Drives and Controls Magazine
Cyber-security standard tackles risks of using IT measures
Published: 21 August, 2013

The ISA (International Society of Automation) has published a standard that tackles the risks arising from the growing use of business IT cyber-security measures to secure complex and dangerous manufacturing and processing applications.

The new standard – ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels – was approved as an American National Standard on 13 August 2013. An essentially identical version will be published by the IEC later this year as IEC 62443-3-3.

The ISA-62443 series of standards, being developed by the ISA’s ISA99 committee and adopted globally by the IEC, is designed to provide a flexible framework to address and mitigate current and future vulnerabilities in industrial automation and control systems (IACS).

IACS security goals typically focus on control system availability, plant protection, plant operations, and time-critical system responses. IT security systems often focus more on protecting information than physical assets.

For this reason, IT cyber-security measures used to address IACS security must be implemented knowledgeably to avoid unintended vulnerabilities that could lead to potentially disastrous health, safety, environmental, financial, and/or reputational impacts in control systems.

The new standard addresses this concern with an approach to defining system requirements based on a combination of functional requirements and risk assessment, and an awareness of operational issues.

“This standard provides highly relevant and practical direction to asset owners, system integrators and suppliers by describing the major system-level technical requirements for a secure IACS,” says Eric Cosman of the Dow Chemical Company, who co-chairs ISA99. “It serves as a cornerstone in the ISA-62443/IEC 62443 series, complementing other standards, including ISA-62443-2-1, which addresses the processes and procedures needed for security.”

In developing the standard, the ISA99 committee drew on the input and knowledge of IACS security experts around the globe. Unlike programs targeted at a single industry, ISA99 is applicable to all sectors of industry and to critical infrastructure. It recognises the interrelated nature of industrial computer networks in which cyber-vulnerabilities exploited in one sector can impact other sectors and infrastructure.

“The new standard represents a collaborative effort of experts from multiple industries around the world,” says the ISA99’s task group leader for the project, Jeff Potter of Emerson Process Management. “Our joint work with IEC experts provides users with assurance that this is a truly global standard that can be used to design, build, operate and regulate with full confidence in its longevity and cross-national applicability.”

The new standard provides technical control system requirements associated with seven key requirements described in ISA-62443-1-1 (99.01.01), including defining the requirements for control system capability security levels. Those responsible for IACS cyber-security will use these requirements to develop the appropriate control system target security levels for specific assets.

The standard can be downloaded from www.isa.org/findstandards by choosing 62443 from the drop-down list and scrolling down.