What is IEC 62443?
IEC 62443 is a set of cybersecurity standards specifically tailored for industrial automation and control systems (IACS) and operational technology (OT). Unlike broader frameworks like the NIST Cybersecurity Framework (CSF) or ISO 2700x guidelines, IEC 62443 provides detailed requirements and methods to address the unique security challenges found in industrial environments.
Challenges addressed by IEC 62443 include:
- Protecting data confidentiality
- Preventing cyber-physical failures
- Safeguarding legacy systems
- Maintaining productivity in the face of potential incidents
Initially developed by the International Society of Automation (ISA) ISA 99 standards committee and later adopted by the International Electrotechnical Commission (IEC), these consensus-based standards are regularly updated with input from experts in IACS security. They offer guidance applicable across various industry sectors and critical infrastructure.
IEC 62443 outlines a defense-in-depth model that utilizes “zones” and “conduits,” offers advice on building cybersecurity management systems (CSMS), and provides instructions for conducting risk assessments in IACS/OT environments. It helps organizations define security maturity, choose security products and service providers, and supplement core guidance with technical reports tailored to specific situations.
IEC 62443 Series of Standards
The standards are structured into four parts.
- General: Covers introductory information, vocabularies, concepts, and example use cases.
- Policies and Procedures: Includes program requirements, patching procedures, and implementation guidance.
- System: Addresses assessment approaches, security requirement levels, and recommended technologies.
- Component: Focuses on product lifecycle and technical requirements for system components.
IEC 62443 does not replace existing models such as ISA95 and Purdue; instead, it builds upon them, providing comprehensive coverage of cybersecurity and modern concepts. However, organizations may still find value in using ISA95 and Purdue models for specific security requirements, particularly in scenarios involving Industrial Internet of Things (IIoT) devices connected directly to the Internet or the cloud.
Focus on Basics: The IEC 62443 Checklist
IEC 62443 was specifically crafted to steer the development of secure-by-design components for industrial automation and control systems (IACS). It aims to establish a robust security management system centered around operational technology (OT)/IACS, complete with policies, procedures, and best practices. However, navigating its extensive collection of documents can be daunting for newcomers. To ease into it, consider focusing on these foundational documents:
- The terminology and concepts document. It lays the groundwork by defining critical terms and establishing the fundamental concepts needed to read the rest of the series.
- The requirements for IACS service providers. This standard guides integrators and maintenance providers through integration and maintenance activities, and supports the development of tailored security profiles that address industry-specific nuances.
- The technical requirements for components. This standard outlines cybersecurity requirements for the building blocks of an IACS, including embedded devices, network components, host devices, and software applications.
- The product development lifecycle requirements. This standard lays out process requirements for the secure development and maintenance of products used within an IACS, from security requirements definition through to product end-of-life.
- The risk assessment standard. Recognizing that IACS security is fundamentally a risk management exercise, it provides guidance on conducting risk assessments and identifying appropriate countermeasures, so that organizations can tailor security measures to their own risk tolerance.
- The security level standard. It defines the security levels for IACS systems and components, so that cybersecurity functions embedded in products can be matched to the robustness required for deployment in industrial and critical infrastructure environments.
By reviewing and implementing these standards based on organizational needs, companies can lay a solid foundation for an IEC 62443-oriented security program.
Harnessing the Versatility of IEC 62443 Standards
IEC 62443 is gaining popularity globally, with many countries adopting these standards, shaping a unified framework for industrial cybersecurity. Tailored specifically to address the security needs of Industrial Control Systems (ICS), Industrial Automation and Control Systems (IACS), and Operational Technology (OT), these guidelines offer a wealth of actionable insights, including:
- Conducting cyber risk assessments for OT environments
- Establishing OT cybersecurity management teams
- Implementing patching and other protective measures
- Defining requirements for both solutions and products
- Managing asset and system security throughout their lifecycle
- Securing network zones and conduits through isolation and segmentation
- Developing processes and governance frameworks
- Assigning appropriate roles and responsibilities
- Evaluating cyber risk reduction factors (CRRFs)
Benefits and Application
These standards serve as a comprehensive knowledge base, complementing existing guidance, fostering new initiatives, and shaping security discussions. They also provide ready-made resources for building foundational OT security programs. Continuously updated and expanded, the IEC 62443 standards encourage participation from all interested parties, offering opportunities to contribute to their evolution.
Organizations approaching cybersecurity from an ISA or engineering-oriented perspective can leverage the IEC 62443 standards either comprehensively or selectively, based on their current and future needs. Whether you’re a vendor, product owner, IT professional, engineer, risk management analyst, or security expert, IEC 62443 offers significant value as a primary or supplementary source of information.
Understanding Zones, Conduits, and Security Levels
IEC 62443 provides crucial guidance for securing Industrial Control Systems (ICS), focusing on core concepts such as Systems under Consideration (SuCs), Security Levels (SLs), “zones,” and “conduits.” This framework helps ICS/OT security professionals assess, design, and implement cybersecurity architectures and manage cyber-related risks through methods like FMEA, HAZOP, and LOPA studies.
Security Levels and Their Categories
First, asset owners select a System under Consideration (SuC) and use the standard's pre-defined Security Levels (SLs) to express three things for the SuC or its subsystems: the target level (SL-T) that the risk assessment calls for, the achieved level (SL-A) that the deployed system actually reaches, and the capability level (SL-C) that a given component or system can provide when configured correctly.
These Security Levels are categorized as follows:
- SL 4: Protection against intentional violation using sophisticated means with extensive resources, specialized skills, and high motivation.
- SL 3: Protection against intentional violation using sophisticated means with moderate resources, specialized skills, and moderate motivation.
- SL 2: Protection against intentional violation using simple means with limited resources, basic skills, and low motivation.
- SL 1: Protection against casual or coincidental violation.
Application of Security Levels in Zones and Conduits
Asset owners can then apply these levels based on how the System under Consideration is divided into “zones” and “conduits.”
- Zones: Logical or physical groupings of assets with shared security requirements based on factors like criticality and consequence.
- Conduits: Asset groupings dedicated solely to communication, sharing the same security requirements. Conduits can also represent communication tunnels between zones.
This taxonomy allows architects, engineers, and security professionals to describe desired risk levels and mechanisms needed to achieve specific security objectives or Cyber Risk Reduction Factors (CRRFs).
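As an added illustration (not part of the original article, and not Verve's code), the following Python script models a small SuC as two zones and one conduit and compares each grouping's SL-T against the SL-C of the components placed in it. It assumes the vector form of a security level used in IEC 62443-3-3, with one value from 0 to 4 per foundational requirement (IAC, UC, SI, DC, RDF, TRE, RA). The zone names, component names and level values are constructed for the example, and the "ceiling" rule it applies (a grouping cannot exceed its weakest component's SL-C without compensating controls) is a practitioner's simplification, not a clause of the standard.

```python
"""Zone/conduit gap check against per-FR security level vectors.

Constructed example: names and level values are made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The seven foundational requirements of IEC 62443-3-3, in vector order:
# identification and authentication control, use control, system integrity,
# data confidentiality, restricted data flow, timely response to events,
# resource availability.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


def sl_vector(**levels: int) -> tuple[int, ...]:
    """Build a 7-entry SL vector; FRs not named default to 0 (no requirement)."""
    for name, value in levels.items():
        if name not in FRS or not 0 <= value <= 4:
            raise ValueError(f"bad SL entry {name}={value}")
    return tuple(levels.get(fr, 0) for fr in FRS)


@dataclass
class Component:
    name: str
    sl_c: tuple[int, ...]  # vendor-claimed capability level per FR


@dataclass
class Zone:
    name: str
    sl_t: tuple[int, ...]  # target level from the risk assessment
    components: list[Component] = field(default_factory=list)


@dataclass
class Conduit:
    name: str
    src: str  # zone at one end
    dst: str  # zone at the other end
    sl_t: tuple[int, ...]
    components: list[Component] = field(default_factory=list)  # e.g. the firewall


def capability_ceiling(components: list[Component]) -> tuple[int, ...]:
    """Element-wise minimum of the members' SL-C (simplification: the weakest
    component bounds the grouping unless compensating controls are added)."""
    if not components:
        return (0,) * len(FRS)
    return tuple(min(c.sl_c[i] for c in components) for i in range(len(FRS)))


def gaps(sl_t: tuple[int, ...], components: list[Component]) -> dict[str, tuple[int, int]]:
    """Return {FR: (target, ceiling)} for every FR whose target is not met."""
    ceiling = capability_ceiling(components)
    return {fr: (t, c) for fr, t, c in zip(FRS, sl_t, ceiling) if c < t}


def assess(zones: list[Zone], conduits: list[Conduit]) -> dict[str, dict[str, tuple[int, int]]]:
    """Gap report for every zone and conduit in the SuC, keyed by name."""
    report = {z.name: gaps(z.sl_t, z.components) for z in zones}
    report.update({c.name: gaps(c.sl_t, c.components) for c in conduits})
    return report


def build_example() -> dict[str, dict[str, tuple[int, int]]]:
    # Constructed inventory: a machine cell, a plant DMZ, and the conduit between them.
    plc = Component("PLC-A", sl_vector(IAC=1, UC=1, SI=2, DC=1, RDF=1, TRE=1, RA=2))
    hmi = Component("HMI-1", sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=2, RA=2))
    historian = Component("Historian", sl_vector(IAC=3, UC=3, SI=3, DC=3, RDF=3, TRE=3, RA=2))
    firewall = Component("FW-DMZ", sl_vector(IAC=3, UC=3, SI=3, DC=2, RDF=3, TRE=3, RA=3))

    cell = Zone("Machine cell", sl_vector(IAC=2, UC=2, SI=2, DC=1, RDF=2, TRE=1, RA=2), [plc, hmi])
    dmz = Zone("Plant DMZ", sl_vector(IAC=3, UC=3, SI=3, DC=2, RDF=3, TRE=3, RA=2), [historian])
    link = Conduit("cell<->dmz", "Machine cell", "Plant DMZ",
                   sl_vector(IAC=3, UC=3, SI=3, DC=2, RDF=3, TRE=3, RA=2), [firewall])
    return assess([cell, dmz], [link])


if __name__ == "__main__":
    for name, g in build_example().items():
        print(f"{name}: {'meets SL-T' if not g else g}")
```

Running the script reports that the machine cell misses its SL-T 2 on IAC, UC and RDF because the PLC only offers SL-C 1 on those FRs, while the DMZ zone and the conduit meet their targets. The same comparison is what a procurement pre-selection check does in reverse: given the zone's SL-T, only components whose SL-C vector covers it (or whose shortfall a compensating control will close) pass.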
Although zones often line up with ISA-95 or Purdue levels, IEC 62443 does not require that mapping: zones are drawn around shared risk and consequence, and the resemblance mostly reflects the standard's ISA99 heritage. What matters is that the IEC 62443 standards give asset owners robust guidance for building comprehensive OT/IACS programs and for standardizing their security taxonomy, design elements, and requirements.
The Aligned Cybersecurity Management System (CSMS)
The IEC 62443 standards offer a structured approach to building a robust security program tailored for systems used in industrial settings like manufacturing or utilities. This program, known as a Cybersecurity Management System (CSMS), focuses on three core areas: understanding and analyzing risks, implementing risk mitigation measures, and continuously monitoring and improving the system’s effectiveness.
Components of the CSMS
Within each of these areas, specific guidelines are provided, covering aspects such as establishing the rationale for the system, conducting thorough risk assessments, defining organizational policies and structures, providing training and awareness programs, implementing technical safeguards, ensuring compliance with standards, and conducting regular performance evaluations.
Example CSMS Requirements Matrix
For instance, an excerpt from the condensed version of the CSMS requirements outlines various metrics for assessing an organization’s adherence to security standards. While the standards don’t dictate specific measurement criteria, many organizations use established frameworks like CMMI or simpler rating systems such as FULLY, PARTIALLY, MINIMAL, NONE, and N/A.
Flexibility and Implementation of Requirements
The IEC 62443 CSMS document contains approximately 127 requirements, with flexibility in their implementation timelines. Some requirements may focus more on policy formulation, while others may require substantial effort and commitment for implementation. For example:
- 2.3.12 Conduct risk assessments throughout the lifecycle of the IACS.
- 3.2.3.2 Establish the security organization(s).
- 3.2.5.3 Develop and implement business continuity plans.
- 3.3.2.4 Address security responsibilities.
- 3.4.3.1 Define and test security functions and capabilities.
Security is an ongoing endeavor that demands dedicated resources, time, and strategic planning. The IEC 62443 CSMS is a foundational framework for addressing core security concerns, including risk assessment, resource allocation, policy development, technology deployment, and performance monitoring.
Guiding Risk Assessment
Once the System under Consideration (SuC) is identified, conducting an assessment according to the process outlined in ISA-62443-3-2—or tailoring it to fit the organization or client—provides an effective method for uncovering risks and recommending strategies or action plans to manage them.
Assuming competent assessors are involved, the IEC 62443 process for performing an OT security risk assessment (SRA) is well-structured. It can draw on past assessments, such as gap analyses, cyber maturity reviews, PHA/HAZOP studies, LOPA reviews, and others, to ensure consistency and repeatability. The assessment can be conducted at a high level (the initial risk assessment, depicted by the blue process in the original figure), in more detail (the detailed risk assessment, illustrated by the orange process), or as a combination of both.
However, it’s important to recognize that academic or paper-based assessments are only effective if they are conducted by knowledgeable and skilled assessors, utilize a rigorous and comprehensive assessment process, gather accurate and relevant data, and result in actionable recommendations that are implemented to mitigate identified risks. Assessments may fail to provide meaningful insights or contribute to effective risk management strategies without these elements.
Securing Product Development Lifecycles with IEC 62443
IEC 62443 standards offer a comprehensive framework of requirements and processes for securing product development lifecycles (SDLCs) in IACS/ICS/OT environments. However, they stay at a more general level than detailed guidance such as the NIST special publications (SPs), which spell out specific technical capabilities and best practices for areas like identity and credential management or cryptographic key management.
Despite this limitation, IEC 62443-3-3 organizes its system requirements (SRs) under seven Foundational Requirements (FRs): identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Between them these cover user authentication, role enforcement, change management, encryption, network segmentation, audit logging, and system backup and recovery. IEC 62443-4-2 restates them as component requirements (CRs) for embedded devices, host devices, network components, and software applications, grouped under the same seven FR areas. Note that 4-2 is a component requirements catalogue, not a Cybersecurity Management System; the CSMS is the subject of IEC 62443-2-1.
However, achieving a specific target security level (SL-T) during product development means identifying the requirements (and requirement enhancements) that apply at that level and designing for them.
Creating a secure product requires more than just checking boxes. Product vendors need to identify the necessary requirements and follow a multi-phase development process to implement them effectively.
The product lifecycle in IEC 62443-4-1 runs through design, development, verification, release, deployment, and response phases, and there is a good reason the lifecycle does not end at release.
Industrial products are developed like most other technology wares. However, most of an industrial product's lifetime is spent not in development but in maintenance, updating, and bug fixing. The post-release period is poorly accounted for in terms of tracking costs or effort, yet it is critical for maintaining robust, durable, secure-by-design systems.
Many vendors and Original Equipment Manufacturers (OEMs) view product development as a one-time task, guided solely by sales or implementation requirements. This mindset, coupled with the misconception that security increases costs, often leads to the creation of insecure products from the outset. However, contrary to popular belief, implementing security measures does not necessarily result in higher costs or added complexity during deployment and usage. In reality, a significant portion of vulnerabilities in Industrial Control Systems (ICS) and Operational Technology (OT) devices or applications stem from poor engineering, inadequate testing, and subpar component maintenance.
IEC 62443 standards delineate processes and requirements for securely designing and developing products. They establish basic security requirements, advocate for improved coding practices, and promote risk-aware deployment strategies. Organizations already engaged in or planning to implement Software Development Lifecycle (SDLC) practices can leverage IEC 62443 to enhance their existing procedures.
Using IEC 62443 for Product Selection and Procurement
Similar to other standards and frameworks, IEC 62443 provides guidance to enhance existing processes for scoping technology projects, selecting vendors, and procuring products.
For instance, an organization aiming to establish a secure machine cell for a new process, with a basic level of security (e.g., SL-T 1, protection against casual or coincidental violation), can refer to the requirements outlined in ISA-62443-3-3 and related documents. By doing so, it can develop pre-selection criteria for candidate products and define its security objectives. These standards can also require that security verification be part of factory and site acceptance testing (FAT/SAT) before final handoff.
While there are numerous requirements for each security level, knowledgeable individuals or teams can extract a subset of requirements and align the standard with a minimal set of practical guidelines for reuse throughout the organization.
Ensuring that requirements are met and validated before entering the design phases helps alleviate security concerns and ultimately reduces the total cost of ownership (TCO) throughout the system’s lifespan.
Integrating IEC 62443 with Other Frameworks and Standards
IEC 62443 standards are largely compatible with established guidance like the NIST CSF and align well with it. However, there are notable differences in terminology and application, so an OT-specific overlay and some adaptation of IT practices are needed to handle the exceptions that arise in a converged OT/IT environment. Getting the best outcome requires a degree of creativity from organizations.
ISO/IEC 27001 is well-known in the corporate world for its detailed security controls, focusing primarily on processes and IT. The NIST Cybersecurity Framework, built around its core functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in CSF 2.0), can be adapted to OT needs with the help of NIST's OT security guidance (SP 800-82). Having any standard in place is preferable to having none, and these standards can be tailored to OT requirements based on factors like audience, corporate culture, engineering approaches, and industry specifics.
Recognizing the Limits of IEC 62443 in Cyber-Physical Systems
While IEC 62443 is a valuable tool for securing cyber-physical systems, it is not intended to replace functional safety standards like ISA84 (safety integrity levels, SIL) or process hazard analyses such as PHA/HAZOP studies. Those safety standards often lack specific guidance for electronic, networked, or computerized systems, which is where IEC 62443 is a helpful addition.
Equally, IEC 62443 cannot replace extensive safety and reliability standards or thorough PHA/HAZOP studies. The standards need to be used together to identify risks and their potential impacts, ensuring organizational continuity and preventing negative Health-Safety-Environment (HSE) incidents.
Getting Started with IEC 62443
When implementing IEC 62443, it’s important to see it as a tool for identifying gaps and enhancing existing security programs rather than replacing them entirely. It’s also beneficial for addressing the security implications of digitalization on traditional mechanical processes and protocols, such as disaster recovery.
One effective approach may involve:
- Identifying security gaps and reviewing past risk assessments.
- Prioritizing areas for improvement based on cost, effort, relevance, and potential risk reduction.
- Determining the necessary IEC 62443 requirements or work packages.
- Completing the identified work packages and ensuring they are implemented effectively.
Looking at it differently, organizations already using a NIST CSF-style framework can benefit from implementing IEC 62443 standards in several ways:
- Establishing a security program that bridges IT and OT realms, ensuring the correct terminology is used, and addressing specific concerns related to Industrial Control Systems (ICS).
- Defining security requirements for procuring new products and conducting factory/site acceptance testing.
- Validating existing policies and procedures to ensure they adequately address OT security needs and are relevant to the domain.
- Offering guidance on selecting firewalls and developing patch management strategies for OT/ICS systems.
- Implementing an OT/IACS risk management and assessment process.
Numerous approaches exist to effectively integrate these standards and establish the necessary security language to facilitate communication within your organization and beyond.
IEC 62443 Certification Options
Similar to standards like ISO 27001, individuals and organizations can pursue certifications tailored specifically for IEC 62443, including:
- Individual Certification: Individuals can take ISA's four certificate exams, which cover fundamentals, risk assessment, design, and maintenance. Completing all four earns the designation ISA/IEC 62443 Cybersecurity Expert.
- Product Certification: Vendors have the option to certify their products as compliant with IEC 62443 for various security levels.
- Site/System Certification: Asset owners can certify their sites or systems in accordance with the IEC 62443 standards.
For more detailed information on IEC 62443 certification options, visit the ISA website. Additionally, ISA members have access to the standards for free viewing online.
How Verve Aligns to IEC 62443
Verve draws upon over 30 years of experience in the process control/OT domain to align with the principles of IEC 62443. This wealth of OT knowledge ensures that both our specialized services and the Verve platform are compatible with a wide range of OEM equipment, enabling us to assist virtually any OT/ICS organization in enhancing its security posture, even with proprietary embedded control devices.
Verve's asset management, detection, compliance, and protection capabilities serve as a centralized hub of information, facilitating risk assessment activities within your organization. Our platform operates in both IT and OT environments and accommodates various frameworks, such as NIST CSF, IEC 62443, or the CIS Critical Security Controls (formerly the "CSC 20", reduced to 18 controls in version 8), to meet your organization's needs.
Leveraging our extensive OT expertise and comprehensive platform, Verve offers several advantages over alternative solutions and cybersecurity services for organizations.
Complying with security requirements poses significant challenges for industrial organizations due to labor shortages and knowledge gaps. While tools are essential, human expertise is crucial for achieving ongoing compliance. At Verve, we recognize this and offer a unique platform combined with various options to help clients assess, remediate, and maintain security standards.
We provide a range of managed services tailored for operational environments, catering to clients with budget constraints. Our subscription services offer cost-effective solutions delivered by our highly skilled team. We leverage shared research across our client base by monitoring third-party and vendor-related applications, spreading costs efficiently.
Additionally, we offer on-site services to support tasks like patching, updates, and assessments (including those based on IEC 62443 mandates). These services can be scheduled or provided ad-hoc to suit your needs. Furthermore, Verve ensures 24/7 emergency technical support and accessibility, delivering top-tier skillsets to benefit your organization.
The table below outlines our managed services capabilities:
Read more about the specific alignment between Verve Industrial and IEC 62443.