Operational technology (OT) risks have become an increasing concern to organizations due to the crucial role OT plays in supporting industrial operations and infrastructure. Cyberattacks such as malware and ransomware attacks can damage industrial control systems (ICS) and disrupt critical services such as healthcare, energy, and transportation.
To enhance the security of OT systems, the ISA/IEC 62443 series of standards was developed to set requirements and best practices for implementing and maintaining industrial automation and control systems (IACS). This article will guide you through the components of the ISA 62443 Part 3-2, Part 3-3, and Part 2-1 standards to help you effectively manage risks and ensure secure and reliable operations within your organization. Read on to learn more:
What is the importance of OT risk management?
Operational technology refers to hardware and software systems that monitor or control physical devices and infrastructure as well as industrial processes and systems. OT systems such as ICS, Programmable Logic Controllers (PLCs), and Supervisory Control and Data Acquisition (SCADA) systems are used to control how machines function and are vital in manufacturing, energy and utilities, and other critical sectors.
Aside from being key to critical services and infrastructure, operational technology often runs on legacy systems while integrating with various IT networks, making it vulnerable to cyberattacks. Managing these risks enables organizations to protect their OT systems against cybersecurity threats and prevent catastrophic impacts on essential functions.
The 62443 standards by the International Society of Automation (ISA) can help organizations assess and improve the security performance of their IACS, enabling them to align their security practices to global standards and cybersecurity benchmarks across industrial sectors. ISA 62443 standards integrate the disciplines of process safety, cybersecurity, and information technology to create a holistic framework for managing operational technology risks.
ISA 62443 cybersecurity standards
With the goal of addressing cybersecurity in industrial environments, ISA 62443-3-2, 62443-3-3, and 62443-2-1 serve as complementary frameworks that provide security requirements for managing an IACS. Let’s take a look at each of them and their components:
ISA 62443 Part 3-2
The ISA 62443 Part 3-2 standard covers security risk assessment for the system design of industrial control systems. It outlines a comprehensive process for conducting cybersecurity risk assessments for an IACS, splitting it into two parts.
The first part, which is the initial risk assessment, consists of steps such as segmenting the system into security zones and conduits and performing an initial cybersecurity risk assessment, indicating required inputs such as system inventory and corporate risk criteria. Once the initial risk results are determined, the second part of the process, which is a detailed risk assessment, is performed for risks that exceed tolerable levels. Its steps include identifying threats, their likelihood, and possible consequences of compromise, assessing countermeasures, and creating an in-depth risk assessment report.
Main requirements of the standard include:
- Defining the control system under consideration (SUC) by examining initial system architecture diagrams, company policies, regulations, and risk tolerance, identifying external support and services needed for the IACS
- Partitioning the SUC into zones and conduits based on data flows and system architecture. An industrial control system consists of zones, which are groups of assets or sub-systems that are physically or functionally connected and share common security requirements, as well as conduits, which are communication channels linking two or more zones.
- Assessing the risk for each zone and conduit by identifying threats and vulnerabilities and evaluating their likelihood and impact. This involves reviewing security incident history, prior audits, cyber process hazard analyses (PHAs), and other risk assessments and threat information sources.
- Establishing target security levels (SL-T) for each zone and conduit through a corporate risk matrix that determines the organization’s risk tolerance level
- Documenting the security requirements needed by the organization to design, implement, operate, and maintain effective security measures to manage risks
What makes ISA 62443 Part 3-2 highly beneficial is that it helps organizations identify and assess potential security risks based on the IACS design, highlighting the importance of incorporating security considerations into the system design phase. Overall, the standard provides a systematic approach to risk assessment that can empower organizations to establish OT cybersecurity risk management processes and measures tailored to specific system security requirements.
ISA 62443 Part 3-3
On the other hand, ISA 62443-3-3-2013 focuses on system security requirements and security levels for an IACS. It details technical security requirements (SR) as well as requirement enhancements (RE)—which function as controls—designed to meet the seven foundational requirements (FR) for an industrial control system, as defined by the standard:
- Identification and authentication control – Grant authorization to different users (humans, software processes, and devices) to access the system under consideration.
- Use control – Enforce privileges for different users who have access to the SUC.
- System integrity – Prevent any unauthorized changes to the system.
- Data confidentiality – Protect data at rest and in transit from unauthorized disclosure.
- Restricted data flow – Restrict communication between zones and conduits within the IACS.
- Timely response to events – Monitor IACS components to enable timely detection, evidence collection, response, and reporting of security incidents to the proper authorities.
- Resource availability – Ensure that system components will continue to provide essential functions to maintain operational continuity amidst disruptions.
Examples of SRs and REs include multi-factor authentication for all networks (under identification and authentication control), use control for portable and mobile devices (under use control), malicious code protection (under system integrity), and network segmentation (under restricted data flow).
ISA 62443 Part 3-3 also specifies different security levels for industrial control systems. A security level is defined by the standard as a measure of confidence that the SUC is free from vulnerabilities and functions as intended. The standard also assigns corresponding security requirements for each level:
|
Security levels |
|
System security requirements |
|
SL 0 |
No protection necessary for the system under consideration |
No security requirements |
|
SL 1 |
Protection of the SUC against casual or coincidental security breaches |
Security requirements for basic threats |
|
SL 2 |
Protection of the SUC against intentional security breaches carried out using simple methods with low resources, generic skills, and low motivation |
Security requirements for moderate threats |
|
SL 3 |
Protection of the SUC against intentional security breaches carried out using sophisticated methods with moderate resources, system-specific skills, and moderate motivation |
Security requirements for sophisticated threats |
|
SL 4 |
Protection of the SUC against intentional security breaches carried out using sophisticated methods with extended resources, system-specific skills, and high motivation |
Security requirements for advanced threats |
Combining all these components, ISA 62443 Part 3-3 maps each system requirement and requirement enhancement to the applicable security level. For example, as shown in the table below, the system requirement of account management applies to all security levels for a system under consideration. Meanwhile, the requirement enhancement: unified account management, only satisfies security levels 3 and 4 as it is a security measure designed to address sophisticated and advanced threats:
Essentially, ISA 62443 Part 3-3 provides the components necessary to fulfill the requirements of ISA 62443 Part 3-2. It outlines the different security requirements or mitigation measures needed as an output of the risk assessment in Part 3-2. At the same time, the security levels in Part 3-3 enable organizations to determine their target security levels for each zone, which is another requirement of ISA 62443 Part 3-2.
ISA 62443 Part 2-1
Recently updated in 2024, the ISA 62443-2-1 standard specifies security program requirements for IACS asset owners. It covers requirements for establishing an IACS security program, encompassing policy, procedure, practice, and personnel-related requirements. A security program (SP) refers to the allocation, implementation, and maintenance of human, procedural, and technological capabilities necessary to reduce the cybersecurity risk of an industrial control system.
ISA 62443 Part 2-1 is intended for asset owners or those who are responsible for designing and implementing the security program and operating the IACS. According to the standard, an IACS security program must address the entire lifecycle of the system, incorporating policies and procedures for requirements that may not be applicable to legacy systems, such as security patches. It must also include security requirements for product suppliers, system integrators, maintenance service providers, and other third parties making up the organization’s supply chain.
Responsibilities of an asset owner include:
- Establishing, implementing, maintaining, and continuously improving the IACS security program
- Partitioning the industrial control system into zones and conduits and performing associated risk assessments
- Documenting IACS security requirements
- Procuring products and services to help meet security requirements
- Operating and maintaining the IACS
- Assessing the effectiveness of the IACS security program
The standard also establishes a maturity model, which consists of maturity levels that measure whether security program requirements related to policy, procedure, process, and personnel are met:
|
Level 1: Initial |
Product development is typically ad hoc and undocumented, limiting consistency and repeatability |
|
Level 2: Managed |
Product development is managed using written policies, with processes defined and personnel properly trained or equipped with expertise to execute procedures |
|
Level 3: Defined |
All processes are repeatable and in practice across the organization with documented evidence |
|
Level 4: Improving |
Process metrics are used to evaluate control effectiveness and performance, facilitating continuous improvement |
Part 3-2, Part 3-3, along with all the other standards in the ISA 62443 series derive their requirements from Part 2-1 and expand on its components.
Overall, ISA 62443 Part 3-2, Part 3-3, and Part 2-1 work hand in hand in equipping organizations with robust risk management processes and security measures for the adequate protection of industrial control systems from various threats, ensuring operational resilience.
Streamline operational technology risk management with 6clicks
Effortlessly align with global standards for OT cybersecurity risk management through the 6clicks platform. Leverage complete cyber risk management and security compliance capabilities to help you implement the requirements of ISA 62443 Part 3-2 and Part 3-3.
Use our systematic Risk Registers to easily conduct thorough risk assessments for your IACS and then implement, test, monitor, and report on the performance of controls or system security requirements using 6clicks’ powerful Controls module and continuous control monitoring feature.
You can also catalog and categorize your identified zones and conduits as assets under the Assets Register and easily link them to their associated risks and vulnerabilities within the platform, facilitating seamless risk management workflows.
Lastly, generate custom reports on risk assessments, control implementation, and other risk management activities to maintain complete and up-to-date documentation of your IACS security program.
Explore 6clicks by scheduling a demo below.
Written by Jami Samson
Jami is a seasoned Technical Writer at 6clicks, where she harnesses her extensive experience in domains such as information technology, artificial intelligence, and GRC to craft high-quality content. Having worked in the marketing field since 2017, she has established a solid background in copywriting and content writing and is skilled in translating complex topics into informative and engaging pieces. Apart from writing, Jami is also passionate about music.
