The ISA/IEC 62443 Approach to Security

The ISA/IEC 62443 series illustrates a comprehensive approach to security in the industrial domain, stressing the importance of:

This holistic approach originates from the need to address the end user’s concerns (the Asset Owner’s perspective is central).

One of the cornerstones this approach is built on is the concept of “Security Levels” (SLs).

The ISA/IEC 62443 series introduces qualitative definitions for security levels (SL), characterized by the level of protection that is provided against attacks.

Figure 1. ISA/IEC 62443 Security Levels

The ISA/IEC 62443 approach expects an Asset Owner to perform a risk assessment activity when defining the IACS for implementation. The outcome of this risk assessment activity is a “Target Security Level” (SL-T) for the IACS as a whole.

Based on this SL-T, the Asset Owner (AO), with the aid of System Integrators, then procures subsystems and components and implements the IACS in the specific destination environment. Each component and subsystem is characterized by a “Capability Security Level” (SL-C).

The AO then evaluates the system implementation to verify whether the “Achieved Security Level” (SL-A) meets the requirements previously set forth, that is, whether SL-A is greater than or equal to SL-T. Compensating countermeasures (both technical and procedural) are repeatedly applied at the system level or in processes and procedures until the goal is fully achieved.

Using components whose development process and technical contents are certified according to the ISA/IEC 62443 Tier 4 standards allows Asset Owners and System Integrators to perform their IACS integration, implementation and risk management activities more efficiently, more effectively and with a greater degree of confidence in the security of the resulting system.