1.1 The Structure and Contents of the ISA/IEC 62443 Series

The ISA/IEC 62443 series of standards is made up of 14 work products (Standards, Technical Specifications and Technical Reports) that are logically grouped in four tiers:

  • Tier 1: General
  • Tier 2: Policies and Procedures
  • Tier 3: System
  • Tier 4: Component

Additionally, the 62443 series introduces three roles:

  • Asset Owner (AO): This is the end user and operator of an industrial automation control system.
  • System Integrator (SI): This is the entity in charge of the integration and configuration of the subsystems and components that constitute an IACS and of its deployment in the intended environment.
  • Product Supplier (PS): The manufacturer of an industrial product (an embedded device such as a PLC or an RTU, a network device such as a firewall, a host device such as a PC or a software application).

The first tier of the standard (62443-1), named “General”, includes those work products that are general in nature, introducing foundational concepts, models and terms that are used throughout the series. It includes four work products:

  • 62443-1-1: Concepts and Models
  • 62443-1-2: Master Glossary of Terms and Abbreviations
  • 62443-1-3: System Security Conformance Metrics
  • 62443-1-4: IACS Security Lifecycle and Use Cases

This first tier is equally relevant to all roles defined by the standard.

Figure 1-1. ISA/IEC 62443 Tier Structure

The second tier (62443-2), named “Policies and Procedures”, focuses on the people and process aspects of an effective security program, and its scope is plant operations. It includes five work products:

  • 62443-2-1: Security Program Requirements for IACS Asset Owners
  • 62443-2-2: Implementation Guidance for an IACS Security Management System
  • 62443-2-3: Patch Management in the IACS Environment
  • 62443-2-4: Requirements for IACS Solution Suppliers
  • 62443-2-5: Implementation Guidance for IACS Asset Owners

This second tier is most relevant to Asset Owners.

The third tier (62443-3), named “System”, focuses on the technology-related aspects of security for systems, describing the guiding principles for implementation and integration work that is intended to achieve security. It includes three work products:

  • 62443-3-1: Security Technologies for IACS
  • 62443-3-2: Security Risk Assessment and System Design
  • 62443-3-3: System Security Requirements and Security Levels

The fourth tier (62443-4), named “Component”, focuses on specific security-related requirements for products and components, covering both the technical contents of those products and the processes employed to manage them throughout their lifecycle. It includes two work products:

  • 62443-4-1: Secure Product Development Lifecycle Requirements
  • 62443-4-2: Technical Security Requirements for IACS Components

This fourth tier is most relevant to Product Suppliers. It is important to note that the content of Tier 4 was built with the goal of abstracting the component and its features from any specifics pertaining to the final automation project’s implementation (it is focused on the component’s capabilities).