IEC 62443 Will Be Integrated into the Common Regulatory Framework on Cybersecurity
IEC 62443 proposes a series of documents that establish best practices and recommendations to increase the security of industrial control systems against cyber threats.
Recently, the International Society of Automation (ISA) has published the following news: “The United Nations Economic Commission for Europe (UNECE; Geneva, Switzerland) confirmed that it will integrate the widely used ISA/IEC 62443 series of standards into its forthcoming Common Regulatory Framework on Cybersecurity (CRF). The CRF will serve as an official UN policy position statement for Europe. At its recent annual meeting in Geneva, UNECE’s Working Party on”.
This is undoubtedly great news for all professionals who care about making industrial and critical infrastructure environments more secure and less vulnerable to existing threats.
IEC 62443 is a set of standards based on the concepts defined by ISA99, which in turn proposes a series of documents that establish best practices and recommendations to increase the security of industrial control systems, mainly against cyber threats. To align the ISA99 nomenclature with the proposal made by the IEC, ISA99 was renamed ANSI/ISA-62443 or IEC 62443 in 2010.
The ISA 99 standard defines four specific documents and two technical reports. As can be seen in the following figure, this standard has been divided into four layers.
- The first, called General, includes four documents. They set out the basic concepts and context on which the following layers of the standard are built.
- The second, called Policies & Procedures, also includes four documents. As its name indicates, it focuses on the definition of policies and procedures.
- The third layer, System, consists of three documents. It focuses on proposing best practices for the secure deployment of systems in industrial environments.
- Finally, the fourth layer, called Component, includes two documents and addresses the requirements that manufacturers of industrial devices must meet to be considered Secured by Design.
All these documents are in different phases of development. As the following figure shows, their status can be: published, published but under review, in development, or planned.
Figure. ISA 99 Standard.

In the Industrial Cybersecurity consulting and engineering area at Logitek, we frequently rely on the best practices proposed by IEC 62443 to carry out different types of interventions. Among them, it is worth highlighting its use in segmentation and hardening initiatives for networks and systems.
The document IEC 62443-1-1 Models and Concepts (which practically replicates the specification ANSI/ISA99.00.01 – Part 1: Terminology, Concepts and Models) introduces the concepts of zone, conduit and channel. In environments as complex and extensive as industrial ones, it would not make sense to apply prevention, detection, response and recovery measures, or to develop specific controls, in the same way for every system and process area. For this reason, the document proposes a method for creating areas that share the same security requirements, together with mechanisms that allow communication between these areas to be carried out securely.
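The zone and conduit idea described above, as an added example that is not part of the original article or of Logitek's own tooling: a small Python model that assigns assets to zones, declares the conduits between zones with the channels each may carry, and classifies flow records against that model. All asset names, zone names and ports are hypothetical, and a channel is modelled here simply as a protocol/port pair.

```python
# Constructed model: every asset, zone and port below is hypothetical.
ZONE_OF = {  # asset -> zone (assets in one zone share security requirements)
    "hmi-01": "supervision",
    "historian-01": "supervision",
    "plc-01": "control",
    "plc-02": "control",
    "erp-gw": "enterprise",
}

# In this model a conduit is the declared path between two zones, and it lists
# the channels (protocol/port pairs) it may carry. Zone pairs are unordered
# for brevity; a real policy would also fix the direction of initiation.
CONDUITS = {
    frozenset({"supervision", "control"}): {("tcp", 502)},
    frozenset({"enterprise", "supervision"}): {("tcp", 443)},
}

def check_flow(src, dst, proto, port):
    """Classify one observed flow against the zone/conduit model."""
    src_zone, dst_zone = ZONE_OF.get(src), ZONE_OF.get(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"          # asset not assigned to any zone
    if src_zone == dst_zone:
        return "intra-zone"             # never crosses a zone boundary
    allowed = CONDUITS.get(frozenset({src_zone, dst_zone}))
    if allowed is None:
        return "no-conduit"             # zones talk without a declared conduit
    if (proto, port) not in allowed:
        return "channel-not-allowed"    # conduit exists, channel is not on it
    return "allowed"

def audit(flows):
    """Return (flow, verdict) for every flow that violates the model."""
    verdicts = [(flow, check_flow(*flow)) for flow in flows]
    return [(f, v) for f, v in verdicts if v not in ("allowed", "intra-zone")]

# Constructed flow records: (source asset, destination asset, protocol, port)
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", "tcp", 502),
    ("hmi-01", "historian-01", "tcp", 1433),
    ("erp-gw", "plc-02", "tcp", 502),
    ("hmi-01", "plc-02", "tcp", 23),
    ("laptop-x", "plc-01", "tcp", 502),
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

The three findings it reports are the cases a segmentation review looks for: two zones communicating with no conduit between them, an undeclared channel on an existing conduit, and an asset that was never placed in a zone.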
We leave you this link to the proceedings of the National Cybersecurity Conference (JNIC) held in Granada during 2016, in which we published the article “Design of zones, conduits and channels according to IEC 62443 (ISA99) in a 4.0 Industry”.
After reading it, I am sure that you will be able to understand much better what IEC 62443 brings to this particular problem.
If you need clarifications and/or more information, do not hesitate to contact us.


