IEC 62443 Series
The IEC 62443 series provides international cybersecurity standards to help safeguard industrial automation and control systems (IACS) across their lifecycle.
IEC 62443 is based on industry best practices to secure IACS technologies in critical infrastructures such as transportation and health care, power, energy, and water utilities.
International Cybersecurity Standards
The International Electrotechnical Commission (IEC) 62443 series consists of cybersecurity standards that increase cyber resilience, help mitigate the effects of malicious intrusion and exploitation, bolster security throughout the system lifecycle, and control costs. IEC 62443 is designed to address not only the technology that makes up the control system but also the surrounding workflows, policies, and employee training.
It takes a risk-based approach: organizations use the IEC 62443 standards to assess the cybersecurity risk to each system, identify their most valuable assets, determine their vulnerabilities, and then decide how to address those risks. To this end, 62443 defines five security levels (SLs) according to the type of attacker they are meant to protect against, ranging from SL 0 (no specific security requirements) to SL 4 (protection against intentional, sophisticated attacks by well-resourced, highly motivated adversaries with IACS-specific skills, often described as nation-state level), with specific security requirements defined for each level. In practice a target SL is chosen per zone from the risk assessment, and the achieved SL of the deployed system and the capability SL of its components are measured against that target.
IEC 62443 standards are organized into four categories with corresponding documents:
- General documents provide an overview of the industrial security process and introduce essential concepts.
- Policies and procedures documents cover the security program that an asset owner or service provider must operate, since policies and processes are as critical to industrial security as the technology itself.
- System documents describe how to secure a control system as an integrated whole, for example by partitioning it into zones and conduits and assigning security levels to them.
- Component documents describe the requirements for secure industrial components, covering both the vendor's secure development lifecycle and the technical requirements the components themselves must meet.
The International Society of Automation (ISA) established the ISA99 standards committee in 2002 in response to the need to secure U.S. critical infrastructure equipment and operations against cyberattacks. The ISA99 committee and IEC Technical Committee 65 Working Group 10 collaborated to develop the ISA/IEC 62443 cybersecurity standards, and in 2021 IEC recognized the series as a horizontal standard, meaning it applies across a range of different industries rather than to a single sector. According to the ISA website, these standards offer the following guidance:
- Defining common terms, concepts, and models that can be used by all stakeholders responsible for control systems cybersecurity
- Helping asset owners determine the level of security required to meet their unique business and risk needs
- Establishing a common set of requirements and a cybersecurity lifecycle methodology for product developers, including a mechanism to certify products and vendor development processes
- Defining the risk assessment processes that are critical to protecting control systems