ISA/IEC 62443
The World’s Only Consensus-Based Automation and Control Systems Cybersecurity Standards – Developed by the International Society of Automation
The Foundation of Our Work is ISA/IEC 62443
Enabling a vigilant, proactive cybersecurity culture in every facility
ISAGCA is driven to generate greater industrial reach and awareness of ISA/IEC 62443, the leading international standards for OT cybersecurity. ISAGCA also works to ensure that workforce training and development are aligned with the principles of ISA/IEC 62443, so that every organization can build a skilled, experienced workforce that drives results. ISA/IEC 62443 provides a common set of requirements that enables product suppliers to deliver reliable, secure, and interoperable devices and systems.
About the ISA/IEC 62443 Series of Standards
Developed by ISA – the International Society of Automation
Using the ISA/IEC 62443 series of standards as a foundation, companies can focus on adopting security as part of the operations lifecycle, ensuring compliance with various aspects of the standards across their supply chains, and including cybersecurity in operational risk-management profiles.
The standards define requirements and procedures for implementing electronically secure automation and industrial control systems, for establishing security practices, and for assessing electronic security performance. The series approaches the cybersecurity challenge in a holistic way, bridging the gap between operations and information technology, and between process safety and cybersecurity.
Focus & Benefits
Shared Responsibility
A founding principle of the ISA/IEC 62443 standards is the concept of shared responsibility as a necessary part of securing automation. The standards define requirements for key stakeholder groups who are involved in control system cybersecurity. Stakeholder groups include asset owners (end users), automation product suppliers, integrators who build and maintain control system solutions and their components, and service suppliers who support the operation of control systems.
Stakeholders
The roles played by the various stakeholders (asset owners, maintenance service providers, integration service providers, and product suppliers) are each addressed by different parts of the ISA/IEC 62443 series of standards. This graphic shows the roles, responsibilities, and relevant 62443 standards for each:
Security Lifecycle
The ISA/IEC 62443 series addresses the security of industrial automation and control systems (IACS) throughout their lifecycle; the term covers all automation and control systems, not just industrial ones. IACS includes more than the technology that comprises a control system; it also includes the people and work processes needed to ensure the safety, integrity, reliability, and security of the control system. Without sufficiently trained people, risk-appropriate technologies and countermeasures, and work processes that span the whole security lifecycle, an IACS is more exposed to cyberattacks.
Documents within the Series
Fourteen standards make up the ISA/IEC 62443 series
The ISA/IEC 62443 series builds on established standards for the security of general-purpose information technology systems (e.g., the ISO/IEC 27000 series), identifying and addressing the important differences present in Industrial Automation and Control Systems (IACS). Many of these differences are based on the reality that cybersecurity risks with IACS may have Health, Safety, or Environment (HSE) implications, and the response should be integrated with other existing risk management practices addressing these risks.
ISA99 Committee
About ISA99
The International Society of Automation (ISA) ISA99 Committee develops and maintains the ISA/IEC 62443 standards. The ISA99 committee, Industrial Automation and Control Systems Security, and IEC Technical Committee 65 Working Group 10 (TC65 WG10) have cooperated in the development of the ISA/IEC 62443 series of standards and technical reports, which define the requirements for cybersecurity robustness and resilience at each stage of the lifecycle of industrial automation and control systems (IACS). The final published documents are available from both IEC and ISA. The ISA editions of the standards and reports in the series have names of the form “ISA-62443-x-y,” while the IEC editions appear as “IEC 62443-x-y.” The ISA and IEC editions of each document are released as close to concurrently as possible.
The United Nations Economic Commission for Europe (UNECE) confirmed at its annual meeting in late 2018 that it will integrate the widely used ISA/IEC 62443 series of standards into its forthcoming Common Regulatory Framework on Cybersecurity (CRF). The CRF will serve as an official UN policy position statement for Europe, establishing a common legislative basis for cybersecurity practices within the European Union trade markets.
At the same time, the UNECE’s Working Party on Regulatory Cooperation and Standardization Policies recognized the ISA99 standards development committee for its leading role in conceiving and developing the standards.
In April 2021, The NATO Energy Security Centre for Excellence and the ISA99 standards committee signed a letter of intent for cooperation in the exchange of information and possible collaboration on learning resources and activities.
The NATO Centre became interested in applying the ISA/IEC 62443 standards during a cyber risk study of the industrial control systems used in the NATO Central Europe pipeline system, as noted by Vytautas Butrimas, who led the agreement for NATO and now represents the NATO Centre on ISA99. “With this agreement,” he stated, “we look forward to exploring new ways of collaboration with ISA to improve the safety, reliability, and performance of the backbone technologies that support economic activity, national security, and [the] well-being of our societies.”
Scope of Work
The concept of industrial automation and control systems electronic security is applied in the broadest possible sense, encompassing all types of plants, facilities, and systems in all industries. Manufacturing and control systems include, but are not limited to:
- Hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing, and monitoring and diagnostic systems.
- Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.
The ISA99 committee consists of several smaller working groups, each focused on a specific theme or topic.
ISA/IEC 62443 Resources
- Quick Start Guide to ISA/IEC 62443
- Overview of ISASecure® Certification for ISA/IEC 62443
- Guide to Security Lifecycles in ISA/IEC 62443
- IACS Taxonomy Glossary
- IACS Principal Roles and Responsibilities
- White Paper: Applying ISO/IEC 27001/2 and the ISA/IEC 62443 Series for Operational Technology Environments
Your Guide to Cybersecurity Standards
Our Quick Start Guide offers a user-friendly overview and answers often-asked questions about the ISA/IEC 62443 series of standards.