Cyber Security Standard Defines Requirements for Industrial Automation and Control Systems

A series of standards is being developed by the International Society of Automation (ISA) ISA99 committee and adopted globally by the International Electrotechnical Commission (IEC) to provide a flexible framework to address and mitigate current and future vulnerabilities in industrial automation and control systems (IACS). A newly published standard in the series, ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels, addresses risks arising from the growing use of business information technology (IT) cyber-security solutions to address IACS cyber security in complex and dangerous manufacturing and processing applications, ISA reported in a press release.

IACS security goals typically focus on control system availability, plant protection, plant operations, and time-critical system response. IT security goals, in contrast, often focus more on protecting information than physical assets. For this reason, use of IT cyber-security solutions to address IACS security must be implemented knowledgably, explained ISA in the release. The new ISA99 standard addresses this concern with an approach to defining system requirements that is based on a combination of functional requirements and risk assessment and an awareness of operational issues.

ISA99 is applicable to all industry sectors and critical infrastructure. “The new standard represents a collaborative effort of experts from multiple industries around the world,” the ISA99 task group leader for the project, Jeff Potter of Emerson Process Management, said in the press release.

ANSI/ISA-62443-3-3-2013 was approved as an American National Standard on Aug. 13, 2013. An essentially identical version will be published by the IEC later this year as IEC 62443-3-3.