The ISA-62443 series of standards, developed by the International Society of Automation (ISA), is a comprehensive set of guidelines for ensuring the security of Industrial Automation and Control Systems (IACS).
ISA-62443-2-1:2009 is one specific standard within this series; it focuses on establishing an industrial automation and control systems security program. Because many of these systems run critical infrastructure, it is essential to protect them against any security incident that could disrupt operations. This blog post details the assessments outlined in ISA-62443-2-1:2009 and why IACS operators should prioritize them.
The ISA-62443 Series of Standards
The ISA-62443 standards detail IACS assessments that ensure organizations fully protect their critical systems against significant physical and digital threats. An IACS, or Industrial Automation and Control System, refers to a collection of networked systems used to operate and automate industrial processes.
Examples include Programmable Logic Controllers (PLCs), Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA) Systems, Human-Machine Interfaces (HMIs), and Sensor Networks and Actuators.
Previously known as the ISA99 standards, the ISA-62443 standards provide a structured and systematic approach to securing the industrial control systems that sectors such as manufacturing, energy, and water treatment depend on. The series includes:
- General Concepts and Models (ISA-62443-1): This part provides the foundation for the series, outlining the definitions, concepts, and models used in IACS security.
- Establishing an Industrial Automation and Control Systems Security Program (ISA-62443-2): This part focuses on creating and maintaining an IACS security program, including risk assessment, addressing vulnerabilities, and protective measures.
- System Security Requirements and Security Levels (ISA-62443-3): This part lists specific requirements for IACS security, defines security levels, and outlines the requirements to reach each level.
- Technical Requirements for IACS Components (ISA-62443-4): This part explains technical requirements for IACS components, such as requirements for secure product development life cycles and system integration.
Core Components of ISA-62443-2-1:2009
The second part of the ISA-62443 series is focused on establishing an industrial automation and control systems security program. In particular, ISA-62443-2-1:2009 outlines the elements of cybersecurity needed to manage an IACS and guides users in meeting the requirements of each element.
This standard outlines four main areas that IACS operators must prioritize, each with specific elements to identify and evaluate:
- Security and Privacy Programs Assessment
- Infrastructure Security Assessment
- Physical & Data Center Security Assessment
- Application Security Assessment
Security and Privacy Programs Assessment
An information security and privacy program is a comprehensive set of policies, guidelines, and processes for identifying and addressing the threats and risks to company information and systems. For IACS, security and privacy program assessments are essential. This section of ISA-62443-2-1:2009 assesses whether an organization has an established security program and, if not, outlines the key areas to consider when creating one.
An established security and privacy program helps ensure customer information is kept safe. This standard assesses key areas, including:
- Security and Privacy: Established security programs and security controls
- Personnel Security: Access control, password protocols, confidentiality agreements, information security and privacy training for employees, etc.
- Compliance with Laws and Regulations: Process for identifying, documenting, and retaining relevant legislative, regulatory, and contractual requirements
Infrastructure Security Assessment
An infrastructure security assessment is a comprehensive evaluation of the physical and digital infrastructure of an IACS. Its purpose is to identify any vulnerabilities or potential points of failure that could be at risk for cyber threats.
IACS often run systems critical to industrial processes, so any breach or failure could have devastating consequences (operational disruptions, safety hazards, etc.). This type of assessment therefore helps an organization understand its security posture and the adequacy of its existing security measures. Areas in this section of ISA-62443-2-1:2009 include:
- Network: System configuration management tools, firewalls, data encryption, segregated systems, continuous monitoring, etc.
- Servers: Processes for OS updates and patches, malware protection measures, etc.
- Clients (Workstation, Laptops, etc.): Standards for client systems, malware protection on client devices, personal access control, etc.
- Infrastructure Support Agreements: Support agreements for unsupported operating system versions
- Data Management: Separate environments for development, testing, and production
- Technical Security Testing: Penetration testing, vulnerability scanning, security testing, etc.
- Logging: Security-relevant event logging
- Asset Management: Up-to-date inventories, tracking of employee, contractor, and third-party assets, etc.
Physical & Data Center Security Assessment
The next area of ISA-62443-2-1:2009 focuses on physical and data center security. This assessment evaluates the physical security measures that prevent unauthorized access to sensitive equipment and to the data centers where an organization stores the components and data of its IACS.
A comprehensive assessment covers physical access controls, surveillance systems, and environmental controls. For the digital assets housed in these facilities, it also evaluates the security posture against cyber threats such as hacking, malware, and data breaches. This dual approach ensures robust physical and data center security and keeps IACS operations running. Areas in this section include:
- Security at the Office: Physical measures like guards, motion detectors, CCTV, electronic access control, perimeter security, auto-locking of unattended equipment, etc.
- Data Center Security: Controlled access points, outage protocols, risk assessments, etc.
Application Security Assessment
Applications play a vital role in controlling, monitoring, and managing industrial processes in an IACS. Any vulnerability within these applications can lead to significant risks, such as operational disruptions, data breaches, and safety hazards.
Conducting a comprehensive security assessment of these applications helps identify and mitigate vulnerabilities that attackers could exploit, including coding flaws, inadequate encryption, and insecure APIs. It also evaluates the effectiveness of existing security controls, such as authentication and authorization mechanisms, and checks compliance with industry standards and best practices. Areas in this section include:
- Vulnerability Reporting and Management: Processes for reporting vulnerabilities, customer notification, etc.
- Authentication and Authorization: Authentication services, password requirements, SSO mechanisms, etc.
- Software Development Lifecycle: Security-related requirements for applications, integrity and confidentiality of processed information, secure coding processes, etc.
- Third-Party Dependencies: Security reviews of outsourcing providers
Accelerate Your Questionnaire Process with UpGuard
UpGuard BreachSight and VendorRisk automate your assessment process using our powerful built-in security questionnaires. Send standard templates or custom questionnaires to your vendors, configure questionnaire due dates, and set regular reminders to ensure vendors complete requests efficiently.
Risks are automatically identified on vendor responses, so you can request remediation or waive them. Collaborate with vendors on mitigating risks using the risk assessment workflow, correspond in-line for specific vendor responses using auditable, built-in messaging, or add internal notes.
Our Questionnaire Library references regulations and best practices from the cybersecurity industry, including:
- SIG Lite Questionnaire
- ISO 27001 Questionnaire
- Higher Education Community Vendor Assessment Tool (HECVAT) Questionnaire
- Health Insurance Portability and Accountability Act (HIPAA) Questionnaire
- NIST Cybersecurity Framework Questionnaire
- COBIT 5 Security Standard Questionnaire
- California Consumer Privacy Act (CCPA) Questionnaire
- CIS Controls 7.1 Security Standard Questionnaire
- PCI DSS Questionnaire
- Apache Log4J - Critical Vulnerability Questionnaire