IEC 62443 is a series of standards that address cybersecurity for operational technology in automation and control systems. The series is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity. The series is also known as ISA/IEC 62443 in recognition of the fact that much of the initial development was done by the ISA99 committee of the International Society for Automation.
It divides the cybersecurity topics by stakeholder category / roles including:
The different roles each follow a risk-based approach to prevent and manage security risks in their activities.
As an international standard, the IEC 62443 family of standards is the result of the International Electrotechnical Commission (IEC) standards creation process where all national committees involved agree upon a common standard. Multiple organizations and committees submitted input to the IEC working groups and helped shape the IEC 62443 family of standard.
Starting in 2002, the International Society of Automation (ISA), a professional automation engineering society and ANSI-accredited standards development organization (SDO) established the Industrial Automation and Control System Security standards committee (ISA99). The ISA99 committee developed a multi-part series of standards and technical reports about Industrial Automation and Control System (IACS) cyber security. These work products were submitted by ISA for approval and then published as North American ANSI standards. The ISA standards documents originally referred to as ANSI/ISA-99 or ISA99 standards were renumbered to be the ANSI/ISA-62443 series in 2010. The content of this series was submitted to and used by the IEC working groups.
In parallel, the German engineering associations VDI and VDE released the VDI/VDE 2182 guidelines in 2011. The guidelines describe how to handle information security in industrial automation environments and were also submitted to and used by the IEC working groups.
In 2021, the IEC approved the IEC 62443 family of standards as 'horizontal standards'. This means that when sector specific standards for operational technology are being developed by subject matter experts, the IEC 62443 standards must be used at the foundation for requirements addressing cybersecurity in those standards. This approach serves to avoid the proliferation of partial and/or conflicting requirements for addressing cybersecurity of operational technology across industry sectors where the same or similar technology or products are deployed at operating sites.
IEC 62443 Industrial communication networks - Network and system security series of standards is organized into four parts:[1]
The following table lists the parts of the IEC 62443 series of standards published to date with their status and title.
Policies and Procedures | System | Components and Requirements | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
1-1 | Technical Specification, Edition 1.0, July 2009[2] | Concepts and models | 2-1 | Edition 1.0, November 2010 | Security program requirements for IACS asset owners | 3-1 | Technical Report, Edition 1.0, July 2009[3] | Security technologies for industrial automation and control systems (IAC) | 4-1 | Edition 1.0, January 2018 | Secure product development lifecycle requirements | |
2-3 | Technical Report, Edition 1.0, June 2015[4] | Patch management in the IACS environment | 3-2 | Edition 1.0, June 2020[5] | Security risk assessment and system design | 4-2 | Edition 1.0, February 2019 | Technical security requirements for IACS components | ||||
2-4 | Edition 1.1, August 2017 | Requirements for IACS service providers | 3-3 | Edition 1.0, August 2013[6] | System security requirements and security levels | |||||||
1-5 | Technical Specification, Edition 1.0, September 2023 | Scheme for IEC 62443 security profiles |
IEC 62443 describes different levels of maturity for processes and technical requirements. The maturity levels for processes are based on the maturity levels from the Capability Maturity Model Integration (CMMI) framework.
Based on CMMI, IEC 62443 describes different maturity levels for processes through so-called "maturity levels". To fulfill a certain level of a maturity level, all process-related requirements must always be practiced during product development or integration, i.e. the selection of only individual criteria ("cherry picking") is not standard-compliant.
The maturity levels are described as follows:
Technical requirements for systems (IEC 62443-3-3) and products (IEC 62443-4-2) are evaluated in the standard by four so-called Security Levels (SL). The different levels indicate the resistance against different classes of attackers. The standard emphasizes that the levels should be evaluated per technical requirement (see IEC 62443-1-1) and are not suitable for the general classification of products.
The levels are:
The standard explains various basic principles that should be considered for all roles in all activities.
Defense in Depth is a concept in which several levels of security (defense) are distributed throughout the system. The goal is to provide redundancy in case a security measure fails or a vulnerability is exploited.
Zones divide a system into homogeneous zones by grouping the (logical or physical) assets with common security requirements. The security requirements are defined by Security Level (SL). The level required for a zone is determined by the risk analysis.
Zones have boundaries that separate the elements inside the zone from those outside. Information moves within and between zones. Zones can be divided into sub-zones that define different security levels (Security Level) and thus enable defense-in-depth.
Conduits group the elements that allow communication between two zones. They provide security functions that enable secure communication and allow the coexistence of zones with different security levels.
Processes, systems and products used in industrial automation environments can be certified according to IEC 62443. Many testing, inspection, and certification (TIC) companies offer product and process certifications based on IEC 62443. By accrediting according to the ISO/IEC 17000 series of standards, the companies share a single, consistent set of certification requirements for IEC 62443 certifications which elevates the usefulness of the resulting certificates of conformance.
IEC 62443 certification schemes have been established by several global testing, inspection, and certification (TIC) companies. The schemes are based on the referenced standards and define test methods, surveillance audit policies, public documentation policies, and other specific aspects of their program. Cybersecurity certification programs for IEC 62443 standards are being offered globally by many recognized Certification Bodies (CB), including Bureau Veritas, FM Approvals, Intertek, SGS-TÜV Saar, TÜV Nord, TÜV Rheinland, TÜV SÜD and UL.
A global infrastructure of national accreditation bodies (AB) ensures consistent evaluation of the IEC 62443. The ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the IAF for work in management systems, products, services, and personnel accreditation or the ILAC for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs will ensure global recognition of accredited CBs.
TIC companies are accredited by an AB to provide inspection according to the ISO/IEC 17020, testing laboratories according to ISO/IEC 17025 and certification of products, processes, and services according to ISO/IEC 17065.
The IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE) Certification Body Scheme (CB Scheme) is a multilateral agreement that facilitates market access for manufacturers of electrical and electronic products. Under the CB Scheme processes, products and systems can be certified according to IEC 62443.
The origin of the CB Scheme comes from the CEE (former European "Commission for Conformity Testing of Electrical Equipment") and was integrated into the IEC in 1985. Currently, 54 Member Bodies are in the IECEE, 88 NCBs (National Certification Bodies), and 534 CB Test Laboratories (CBTL). In the field of product certification, this procedure is used to reduce the complexity in the approval procedure for manufacturers of products tested and certified according to harmonized standards. A product that has been tested by a CBTL (certified testing laboratory) according to a harmonized standard such as the IEC 62443, can use the CB report as a basis for a later national certification and approval such as GS, PSE, CCC, NOM, GOST/R, BSMI.
The ISA Security Compliance Institute (ISCI), a wholly owned subsidiary of the ISA, created an industry consensus conformity assessment scheme that certifies to the ISA/IEC 62443 standards and operates under the ISASecure brand. This scheme is used to certify automation control systems, components and processes. ISASecure certifications were expanded to include the Industrial IOT component certification (ICSA) in December 2022. Certification Bodies in the ISASecure certification scheme are independently accredited by ISO 17011 Accreditation Bodies to the ISASecure technical readiness requirements and the ISO 17025 and ISO 17065 standards. Multilateral recognition agreements under the IAF ensure that the ISASecure certifications are mutually recognized by all global IAF signatories.
The ISCI offers multiple certifications under the ISASecure brand: