ISA/IEC 62443 is a series of standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). These standards have been developed by both the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA).
Definition and purpose
IEC 62443 focuses on the security of industrial automation and control systems throughout their lifecycle. The purpose of these standards is to offer a systematic and practical approach to securing IACS in various sectors, ensuring the safety and reliability of systems that are integral to the world's industrial infrastructure.
The standards are developed and maintained by the International Electrotechnical Commission (IEC) in conjunction with the International Society of Automation (ISA).
ISA/IEC 62443 was published in 2018.
IEC 62443 applies to industrial automation and control systems across a range of industries. These include manufacturing, oil and gas, energy utilities, water treatment, and other sectors that employ automation and control systems.
Controls and requirements
IEC 62443 consists of multiple parts, each addressing a different aspect of IACS security. Some notable parts include:
- IEC 62443-2-1: Establishes requirements for implementing an IACS security management system.
- IEC 62443-3-3: System security requirements and security levels.
- IEC 62443-4-1: Secure product development lifecycle requirements.
Key requirements and controls cover areas such as:
- Security policies and procedures
- System patch management
- Security risk assessments
- Defense-in-depth strategies
- Incident response planning
- Security training and awareness
- Secure system design and architecture
- Access control measures
- Secure coding practices for IACS software
- Regular system monitoring and logging
Please refer to the official ISA/IEC 62443 standard documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
Depending on the context, audits can be conducted by internal teams or third-party assessors. The audits typically involve a combination of documentation review, interviews, system testing, and vulnerability assessments. While the standard itself does not dictate a fixed frequency, best practices suggest an annual audit or assessment, with additional reviews following significant system changes or identified vulnerabilities.
The duration of the audit varies depending on the size and complexity of the IACS in question, the scope of the audit, and the specific parts of the IEC 62443 standard being addressed.