The International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance (ISAGCA) are proud to announce that the International Electrotechnical Commission (IEC) has officially designated the IEC/ISA-62443 series of standards as “horizontal,” meaning they are proven to be applicable to a wide range of different industries.
According to the IEC decision, “IEC Technical Committee 65 (TC 65) publishes IEC-62443 for operational technology found in industrial and critical infrastructure, including but not limited to energy utilities, water management systems, healthcare, and transportation systems. These horizontal standards, also known as basic standards, are independent of technology. They can be applied in many technical areas.”
“The ISA99 committee of the International Society for Automation (ISA) and Working Group 10 of IEC Technical Committee 65 have been collaborating on the development of the ISA/IEC-62443 cybersecurity standards for the cybersecurity of industrial automation and control systems (IACS) for many years. While the intent has always been broad applicability, there has been a common perception that they were most appropriate for process industries such as chemicals and refining,” explained ISA99 Co-Chair Eric Cosman. “Despite that perception, there have been several examples of successful applications in other sectors, such as transportation, building automation, metals and mining, and discrete manufacturing. Ultimately, it’s better for users if they can rely on a set of independent industry standards.”
The ISA/IEC-62443 series of standards is the only consensus-based global cybersecurity standard for control and automation system applications. These standards codify hundreds of years of operational technology and expertise in IoT cybersecurity. Using the ISA/IEC-62443 series of standards as a foundation, companies can focus on embracing security as part of the operations lifecycle, ensuring compliance with various aspects of standards in their supply chains, and including cybersecurity in operational risk management profiles.
“While this news may seem like a procedural detail, it will have significant implications,” Cosman said. “Several other IEC technical committees representing the needs and interests of specific sectors will presumably base their cybersecurity-related efforts on what is in the 62443 standards, focusing on defining how they should be interpreted and applied in a given set of circumstances. This will almost certainly lead to the creation of a set of sector-specific profiles for this purpose. To aid in this effort, TC65 WG10 is developing guidance on how to develop such profiles, rather than pursuing industry-specific and perhaps inconsistent standards. Guidelines, frameworks, training materials and other resources can also take a more general approach, incorporating the needs of many sectors.”
The designation of the ISA/IEC-62443 series as a horizontal standard will have many benefits for stakeholders:
- Asset owners who have a presence or exposure to more than one sector will be able to align their cybersecurity programs, leveraging ISA/IEC-62443 as the sole source for the fundamental principles and requirements of cybersecurity automation.
- Automation system suppliers will be able to certify their products for a wider range of applications, using a common set of conformity specifications based on 62443.
- IEC TC 65 WG 10 and the ISA99 committee will be able to focus their efforts on collaboration and advancement of the standards’ series, especially around current demands in areas such as IIoT, sensor-level security, and supply chain risks.
- ISA’s Global Cybersecurity Alliance (ISAGCA) and its more than 50 member companies will partner with asset owners and vendors to build relevant, application-focused materials that enable companies across different sectors around the world to adopt and implement the standards’ suite at scale.
“Member companies of the ISA Global Cybersecurity Alliance have long believed in the broad applicability of the ISA/IEC-62443 series of standards,” said ISAGCA President Megan Samford. “We couldn’t be more excited to see this news from IEC, because it echoes and confirms the work we’ve done. This set of standards is the only comprehensive set of security practices and capabilities that can be applied to constantly assess and improve cybersecurity for operational technology systems, and our members are ready to help companies around the world successfully implement it.”