Overview of ISA 62443 and its Relationship to the NIST Framework
John Cusimano, aeSolutions
ISA99 Committee
• The International Society of Automation (ISA) Committee on Security for Industrial Automation & Control Systems (ISA99)
– 500+ members
– Representing companies across all sectors, including:
  – Chemical Processing
  – Petroleum Refining
  – Food and Beverage
  – Energy
  – Pharmaceuticals
  – Water
  – Manufacturing
Our Scope
• “… industrial automation and control systems whose compromise could result in any or all of the following situations:
– endangerment of public or employee safety
– environmental protection
– loss of public confidence
– violation of regulatory requirements
– loss of proprietary or confidential information
– economic loss
– impact on entity, local, state, or national security”
Committee Work Products
NIST Framework and ISA
• The Cybersecurity Framework is not another standard. Instead, it is a high-level concept that brings together relevant standards and sets them in an appropriate context.
• ISA was a major contributor to the Framework.
Framework Core
• What assets need protection? (Identify)
• What safeguards are available? (Protect)
• What techniques can identify incidents? (Detect)
• What techniques can contain the impacts of incidents? (Respond)
• What techniques can restore capabilities? (Recover)
Framework Core – Common Categories for Critical Infrastructure
Source: Framework for Improving Critical Infrastructure Cybersecurity
Framework Core - Sample
Function: PROTECT (PR)
Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Subcategories and informative references:
• PR.AC-1: Identities and credentials are managed for authorized devices and users
  – CCS CSC 16
  – COBIT 5 DSS05.04, DSS06.03
  – ISA 62443-2-1:2009 4.3.3.5.1
  – ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  – ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
  – NIST SP 800-53 Rev. 4 AC-2, IA Family
• PR.AC-2: Physical access to assets is managed and protected
  – COBIT 5 DSS01.04, DSS05.05
  – ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
  – ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
  – NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9
• PR.AC-3: Remote access is managed
  – COBIT 5 APO13.01, DSS01.04, DSS05.03
  – ISA 62443-2-1:2009 4.3.3.6.6
  – ISA 62443-3-3:2013 SR 1.13, SR 2.6
  – ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1
  – NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20
• PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
  – CCS CSC 12, 15
  – ISA 62443-2-1:2009 4.3.3.7.3
  – ISA 62443-3-3:2013 SR 2.1
  – ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
  – NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
• PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
  – ISA 62443-2-1:2009 4.3.3.4
  – ISA 62443-3-3:2013 SR 3.1, SR 3.8
  – ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1
  – NIST SP 800-53 Rev. 4 AC-4, SC-7
Source: Framework for Improving Critical Infrastructure Cybersecurity
Committee Work Products
IEC/ISA 62443-02-01: Requirements for an IACS Security Management System
• Formerly ANSI/ISA–99.02.01–2009, “Establishing an Industrial Automation and Control Systems Security Program”
• Focuses on how to create a security program for control systems
• The program is integrated into a “Cyber Security Management System” (CSMS)
• Details of the program are described by elements and requirements for each element
• The elements and requirements are organized into three main categories:
– Risk Analysis
– Addressing the Risk with the CSMS
– Monitoring and Improving the CSMS
ISA-62443-2-1: Requirements for an IACS Security Management System
• Risk Analysis
  – Business Rationale
  – Risk Identification, Classification & Assessment
• Addressing Risk with the CSMS
  – Security Policy, Organization, and Awareness
    – CSMS Scope
    – Organizational Security
    – Staff Training & Security Awareness
    – Business Continuity Plan
    – Security Policies & Procedures
  – Selected Security Countermeasures
    – Personnel Security
    – Physical & Environmental Security
    – Network Segmentation
    – Access Control: Account Administration
    – Access Control: Authentication
    – Access Control: Authorization
  – Implementation
    – Risk Management & Implementation
    – System Development & Maintenance
    – Information & Document Management
    – Incident Planning & Response
• Monitoring & Improving the CSMS
  – Compliance
  – Review, Improve, & Maintain the CSMS
Mapping the NIST Framework Categories to ISA 62443-2-1
[Diagram: the ISA-62443-2-1 CSMS element chart (Risk Analysis; Addressing Risk with the CSMS; Monitoring & Improving the CSMS), with each element annotated by the NIST CSF categories that map to it, plus a “Not Mapped” box. Categories appearing in the diagram: ID.AM, ID.BE, ID.GV, ID.RA, ID.RM, PR.AC, PR.AT, PR.DS, PR.IP, PR.MA, PR.PT, DE.AE, DE.CM, DE.DP, RS.RP, RS.CO, RS.AN, RS.MI, RS.IM, RC.RP, RC.IM, RC.CO. The element-by-element assignment is not legible in the extracted text.]
ISA 62443-3-3: System Security Requirements and Security Levels
• Approved and published by ISA in 2013
• Defines system-level security requirements
• Organized into 7 Foundation Requirements
• Requirements are assigned a Security Level (SL)
Foundation Requirements
• Identification and Authentication Control (IAC)
– Control access to devices and/or information
• Use Control (UC)
– Control use of devices and/or information
• System Integrity (SI)
– Ensure the integrity of data
• Data Confidentiality (DC)
– Ensure the confidentiality of data
• Restrict Data Flow (RDF)
– Restrict the flow of data
• Timely Response to Events (TRE)
– Respond to security violations in a timely manner
• Resource Availability (RA)
– Ensure the availability of network resources
Mapping the NIST Framework Categories to ISA 62443-3-3
• FR 1 – Identification and authentication control: PR.AC
• FR 2 – Use control: PR.AC, PR.PT, DE.AE, DE.CM, RS.AN
• FR 3 – System integrity: PR.AC, PR.DS, PR.IP, PR.PT, DE.AE, DE.CM, DE.DP, RS.AN
• FR 4 – Data confidentiality: PR.DS, PR.IP, PR.PT
• FR 5 – Restricted data flow: PR.DS, PR.PT, RS.MI
• FR 6 – Timely response to events: DE.AE, DE.CM, DE.DP, RS.AN
• FR 7 – Resource availability: ID.AM, PR.DS, PR.IP, PR.PT
Not Mapped: ID.BE, ID.GV, ID.RA, ID.RM, PR.AT, PR.MA, RS.RP, RS.CO, RS.IM, RC.RP, RC.IM, RC.CO
Summary
• The NIST Cybersecurity Framework (CSF) offers a straightforward structure that can be applied to both IT and ICS cybersecurity
• It maps to both IT security standards (e.g. ISO/IEC 27001) and ICS security standards (e.g. ISA/IEC 62443)
• The mapping to ISA/IEC 62443 is solid but has limitations:
– Currently it only maps to the 2 approved standards (2-1, 3-3)
– The mapping is strongest in the CSF → 62443 direction
– Many 62443 requirements do not map back to the CSF
• Recommendation: Adopt the CSF structure for both IT and ICS cybersecurity, but utilize all of 62443 (not just the clauses that map)