The International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance (ISAGCA) has announce that the International Electrotechnical Commission (IEC) has officially designated the IEC/ISA 62443 series of standards as “horizontal,” meaning that they are proven to be applicable to a wide range of different industries.
According to the IEC decision, “The IEC Technical Committee 65 (TC 65) publishes IEC 62443 for operational technology found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare, and transport systems. These horizontal standards, also known as base standards, are technology independent. They can be applied across many technical areas.”
ISA99 co-chair Eric Cosman comments: “The ISA99 committee of the International Society of Automation (ISA) and IEC Technical Committee 65 Working Group 10 have been collaborating on the development of the ISA/IEC 62443 cybersecurity standards for industrial automation and control systems (IACS) cybersecurity for many years.
“While broad applicability has always been the intent, there has been a common perception that they were most appropriate for process industries such as chemicals and refining.
“Despite that perception, there have been several examples of successful applications in other sectors, such as transportation, building automation, metals and mining, and discrete manufacturing. It’s ultimately best for users if they can rely on one set of sector-agnostic standards, and we are very happy to receive the IEC decision to designate the ISA/IEC 62443 series as horizontal standards.”
The ISA/IEC 62443 series of standards is the world’s only consensus-based cybersecurity standard for automation and control system applications. These standards codify hundreds of years of operational technology and IoT cybersecurity subject matter expertise.
Using the ISA/IEC 62443 series of standards as a foundation, companies can focus on adopting security as part of the operations lifecycle, ensuring compliance with various aspects of the standards across their supply chains, and including cybersecurity in operational risk-management profiles.
“While this news might seem like a procedural detail, it will have significant implications,” says Cosman. “Various other IEC technical committees that represent the needs and interests of specific sectors will presumably base their cybersecurity-related efforts on what is in the 62443 standards, focusing on defining how they should be interpreted and applied in a given set of circumstances.
“This will almost certainly lead to the creation of a set of sector-specific profiles for this purpose. To help in this effort, TC65 WG10 is developing guidance on how to develop such profiles, rather than pursue sector-specific and perhaps inconsistent standards. Guidelines, frameworks, training materials, and other resources can also take on a more general focus, incorporating the needs of many sectors.”
The designation of the ISA/IEC 62443 series as a horizontal standard will have many benefits to stakeholders:
* Asset owners who have a presence in or exposure to more than one sector will be able to align their cybersecurity programs, leveraging ISA/IEC 62443 as the one single source for the fundamental principles and requirements of automation cybersecurity.
* Automation system suppliers will be able to certify their products for a broader range of applications, using a common set of conformance specifications based on 62443.
* IEC TC 65 WG 10 and the ISA99 committee will be able to focus their efforts on collaboration and advancement of the series of standards, especially around current demands in areas such as IIoT, sensor-level security, and supply chain risks.
* The ISA Global Cybersecurity Alliance (ISAGCA) and its 50+ member companies will partner with asset owners and suppliers to build relevant, applications-focused materials to enable companies in different sectors around the world to adopt and implement the series of standards at scale.
“The member companies of the ISA Global Cybersecurity Alliance have long believed in the broad applicability of the ISA/IEC 62443 series of standards,” says ISAGCA chair Megan Samford. “We could not be more excited to see this news from IEC, because it echoes and confirms the work we’ve done.
“This series of standards is the only complete set of practices and security capabilities that can be applied to consistently assess and improve cybersecurity for operational technology systems, and our members stand ready to help companies all over the globe implement it successfully.”