Here’s a guide to IEC 62443. After going through this (somewhat short) IEC 62443 guide, you will understand how it helps you secure your Industrial Automation and Control Systems (IACS for short) against cyber threats.
Let us understand more about it, why it was developed and where it can be used.
Update: There have been changes in IEC 62443 in the year 2024. Please read about the IEC 62443 latest version here
What is IEC 62443?
IEC 62443 is not a single document, but a set of standards, practices and technical reports that have been developed over a decade by joint global efforts of different voluntary bodies and standards organizations. ISA (Instrumentation, Systems and Automation society, formerly known as the Instrument Society of America), in collaboration with IEC (International Electrotechnical Commission) were the primary drivers behind this work. Many parts have been developed by various working groups of ISA and other parts by working groups of IEC. After ANSI (American National Standards Institute) approval, this standard is officially now referred to as ANSI/ISA/IEC 62443.
The standard is still a work in process and not all parts have been published, yet the parts that are available are useful enough to secure your IACS and other OT (Operational Technology) systems. The current structure is shown below. Draft parts may be available for comment to stakeholders and standards committee members.
Update June 2024: This is the older version of Categories in IEC 62443. Here is the latest IEC 62443 infographic
Note that more parts will be added, in addition to the ones shown in this graphic. This standard has now been declared as a Horizontal standard, meaning that it is not just applicable to the process industries (such as chemical manufacturing plants or oil and gas fields), but also to any business sector that has Operational Technology as a critical element.
Typical examples are discrete parts manufacturing plants, electrical grid infrastructure such as electricity distribution networks, city water supply systems, sewage plants, smart warehouses that have critical building automation systems for climate control and so on. In short any facility or business that depends on OT for its continued existence can make use of IEC 62443.
How can I understand IEC 62443?
In order to understand the standard, you have to first understand a lot of concepts related to Industrial Automation and Control Systems, as well as Cybersecurity. The easiest way to go about this to take the Abhisam Industrial Cybersecurity training course (Certified Industrial Cybersecurity Professional) that covers all of this in great detail. This is not your typical plain vanilla cybersecurity course, but a specialized OT cybersecurity course,
Once these concepts are understood, then IEC 62443 will start making sense. After completing the course and passing the exam you earn the title of CICP and an electronic badge that can be displayed online, on social media sites such as LinkedIn, to enhance your professional visibility.
There are various IEC 62443 training courses available, the Abhisam CICP Course (Standard as well as Professional) include the basics of IEC 62443. The Abhisam CICP Course (Professional) includes IEC 62443-2-4 training.
Does an IEC 62443 checklist exist?
IEC 62443 is a multi part standard, with each part having many aspects. It is not just a single document that can be checked for compliance with a checklist. Not all parts may apply to your situation. The best way is to first take the CICP course (which includes a module on IEC 62443), then study the different parts of the standard and then start working on a checklist.
The CICP Course (Professional version) does have a module, “Understanding IEC 62443-2-4” that has a multi-part table to know how to comply with various aspects of this part of the standard. A checklist can be developed based on this.
Who can make use of IEC 62443?
Industrial manufacturing plants and facilities, as well as installations such as Oil Terminals, City Water supply plants, Pipeline networks, power generation plants, electrical grid networks, port handling facilities are all considered as “Assets”. These are typically operated by asset owners themselves, or in some cases by separate entities known as “operators” (here operators does not refer to personnel operating the plant but to the company or organization that operates the plant).
Together we refer to these as Asset owner/operators.
These assets utilize Industrial Automation and Control Systems , including Safety Instrumented Systems (SIS), Fire & Gas systems (F & G), that monitor and control these facilities as well as ensure that they remain safe. We refer to these systems as IACS. These IACS may include various types of control systems such as those based on DCS (Distributed Control Systems), PLC (Programmable Logic Controllers) or SCADA (Supervisory Control and Data Acquisition systems).
Every IACS (including those for similar plants) is actually (almost) custom built with different sensors, transmitters, actuators, final control elements, controllers and so on. The term IACS includes BPCS (Basic Process Control Systems), SIS (Safety Instrumented System) including special SIS such as HIPPS (High Integrity Pressure Protection Systems) and BMS (Burner Management Systems), Building Automation Systems (BAS) or even HVAC control systems that may be critical to maintaining a controlled environment in industries such as pharmaceutical manufacturing, clean rooms, silicon wafer fabs, etc.
These assets and the IACS are designed and engineered by various organizations such as design engineering consultants, IACS vendors and system integrators and EPC (Engineering Procurement and Construction) companies. More entities may be involved in the basic design of the asset, such as government regulatory bodies (who may issue permits). This is the ecosystem that is involved. All of them can make use of various parts of the standard.
For example, devices such as field instruments (such as Pressure transmitter or Flow transmitters), PLCs and DCS controllers should be conformant to IEC 62443-4-1 and IEC 62443-4-2. If Industrial IoT devices are present in the IACS then they should conform to the new upcoming IEC 62443-4-3 standard. The IACS vendors and system integrators should follow IEC 62443-2-4 while building the IACS.
Thus all the entities that are involved in designing, engineering, building, installing, commissioning and operating these assets can make use of the different IEC 62443 parts that apply to them.
Is IEC 62443 an OT security standard?
Yes, IEC 62443 is an OT security standard. OT is short for Operational Technology, which means the tech that is required to run facilities such as industrial plants or machinery, or even ships or vehicles. OT includes all Instrumentation, Automation, Control systems and safety systems that are used to monitor and operate assets.
Why do we need a separate OT security standard?
IT security refers to the cybersecurity of Information Technology based systems. IT systems are basically data processing systems as opposed to OT systems that run physical equipment. IT systems include ERP systems (such as SAP), banking systems (including mainframe systems or those using AS 400 systems and similar), credit card & payments processing or stock trading systems. In these systems there are no physical objects that are controlled, only data. OT systems control physical objects and are also referred to as cyber physical systems.
The security goals and situations regarding IT security and OT security are different. Poor OT security can actually cause physical events such as fires or loss of containment. Poor IT security can cause loss of data, including confidential data as well as loss of money but cannot cause direct physical harm to anybody.
Can I get an IEC 62443 pdf?
As already stated, this is a multi part standard and not all parts have been published so far. ISA members can view the parts developed by ISA on their website as part of their member benefits. However in case a pdf is needed it has to be purchased from the ISA store. The parts developed by IEC can be purchased from the IEC webstore.
Is IEC 62443 the only standard used for OT security?
No there are other documents and standards, based on the industry in which you operate. For example, for large electricity suppliers (BES-Bulk Electricity Suppliers) in North America the NERC CIP plan applies. NERC- CIP is short for the North American Electric Reliability Corporation Critical Infrastructure Protection standard. This is a legal requirement.
Other guidance documents include the NIST 800-82 standard for OT security. Currently Rev 3 is being worked on and should be released soon.