1 About ISA/IEC 62443

ISA/IEC 62443 is a series of standards, technical specifications and technical reports totalling about 800 pages that came to be from an initiative of the International Society of Automation (ISA) Committee on Security for IACS (ISA99) in 2007, and was later produced by the International Electrotechnical Commission (IEC).

ISA/IEC 62443 is meant to address the security needs of industrial automation and control systems that make use of operational technology (OT) and that have increasingly been facing cyberattacks over the past few years. The consequences are diverse, spanning from the compromise of high value assets that are strategic for national safety (e.g., outages in energy distribution, transportation networks or healthcare industries), to the loss of revenue (e.g., manufacturing), to directly jeopardizing human lives (e.g., electrocution, chemical product exposure, fatal equipment failure, etc.).

These security needs and the threats they arise from are not aligned to those of more traditional information technology (IT) systems due to the many differences in the characteristics of the two types of systems, in terms of:

• Performance requirements (such as throughput or response time)
• Availability requirements (tolerance to outages, need for continuous operation, plant certifications, etc.)
• Operating environment characteristics (e.g., type of operating system used, technology refresh rate, system upgradeability)
• Risk management goals (fault tolerance, prevention of negative HSE consequences)

As a result of all these particularities, the existing security standards that were originally developed for applying to the IT context (such as those belonging to the ISO 27000 series) are not suited to efficiently nor effectively address IACS security requirements.