Over the next couple of blogs, I plan to map out the importance of ISA/IEC-62443/ISA-99 based cybersecurity and how it applies to your work environment. I'll also explain some of our services so that you can see what might pertain to you.
For part 1, I started from the beginning and outlined what exactly ICS cybersecurity is and why it is important.
For part 2, I explained the difference between IT vs. ICS cybersecurity and differing the security focus between IT and ICS.
In this blog, I will explain the structure of the standards that pertain to ICS cybersecurity.
Control System Security Layers of Responsibility
Today everyone’s involved with security, from the people who are originally designing and building the systems, the Emersons, Yokagawas, the ABBs of the world, all the way to the end user. They all have a stake. They all have a responsibility to make sure that security is built-in, applied, tested, and maintained as the system goes out to be run and they are running it.
ISA / IEC 62443 Structure
Most of what we do falls under the guidelines of the ISA / IEC62443 structure. It used to be called the S99. The S99 is now the group. They developed a series of documents pertaining to the categories, general policy procedures, systems, and components. Different documents relate to different areas. The ones we use the most are the 2-1 which is developing an ICS management system. That’s the one we draw most of our information out of.
Requirements from ISA-99 (IEC 62443-2-1)
The original series of documents was called ISA99. They reformatted and rewrote them into the 62443 series of documents. These tables were originally written in the 99 series and the only reason I keep them in here, and this is a true story, is because they're easier to see.
The newer documents have a lot of verbiage and it's a lot tougher to glean what you need to get out of the documents whereby going back to these it's actually listed very nicely so it's easy to use. If you look in them you'll find the same information.
Part of what they say in ISA-99 (IEC 62443-2-1) is to select a methodology. The assessment background is, you're telling people why you're doing this, what's the benefit of it. Conduct a high level risk assessment, identify the control systems that you're going to do something with, you're going to do the assessments too, you're going to apply your procedures, too.
- Develop your network diagrams. Which are your most important systems? Which ones, if compromised, will cause the most damage or injury, etc?
- Perform the detailed vulnerability assessment.
- Identify a detailed risk assessment methodology
- conduct a detailed risk assessment, how often you're going to do it, etc., etc.
In the next part of this blog, I will focus on control system assessments and when should you perform them.