Abhisam is pleased to announce that the Industrial Cybersecurity Training Course (Certified Industrial Cybersecurity Professional) now has an updated module on OT Security standards. The previous module, titled IACS Security Standards, has been thoroughly revised and has several new sections covering the parts of the ANSI/ISA/IEC 62443 standard that have been published so far.
What is the CICP program?
Abhisam introduced the Industrial Cybersecurity course in 2018 in response to many requests for training in the rapidly growing domain of ICS cyber security. These were driven by the growing number of attacks on Industrial Control Systems and critical infrastructure, coupled with little awareness of the subject, both in the Industrial Automation field and in the cybersecurity community.
This program has been updated several times since inception and has evolved to become the CICP (Certified Industrial Cybersecurity Professional) course. Due to its extensive coverage of topics in the ICS security and OT security domain at a comparatively much lower cost (perhaps the only program that costs less than $800 US, whereas others cost thousands of dollars and you have to enroll in several of them to learn everything), this program became popular globally.
Who has taken this course?
Many marquee companies, including Black & Veatch, FLSmidth, SASOL, GALP and others, enrolled their employees in the course and got them certified. Several individuals and security professionals working with organizations such as Honeywell, Yokogawa and ARAMCO, as well as with independent security consulting companies, also enrolled as individuals and have been certified.
What is IEC 62443?
The ANSI/ISA/IEC 62443 set of standards and practices is a joint effort by the ISA 99 committee that worked on Industrial Cybersecurity for many years. Their efforts resulted in a planned set of standards that dealt with all aspects of securing Industrial Control Systems, whether based on DCS, PLC, SCADA or other technologies and architectures, whether used as BPCS (Basic Process Control Systems) or SIS (Safety Instrumented Systems) or as Building Automation systems.
ISA later collaborated with the IEC (International Electrotechnical Commission) to work on a common set of standards, and their joint efforts resulted in the series now referred to as the ANSI/ISA/IEC 62443 series of standards. Many parts of this series have been published by ISA and some parts by IEC. However, all parts, whether published originally by ISA or IEC, are now included in the series and referred to as ANSI/ISA/IEC 62443, or simply as IEC 62443, or even just as the “62443 series”.
How many parts are there in IEC 62443?
There are now about 14 parts in the IEC 62443 series, although some more are being planned. Note that even among the 14 parts, not all have been published and some are still in the draft/planning stage. Only the published parts have been included in the module, although all parts have been shown.
Why focus on IEC 62443?
The ANSI/ISA/IEC 62443 set of OT security standards is now emerging as the primary reference for OT security, and not just for IACS (Industrial Automation and Control Systems) security. Many of the parts that were in the draft state have now been published, and the new updated OT Security standards module includes key information related to them. With the committee now reported to be including Industrial Internet of Things (IIoT) related aspects, this IEC 62443 set of standards will be the main standard in OT security in the years ahead.
Note that there are other reference standards and good practices published by various other bodies too, such as NIST 800-82 Rev 3 (still in draft mode) for OT security, which you can refer to. NIST is short for the US National Institute of Standards and Technology. Many of the same concepts are used, but IEC 62443 seems more extensive. Also, if you work in the North American power industry, whether in generation or distribution (for > 300 MW), then you also need to comply with the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standard.
So the standard for OT security that you follow will depend on your industry and on whether you are subject to any laws or regulations that explicitly require you to follow a particular standard. However, IEC 62443 is rapidly emerging as a consensus standard globally, probably because it is backed by the IEC.
You can read more about the Foundational Requirements of IEC 62443 here.
Why IEC? Why are IEC OT security standards considered global standards?
As you know, the IEC (International Electrotechnical Commission) has 60 regular full member countries, including the major industrialized and/or rapidly industrializing countries such as the US, Canada, Germany, France, Netherlands, Japan, China, India, Russian Federation, Saudi Arabia, UAE, Oman, Qatar, Singapore, Israel, Iran, Indonesia, UK and others.
Another set of 23 countries are in the associate membership state. These include countries like Kazakhstan, Kenya, Nigeria, Bahrain, Estonia, Vietnam and others. (Associate members have full access to all the working documents but almost no voting rights in the technical work. They are also not eligible for managerial positions within the IEC.)
In addition to the above, 87 newly developing and newly industrializing countries are part of the IEC affiliate country program. These include countries such as Angola, Bahamas, Bolivia, Brunei Darussalam, Uzbekistan, Zambia and others.
So the IEC standards can be considered global standards, as most of the countries of the world are associated with the IEC, whether as full members, associate members or affiliate members. No matter which geography you work in, the IEC 62443 standards are going to be the go-to OT security standards if you work in the cybersecurity, Industrial Automation, Building Automation or even Process and Functional Safety domains. It is better to be familiar with them if you work in any of these areas.
Note that the module explains the key concepts related to the standard and how to use it. It is however not a substitute for the actual standard.