1.1 The Structure and Contents of the ISA/IEC 62443 Series
The ISA/IEC 62443 series of standards is made up of 14 work products (Standards, Technical Specifications and Technical Reports) that are logically grouped in four tiers:
- Tier 1: General
- Tier 2: Policies and Procedures
- Tier 3: System
- Tier 4: Component
Additionally, the 62443 series introduces three roles:
- Asset Owner (AO): This is the end user and operator of an industrial automation and control system (IACS).
- System Integrator (SI): This is the entity in charge of the integration and configuration of the subsystems and components that constitute an IACS and of its deployment in the intended environment.
- Product Supplier (PS): The manufacturer of an industrial product (an embedded device such as a PLC or an RTU, a network device such as a firewall, a host device such as a PC, or a software application).
The first tier of the standard (62443-1), named “General”, includes those work products that are general in nature, introducing foundational concepts, models and terms that are used throughout the series. It includes four work products:
- 62443-1-1: Concepts and Models
- 62443-1-2: Master Glossary of Terms and Abbreviations
- 62443-1-3: System Security Conformance Metrics
- 62443-1-4: IACS Security Lifecycle and Use Cases
This first tier is equally relevant to all roles defined by the standard.
The second tier (62443-2), named “Policies and Procedures”, focuses on the people and process aspects of an effective security program, and its scope is plant operations. It includes five work products:
- 62443-2-1: Security Program Requirements for IACS Asset Owners
- 62443-2-2: Implementation Guidance for an IACS Security Management System
- 62443-2-3: Patch Management in the IACS Environment
- 62443-2-4: Requirements for IACS Solution Suppliers
- 62443-2-5: Implementation Guidance for IACS Asset Owners
This second tier is most relevant to Asset Owners.
The third tier (62443-3), named “System”, focuses on the technology-related aspects of system security, describing the guiding principles for implementing and integrating a system so that it achieves the intended security. It includes three work products:
- 62443-3-1: Security Technologies for IACS
- 62443-3-2: Security Risk Assessment and System Design
- 62443-3-3: System Security Requirements and Security Levels
The fourth tier (62443-4), named “Component”, focuses on specific security-related requirements for products and components, covering both the technical content of those products and the processes employed to manage them throughout their lifecycle. It includes two work products:
- 62443-4-1: Secure Product Development Lifecycle Requirements
- 62443-4-2: Technical Security Requirements for IACS Components
This fourth tier is most relevant to Product Suppliers. It is important to note that the content of Tier 4 was written to abstract the component and its features from any specifics of the final automation project’s implementation: it is focused on the component’s capabilities.