
Four essential charts for understanding the fundamentals of Industrial Cybersecurity Management

ISA99 is a series of standards developed by the International Society of Automation (ISA) that provides guidelines and best practices for securing industrial automation and control systems (IACS). It has been adopted by the International Electrotechnical Commission (IEC) and is now referred to as the ISA/IEC 62443 series of standards. This adoption took place to ensure international harmonisation and recognition of the standards for IACS cybersecurity. The standard is also consistent with the more general ISO/IEC 27000 series of cybersecurity standards, which provide guidelines for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

The ISA/IEC 62443 standard defines an IACS as a collection of personnel, hardware, software and policies involved in the operation of the industrial process that can affect or influence its safe, secure and reliable operation.

The IACS stakeholders span a wide range of people: equipment suppliers, who develop IACS components with security capabilities for use in integrated solutions; system integrators, who ensure that site-specific cybersecurity best practices are considered for the deployment of these IACS products; and asset owners, who configure, deploy, operate, and maintain the IACS solutions in compliance with the approved cybersecurity guidelines of the facility. To establish IACS cybersecurity that is effective, consistent and robust, all stakeholders share responsibility during all phases of the asset's lifecycle.

The following are four key charts that an organisation should be aware of when considering the management of cybersecurity for an industrial facility such as a manufacturing plant, a power plant or any other process facility.

Chart 1 – The ISA/IEC 62443 Series of Standards

This series of standards contains documents that fall into one of four categories:

  • General – This group of documents addresses topics that are common to the series and introduces concepts and models, a glossary of terms and abbreviations, quantitative metrics and system requirements. It also covers the lifecycle of IACS cybersecurity, which is described in Chart 2 in this blog.
  • Policies and Procedures – This group of documents focuses on policies and procedures, covering topics like methodologies for evaluating the protection level required from an IACS and guidance on patch management for an IACS. It also has specific documents focussed on end users/asset owners, IACS system integrators and IACS component suppliers.
  • System – This group of documents addresses IACS system design requirements, from security risk assessments used to evaluate the target security levels to the application of security technologies to meet those target security levels.
  • Component Requirement – This includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products. The suppliers of control systems products and their components embedded into the control system hardware are the target audience of this group.
CHART 1 – ISA 62443 Series

Chart 2 – The Cybersecurity Lifecycle

The Cybersecurity lifecycle is covered within ISA/IEC 62443-1-4. The lifecycle can be split into the 3 main phases listed below. Each phase contains activities related to the Target Security Level required for the IACS at the facility. Each phase is also associated with specific documentation from the ISA/IEC 62443 series. These are shown in brackets within the steps of the lifecycle.

CHART 2 – ISA/IEC 62443 – Cybersecurity Lifecycle
  • The Assess Phase – Target Security Levels (SL-T) are determined and assigned to the zones and conduits of the IACS.
  • The Develop and Implement Phase – In this phase, countermeasures are implemented by IACS system integrators and equipment suppliers to meet the Target Security Level (SL-T). Based on the various countermeasures implemented in the design, the IACS achieves a certain security level referred to as the Achieved Security Level (SL-A).
  • The Maintain Phase – Here, the Asset Owners, with support from the system integrator and product suppliers, ensure that the Achieved Security Level (SL-A) is maintained to be better than or equal to the Target Security Level (SL-T). Countermeasures are audited and may need to be upgraded to maintain the Achieved Security Level (SL-A).

Chart 3 – The Cybersecurity Management System

The Cyber Security Management System (CSMS) is used to determine and mitigate cybersecurity risks. The ISA/IEC 62443-2-1 series contains a detailed and comprehensive description of the elements contained in a CSMS for use in industrial environments, including the requirements for each element and guidance on how they can be met. Clause 4 of ISA/IEC 62443-2-1 is normative and contains elements of the CSMS. Annex A of ISA/IEC 62443-2-1 is informative and contains guidance for developing the elements of a CSMS, while Annex B is informative and describes the process of developing a CSMS.

CHART 3 – ISA/IEC 62443 Cybersecurity Management System

The CSMS comprises three main categories: 

  • Category A – Risk Analysis – The two elements in Risk Analysis cover establishing the Business Rationale with key stakeholders and performing the Risk Assessment to identify, classify and assess the risk. The Risk Assessment should aim to identify a list of risks to the IACS that are prioritised based on the estimated likelihood and consequence of those risks.
  • Category B – Addressing the Risk – This contains 3 main groups of elements:
    • The first group is Security policy, organisation, and awareness. It documents the elements that fall within the scope of the CSMS and assigns responsibilities for overall cybersecurity. In addition, this category incorporates providing staff and contractor personnel with adequate training and information to be aware of threats and weaknesses, and to have the ability to take remedial action if necessary.
    • The second group is Selected security countermeasures. The activities in this group include personnel security, physical and environmental security, network segmentation, and access control covering account administration, authentication, and authorisation.
    • The third group is Implementation. This comprises risk management and implementation, system development and maintenance, information and document management, and incident planning and response.
  • Category C – Monitoring and improving the CSMS – This consists of the elements of Compliance and Reviewing, Improving, and Maintaining the CSMS. 

A crucial benefit of using a CSMS is maintaining the security level of IACS over their lifetime. It is observed that security efforts are undertaken on a project basis, and that system security deteriorates over time with the evolution of new threats and developments in the system architecture. Establishing a strong CSMS at a facility can help ensure that security measures are regularly assessed and kept up to date for the IACS deployed at the facility. The feedforvard article “Seven differences to consider when addressing cybersecurity for Industrial Control Systems” provides an overview of some challenges for IACS cybersecurity management.

Chart 4 – The NIST Cybersecurity Framework

To address the protection of critical infrastructure, several organisations have proposed and developed guidelines and approaches that can be used to mitigate associated risks. One approach was initiated by Executive Order (EO) 13636 [1], “Improving Critical Infrastructure Cybersecurity,” which called for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to guide organisations to manage and reduce cybersecurity risks cost-effectively without placing additional regulatory requirements on businesses. 

The resulting NIST (National Institute of Standards and Technology) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 published in 2014 (Version 1.1 published in 2018), was created through collaboration between the government and the private sector and uses a common, easy-to-understand language to address and manage cybersecurity risk. The Framework also complements NIST SP 800-82, Guide to Industrial Control Systems.

The NIST Framework defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” 

The NIST CSF Core is shown below:

CHART 4 – NIST-Cybersecurity Framework Core

The Core consists of three parts: Functions, Categories, and Subcategories. The Core includes five high-level Functions: Identify, Protect, Detect, Respond, and Recover. The next level down is the 23 Categories that are split across the five Functions. Subcategories are the deepest level of abstraction in the Core. There are 108 Subcategories, which are outcome-driven statements that provide considerations for creating a new CSMS or improving the cybersecurity program by complementing an organisation’s existing CSMS.

In addition to the Core, the framework contains Implementation Tiers and Profiles. There are 4 Tiers: Partial, Risk Informed, Repeatable and Adaptive. These Tiers describe how well an organisation’s CSMS addresses the Functions defined in the CSF.

The Framework Profile is used to identify where an organisation’s CSMS is currently placed against the recommendations of the CSF. The outcome of the gap analysis can be used to define the Target profile that the organisation desires to achieve by optimal use of the CSF guidelines.

The NIST Cybersecurity Framework is an approach to standardising the organisation’s CSMS and can also be used to profile and benchmark its current security operations. In addition, NIST CSF’s informative references consist of globally recognised standards for cybersecurity. One of those standards is ISA/IEC 62443. The elements of the ISA/IEC 62443 CSMS described in Chart 3 can be mapped to specific categories of the NIST CSF. This mapping is demonstrated in an article published in ISA’s InTech magazine.[5]

In conclusion, understanding the ISA/IEC 62443 series of standards, the cybersecurity lifecycle, the elements of a CSMS, and the NIST CSF is essential for comprehending IACS cybersecurity fundamentals. These charts provide a visual representation of the key concepts and can help organisations in industrial facilities, such as manufacturing plants or power plants, to manage cybersecurity risks effectively and implement robust cybersecurity measures. By following these standards and best practices, organisations can enhance the security and reliability of their IACS and protect against cyber threats.


References

  1. Executive order – Improving Critical Infrastructure Cybersecurity
  2. Global Cybersecurity Alliance – Structuring the ISA/IEC 62443 standards
  3. ISA Publication – ISA/IEC 62443 Series of Standards
  4. Components of the NIST Cybersecurity Framework
  5. ISAGCA Responds to NIST Call for Standards to Fulfill Executive Order 14028