What is ISA/IEC 62443?
There are numerous options for cyber security frameworks and standards and choosing the right one for securing your operational technology (OT) can be a daunting task. The ISA/IEC 62443 series of standards has emerged as a prominent choice for organisations looking for a framework for implementing and maintaining security within industrial automation and control systems (IACS) and OT throughout their lifecycle.
In this blog, we’ll delve deeper into the ISA/IEC 62443 standards, their features and advantages, and the standards’ prominence in Australia. By understanding the reasons why you may choose ISA/IEC 62443 over other alternatives, you can make an informed decision to enhance the cyber security of your critical infrastructure assets.
What is the ISA/IEC 62443?
ISA/IEC 62443 is a series of standards that define requirements and processes for implementing and maintaining security within industrial automation and control systems (IACS) and operational technology (OT) throughout their lifecycle. These standards provide a baseline of security best practices and a way to assess the level of security achieved. Its holistic approach links OT, IACS, safety and cyber security into a single framework, making it one of the most effective and efficient approaches to implementing OT cyber security. ISA/IEC 62443 sets a benchmark for a broad range of industry sectors, such as transportation, energy, water, mining, medical, and manufacturing.
ISA/IEC 62443 background
The ISA/IEC 62443 standards were developed by the ISA99 committee of the International Society of Automation (ISA), which recognised the need to secure equipment and operations within US critical infrastructure. The standards were developed as part of a larger family of comprehensive standards created to address the problem of securing automation and control systems. They were later submitted to the International Electrotechnical Commission (IEC) and adopted for global use.
ISA/IEC 62443 standard within Australia
Within Australia, the adoption of ISA/IEC 62443 is continually growing to address the cyber security needs of critical infrastructure and OT systems. The Australian Cyber Security Centre (ACSC), the Australian Government’s lead agency for cyber security, has provided guidance and resources for implementing IEC 62443-based security practices in industrial control systems.
The Australian Department of Home Affairs and the Cyber and Infrastructure Security Centre drafted a consultation guidance document in 2022 to support engagement with their Critical Infrastructure Risk Management Program. This was intended to help entities within the scope of the Security of Critical Infrastructure Act comply with its requirements. The Security of Critical Infrastructure Risk Management Program Rules commenced on 17 Feb 2023, requiring responsible entities to comply with the program under the Act. ISA/IEC 62443 is a sound cyber security standard for supporting organisations in improving risk management in their OT environments.
Some industries in Australia, such as health with a focus on medical instruments, have been recommended to implement the standard, while some power transmission providers and generators across Australia have announced their use of the standard as part of their growth within the industry. Organisations within the Australian transportation sector have adopted the standard since 2018. Because organisations that form part of critical infrastructure are attractive targets for threat actors, such organisations have obtained certification against the ISA/IEC 62443 standard to provide further assurance and appropriate cyber security, contributing to the security of Australia’s critical infrastructure assets that rely heavily on OT.
An IEC 62443 certification is considered significant because it supports a defence-in-depth strategy. Multiple layers of security controls are employed to create a robust OT security posture covering areas such as network segmentation, access control, encryption, intrusion detection and prevention, incident response, and security awareness training. Organisations of all sizes whose core business depends on OT can protect themselves against cyber threats through compliance with this standard.
ISA/IEC 62443 structure
The ISA/IEC 62443 series comprises nine standards that can be classified into four groups: general, policies and procedures, system, and component. These groups are supplemented with additional technical reports (TR) and technical specifications (TS).
- The General category defines core terminology, concepts, and models.
- The Policies and Procedures category defines the methods and processes used to establish IACS security and maintain it throughout the system’s lifecycle.
- The System category focuses on system-level security requirements for design and risk assessment.
- The Component category details the requirements for the development lifecycle and maintenance of IACS products.
Across these groups, the standard gives guidance to those who choose to implement it by:
- Establishing and defining the terms, concepts, and models for stakeholders responsible for control systems.
- Helping organisations to determine the necessary security level to meet business and risk needs.
- Setting common requirements for a cyber security lifecycle methodology for product development, against which product and vendor development processes can be certified.
- Defining risk assessment processes to protect, mitigate, and secure.
Interested in learning more?
The ISA/IEC 62443 series of standards is a comprehensive and specialised framework for securing industrial automation and control systems (IACS) and operational technology (OT). Its holistic approach, integration of safety and cyber security, and broad industry acceptance make it an attractive choice for organisations seeking to fortify their critical infrastructure assets. By opting for ISA/IEC 62443 over other alternatives, organisations can benefit from its well-defined processes, risk assessment methodologies, and a structured approach to product development and maintenance.
If you’re looking to deepen your understanding of ISA/IEC 62443 and other essential concepts in operational technology (OT) cyber security, OT-SAT can help. Our video-based OT cyber security awareness training platform is designed for OT engineers and operators working in OT environments, cyber security personnel and IT staff collaborating closely with OT teams, and corporate executives, CISOs, chief risk officers, and managers responsible for cyber security. OT-SAT offers valuable insights into OT cyber security, how OT operates, and how to secure your assets. Get in touch today for a demo to help you strengthen your understanding of OT cyber security practices and make informed decisions to safeguard your organisation’s critical infrastructure.