ISA-IEC-62443 Questions and Answers

In the OSI model, the Data Link layer (Layer 2) is responsible for error detection/correction and for assigning and handling MAC (Media Access Control) addresses, which are unique identifiers for network interfaces. This layer ensures reliable transmission of data frames between devices on the same local network. The Network layer (Layer 3) handles IP addressing and routing, not MAC addresses.

The NIST CSF is a voluntary framework that provides a set of standards, guidelines, and best practices to help organizations manage cybersecurity risks. The NIST CSF consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function is further divided into categories and subcategories that describe specific outcomes and activities. The NIST CSF also provides informative references that link the subcategories to existing standards, guidelines, and practices that can help organizations achieve the desired outcomes. The informative references are not mandatory or exhaustive, but rather serve as examples of possible sources of guidance. The ISA 62443 standards are used as informative references in the NIST CSF v1.0 for several subcategories, especially in the Protect and Detect functions. The ISA 62443 standards are a series of standards that provide a framework for securing industrial automation and control systems (IACS). The ISA 62443 standards cover various aspects of IACS security, such as terminology, concepts, requirements, policies, procedures, and technical specifications. The ISA 62443 standards are aligned with the NIST CSF in terms of the core functions and the risk-based approach. Therefore, the ISA 62443 standards can provide useful guidance and best practices for organizations that use IACS and want to implement the NIST CSF. References:

NIST Cybersecurity Framework - Official Site1

Framework for Improving Critical Infrastructure Cybersecurity - Version 1.02

ISA/IEC 62443 Standards - Official Site3

ISA/IEC 62443 Compliance & Scoring | Centraleyes4

The selection of countermeasures is driven by the output from a risk assessment, which identifies the risks and their associated likelihood and consequences for each zone and conduit in the industrial automation and control system (IACS). The risk assessment also determines the target security level (SL-T) for each zone and conduit, which represents the desired level of protection against the identified threats. The countermeasures are then selected based on the SL-T and the existing security level (SL-A) of the zone and conduit, as well as the cost and feasibility of implementation. The countermeasures should aim to reduce the risk to an acceptable level by increasing the SL-A to meet or exceed the SL-T. References: ISA/IEC 62443-3-2:2018 - Security risk assessment for system design, ISA/IEC 62443-3-3:2013 - System security requirements and security levels, ISA/IEC 62443 Cybersecurity Fundamentals Specialist Training Course

 Access control is the process of granting or denying specific requests to obtain and use information and related information processing services. It is one of the foundational requirements (FRs) of the ISA/IEC 62443 standards for securing industrial automation and control systems (IACSs). According to the ISA/IEC 62443-3-3 standard, access control includes the following system requirements (SRs):

SR 1.1: Identification and authentication control

SR 1.2: Use control

SR 1.3: System integrity

SR 1.4: Data confidentiality

SR 1.5: Restricted data flow

SR 1.6: Timely response to events

SR 1.7: Resource availability

Among these SRs, the ones that are most related to the critical variables of account management and password strength are SR 1.1 and SR 1.2. SR 1.1 requires that the IACS shall provide the capability to uniquely identify and authenticate all users, processes, and devices that attempt to establish a logical connection to the system. This means that the IACS should have a robust account management system that can create, modify, delete, and monitor user accounts and their privileges. It also means that the IACS should enforce strong password policies that can prevent unauthorized access or compromise of user credentials. Password strength refers to the level of difficulty for an attacker to guess or crack a password. It depends on factors such as length, complexity, randomness, and uniqueness of the password.

SR 1.2 requires that the IACS shall provide the capability to enforce the use of logical connections in accordance with the security policy of the organization. This means that the IACS should have a mechanism to control the access rights and permissions of users, processes, and devices based on their roles, responsibilities, and needs. It also means that the IACS should have a mechanism to audit and log the activities and events related to access control, such as successful or failed login attempts, password changes, privilege escalations, or unauthorized actions.

Therefore, account management and password strength are the critical variables related to access control, as they directly affect the identification, authentication, and authorization of users, processes, and devices in the IACS.

 According to the ISA/IEC 62443 Cybersecurity Fundamentals Specialist resources, patches are software updates that fix bugs, vulnerabilities, or improve performance of a system. Patches are classified into three categories based on their urgency and impact: low, medium, and high. Low priority patches are those that have minimal or no impact on the system functionality or security, and can be applied at the next scheduled maintenance. Medium priority patches are those that have moderate impact on the system functionality or security, and should be applied within a reasonable time frame, such as three months. High priority patches are those that have significant or critical impact on the system functionality or security, and should be applied as soon as possible, preferably at the first unscheduled outage. Applying patches in a timely manner is a best practice for maintaining the security and reliability of an industrial automation and control system (IACS). References:

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, Section 4.3.2, Patch Management

ISA/IEC 62443-2-1:2009, Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program, Clause 5.3.2.2, Patch management

ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels, Clause 4.3.3.6.2, Patch management

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of individual users within an organization. RBAC assigns permissions and responsibilities to roles, rather than to individual users, and then assigns users to those roles. This way, users can only perform the actions that are relevant and necessary for their role, and not access or modify any other resources that are beyond their scope of authority. RBAC is one of the security countermeasures that can be implemented in a defense-in-depth strategy, which is a layered approach to protect industrial automation and control systems (IACS) from cyber threats. RBAC can help prevent unauthorized access, misuse, or sabotage of IACS resources, as well as reduce the risk of human error or insider attacks.

The Triton (also known as Trisis) malware specifically targeted and compromised Safety Instrumented Systems (SIS), disabling the emergency shutdown capabilities at a petrochemical plant. This attack demonstrated that safety systems, once considered isolated and secure, are vulnerable to sophisticated, targeted cyberattacks. Neither Zeus, Stuxnet, nor WannaCry had this specific impact on emergency shutdown safety systems.

Security Levels (SLs) are a way of expressing the security performance of an industrial automation and control system (IACS) or its components. SLs are broken down into three types: target, capability, and achieved1.

Target SL is the level of security performance that is required for a system or component to protect against a specific threat scenario. The target SL is determined by conducting a risk assessment that considers the likelihood and impact of potential security incidents1.

Capability SL is the level of security performance that a system or component can provide based on its design and implementation. The capability SL is determined by evaluating the security functions and features of the system or component against a set of security requirements1.

Achieved SL is the level of security performance that a system or component actually provides in its operational environment. The achieved SL is determined by verifying that the system or component is properly installed, configured, maintained, and monitored1.

Malware incidents are cited in ISA/IEC 62443 documentation and industry case studies as one of the primary causes of cyber-related production losses in process control environments. Such incidents can result in equipment shutdowns, process interruptions, and loss of visibility or control, leading directly to financial and operational impacts. While human error and hardware failure are also causes of downtime, in the context of “cyber-related” incidents, malware is the main contributor.

According to the ISA/IEC 62443-3-2 standard, implementing countermeasures is one of the steps in the security risk assessment for system design. The standard defines a comprehensive set of engineering measures to guide organizations through the process of assessing the risk of a particular industrial automation and control system (IACS) and identifying and applying security countermeasures to reduce that risk to tolerable levels. The standard recommends the following steps for implementing countermeasures:

Establish the risk tolerance: This step involves determining the acceptable level of risk for the organization and the system under consideration, based on the business objectives, legal and regulatory requirements, and stakeholder expectations. The risk tolerance can be expressed as a target security level (SL-T) for each zone or conduit in the system.

Select common countermeasures: This step involves selecting the appropriate security countermeasures for each zone or conduit, based on the SL-T and the existing security level (SL-A) of the system. The standard provides a list of common countermeasures for each security level, covering the domains of physical security, network security, system security, and application security. The selected countermeasures should be documented and justified in the security risk assessment report. References: ISA/IEC 62443 Cybersecurity Series Designated as IEC Horizontal Standards, Cybersecurity Risk Assessment According to ISA/IEC 62443-3-2

ISA/IEC 62443-3-3 provides the list of Foundational Requirements (FRs) for IACS cybersecurity, mapping security controls to each FR to address risks identified during the risk assessment process. The seven FRs include: Identification & Authentication Control (IAC), Use Control (UC), System Integrity (SI), Data Confidentiality (DC), Restricted Data Flow (RDF), Timely Response to Events (TRE), and Resource Availability (RA).

Monitoring and improving a Cybersecurity Management System (CSMS) as per ISA/IEC 62443 standards involves several key activities that ensure the system remains effective and responsive to emerging threats. Two critical elements of this ongoing process are:

A. Increase in staff training and security awareness: Regular training and increasing security awareness among staff are vital to maintaining a secure operating environment. This proactive measure helps in reducing human error and enhancing the ability to respond effectively to cybersecurity incidents.

D. Review of system logs and other key data files: Continuous review and analysis of system logs and other relevant data files are essential for detecting, investigating, and responding to potential security incidents. This monitoring helps in identifying anomalies that may indicate a security breach or operational issues needing attention.

The asset model is used in ISA/IEC 62443 to represent and describe the relationships and dependencies between different assets in an IACS environment. This model helps organizations identify and document assets, their interconnections, and their significance for operational and cybersecurity purposes. The zone model builds upon the asset model for segmentation, but the asset model itself establishes the foundational relationships.

The four documents classified under the General category of ISA/IEC 62443 are:

Part 1-1: Terminology, concepts, and models

Part 1-2: Master glossary of terms and definitions

Part 1-3: System security conformance metrics

The ISA/IEC 62443 standards are divided into four main groups: General, Policies and Procedures, System, and Component. The first group, “General,” includes foundational standards and technical reports that provide essential concepts, models, terminology, and overall guidance for the rest of the series. This includes parts such as 62443-1-1 (concepts and models), 1-2 (glossary), 1-3 (metrics), and 1-4 (security lifecycle and use cases).

ISA/IEC 62443-2-1 emphasizes the importance of the ongoing evaluation of organizational responsibilities and training as part of continuous improvement within the CSMS. Periodic assessment ensures that personnel remain aware of their roles, are adequately trained, and that the program adapts to changes in the environment, technology, or threat landscape. The standard discourages keeping responsibilities static or expanding without control; instead, it advocates for regular reviews and updates.

ISA/IEC 62443-3-2 is titled “Security risk assessment for system design” and provides a methodology for performing cybersecurity risk assessments and for the design of security zones and conduits within IACS. It describes how to identify assets, assess threats and vulnerabilities, assign Security Levels (SLs), and develop a security design based on risk.

One of the trends that has increased the security risks for industrial automation and control systems (IACS) is the integration of these systems with business and enterprise systems, such as enterprise resource planning (ERP), manufacturing execution systems (MES), and supervisory control and data acquisition (SCADA). This integration exposes the IACS to the same threats and vulnerabilities that affect the business and enterprise systems, such as malware, denial-of-service attacks, unauthorized access, and data theft. Moreover, the integration also creates new attack vectors and pathways for adversaries to compromise the IACS, such as through remote access, wireless networks, or third-party devices. Therefore, the integration of IACS with business and enterprise systems is a trend that has caused a significant percentage of security vulnerabilities. References: ISA/IEC 62443 Standards to Secure Your Industrial Control System, page 1-2.

 Layer 2 of the OSI model is the data link layer, which is responsible for transferring data frames between nodes on a network segment. The data link layer is divided into two sublayers: logical link control (LLC) and media access control (MAC). The LLC sublayer deals with issues common to both dedicated and broadcast links, such as framing, flow control, and error control. The MAC sublayer deals with issues specific to broadcast links, such as how to access the shared medium and avoid collisions. The LLC and MAC sublayers are not related to the ISA/IEC 62443 cybersecurity standards, which focus on the security of industrial automation and control systems (IACS). References: https://www.baeldung.com/cs/data-link-sub-layers

https://bing.com/search?q=Layer+2+sublayers

Multiuser accounts and shared passwords are accounts and passwords that are used by more than one person to access a system or a resource. They inherently carry the risk of unauthorized access, which means that someone who is not authorized or intended to use the account or password can gain access to the system or resource, and potentially compromise its confidentiality, integrity, or availability. For example, if a multiuser account and password are shared among several operators of an industrial automation and control system (IACS), an attacker who obtains the password can use the account to access the IACS and perform malicious actions, such as changing the system settings, deleting data, or disrupting the process. Multiuser accounts and shared passwords also make it difficult to track and audit the activities of individual users, and to enforce the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks. Therefore, the ISA/IEC 62443 standards recommend avoiding the use of multiuser accounts and shared passwords, and instead using individual accounts and strong passwords for each user, and implementing authentication and authorization mechanisms to control the access to the IACS. References:

ISA/IEC 62443-3-3:2013 - Security for industrial automation and control systems - Part 3-3: System security requirements and security levels1

ISA/IEC 62443-2-1:2009 - Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program2

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Training Course3

Shared passwords and multiuser accounts pose specific risks, notably unauthorized access and privilege escalation. In ISA/IEC 62443's framework, these practices are discouraged because they complicate the attribution of actions to individual users and increase the likelihood that accounts can be used beyond their intended scope. Unauthorized access occurs when individuals exploit the shared nature of an account to gain entry to systems or data that they should not access. Privilege escalation can happen when users leverage shared accounts to perform actions at higher permission levels than those assigned to their personal accounts. Conversely, buffer overflows and race conditions are types of vulnerabilities or programming errors, not directly associated with the risks of multiuser accounts or shared passwords.

A Wide Area Network (WAN) is a communications system that covers a large geographic area, such as a city, a country, or even several countries or continents1. WANs are often used to connect local area networks (LANs) and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations2. WANs use various communication infrastructures, such as public telephone lines, undersea cables, and communication satellites, to transmit data over long distances1. WANs are typically established with leased telecommunication circuits or less costly circuit switching or packet switching methods2. WANs are often built by Internet service providers, who provide connections from an organization’s LAN to the Internet2. The Internet itself may be considered a WAN2. References: Hardware and network technologies - CCEA LAN and WAN - BBC, Wide area network - Wikipedia.

Transport Layer Security (TLS) is the standard protocol for securing web communications, including HTTP over TLS (HTTPS) in web browsers. TLS provides encryption, authentication, and data integrity, and has replaced SSL as the primary means of securing browser-based communications.

ISA/IEC 62443 defines “defense in depth” as a layered approach to security. This can be accomplished by implementing zones within zones (sometimes called subzones), where each zone or subzone provides an additional security barrier or control layer. This segmentation restricts an attacker's ability to move laterally and ensures that compromise of one zone does not automatically result in compromise of the entire system.

 OPC Classic uses DCOM, which dynamically assigns any port between 1024 and 65535. Comprehensive Explanation: OPC Classic is a software interface technology that uses the Distributed Component Object Model (DCOM) protocol to facilitate the transfer of data between different industrial control systems. DCOM is a Microsoft technology that allows applications to communicate across a network. However, DCOM is not designed with security in mind, and it poses several challenges for firewall configuration. One of the main challenges is that DCOM does not use fixed TCP port numbers, but rather negotiates new port numbers within the first open connection. This means that intermediary firewalls can only be used with wide-open rules, leaving a large range of ports open for potential attacks. This makes OPC Classic very “firewall unfriendly” and reduces the security and protection they provide. References:

Tofino Security OPC Foundation White Paper

Step 2 (for client or server): Configuring firewall settings - GE

Secure firewall for OPC Classic - Design World

The ISA/IEC 62443 series organizes documents into categories: General, Policies and Procedures, System, and Component. The document titled "Patch management in the IACS environment" is part of the Policies and Procedures group (specifically, ISA/IEC 62443-2-3). This group addresses processes, procedures, and organizational measures for cybersecurity in industrial automation and control systems (IACS), including topics like patch management, which deals with evaluating, testing, and installing updates or patches to reduce vulnerabilities in control systems.

Foundational Requirement 6 (FR 6), Timely Response to Events (TRE), as described in ISA/IEC 62443-3-3, requires that the system detect and respond to security-relevant events, including notifying the proper authority or personnel about security violations in a timely manner. This enables rapid incident response, containment, and recovery actions, all of which are critical to minimizing damage.

 The abbreviation CSMS stands for Cyber Security Management System in ISA 62443-2-1. This standard defines the elements necessary to establish a CSMS for industrial automation and control systems (IACS) and provides guidance on how to develop those elements123. A CSMS is a collection of policies, procedures, practices, and personnel that are responsible for ensuring the security of IACS throughout their lifecycle24. References: 1: ISA/IEC 62443 Series of Standards - ISA 2: ISA 62443-2-1 - Security for industrial automation and control systems, Part 2-1: Establishing an Industrial Automation and Control Systems Security Program | GlobalSpec 3: IEC 62443-2-1:2010 | IEC Webstore | cyber security, smart city 4: Structuring the ISA/IEC 62443 Standards - ISAGCA

Programmable Logic Controllers (PLCs) were originally designed to replace relay-based control systems in industrial automation. Early manufacturing and process control systems relied on hard-wired relays, timers, and sequencers, which were inflexible and difficult to modify. PLCs offered a software-based alternative that could easily be reprogrammed for various automation tasks, making plant operations more efficient and flexible. Their purpose was not specifically to enhance network security or Ethernet functionality, but rather to modernize and simplify control logic implementation.

ISA/IEC 62443-2-5 provides requirements and guidance specifically for service providers (such as those delivering IACS-related managed services, maintenance, or cybersecurity services). While system integrators and asset owners use this guidance, its main audience is service providers, ensuring that their procedures align with cybersecurity best practices for IACS.

ISA/IEC 62443 recommends using a firewall to segment and protect the plant floor (Operational Technology or OT network) from the rest of the company’s Information Technology (IT) networks. Firewalls enforce security policies by controlling and monitoring traffic, helping to prevent unauthorized access and potential threats from traversing between business and control networks. Hubs and switches do not provide security; routers may offer some basic filtering, but firewalls are explicitly designed for this purpose.

Cybersecurity awareness programs are most effective when tailored to the organization’s audience, are aligned with corporate policies, and are communicated regularly. ISA/IEC 62443-2-1 emphasizes the importance of ongoing cybersecurity training and awareness, customized to different user roles, as a critical factor in reducing human-related security risks.

 According to the IEC 62443 standard, a capability security level (SL-C) is defined as “the security level that a component or system is capable of meeting when it is properly configured and protected by an appropriate set of security countermeasures” 1. A component or system can have different SL-Cs for different security requirements, depending on its design and implementation. The SL-C is determined by testing the component or system against a set of security test cases that correspond to the security requirements. The SL-C is not dependent on the actual operational environment or configuration of the component or system, but rather on its inherent capabilities. References:

IEC 62443 - Wikipedia

 According to the ISA/IEC 62443 Cybersecurity Fundamentals Specialist course, establishing policy, organization, and awareness is one of the four steps of the IACS cybersecurity lifecycle. This step involves defining the cybersecurity policies, roles, and responsibilities, as well as communicating them to the relevant stakeholders. It also involves establishing the risk tolerance level, which is the acceptable level of risk for the organization. Communicating policies and establishing the risk tolerance are both activities that are part of this step. Identifying detailed vulnerabilities and implementing countermeasures are activities that belong to the next steps of the lifecycle, which are assessing the current situation and implementing the cybersecurity program, respectively. References: ISA/IEC 62443 Cybersecurity Fundamentals Specialist course, Module 2: IACS Cybersecurity Lifecycle1

A Local Area Network (LAN) is not a strategy for deploying a Wide Area Network (WAN). WAN deployment strategies include using the public Internet, private enterprise WANs, or carrier-managed WANs. LANs, by definition, serve local, not wide-area, connectivity. ISA/IEC 62443 standards refer to different strategies for extending network communications over broader geographic regions, but do not classify LAN as a WAN deployment option.

A security conduit is a logical or physical grouping of communication channels connecting two or more zones that share common security requirements1. A zone is a grouping of systems and components based on their functional, logical, and physical relationship that share common security requirements1. Therefore, a security conduit consists of assets that enable or facilitate communication between zones, such as wiring, routers, switches, and network management devices. Controllers, sensors, transmitters, and final control elements are examples of assets that belong to a zone, not a conduit. Ferrous, thickwall, and threaded conduit including raceways are physical structures that may enclose or protect wiring, but they are not part of the communication channels themselves. Power lines, cabinet enclosures, and protective grounds are also not part of the communication channels, but rather provide power or protection to the assets in a zone or a conduit. References: 1: Key Concepts of ISA/IEC 62443: Zones & Security Levels | Dragos

The “Maintain” phase is the fourth phase of the IACS Cybersecurity Lifecycle described in ISA/IEC 62443-2-1. A key activity in this phase is managing changes (also known as “change management”). This activity ensures that any modifications to the IACS environment (hardware, software, processes, etc.) are evaluated for cybersecurity impact, and proper controls are implemented to maintain the intended security posture. While risk assessment is typically done in the Assess phase, and allocating assets and designing countermeasures belong to earlier phases, managing changes is essential for ensuring ongoing compliance and effectiveness of cybersecurity controls over time.

Application whitelisting (AWL) is a technique that allows only authorized applications to run on a system, and blocks any unauthorized or malicious code from executing. AWL is one of the most effective methods for preventing malware infections and reducing the attack surface of a system. AWL can be implemented at different levels, such as the operating system, the network, or the application itself. AWL is especially useful for industrial automation and control systems (IACS), which often run on legacy or proprietary platforms that are not compatible with traditional antivirus software or other security solutions. AWL can also help protect IACS from zero-day attacks, which exploit unknown vulnerabilities that have not been patched or detected by security vendors. AWL is recommended by the ISA/IEC 62443 standards as a key component of malicious code protection for IACS. According to the standards, AWL should be applied to all IACS components that support it, and should be configured and maintained according to the security policies and procedures of the organization. AWL should also be complemented by other security measures, such as network segmentation, zones and conduits, and patch management, to provide a defense-in-depth approach to IACS security. References:

ISA/IEC 62443-3-3:2013, System security requirements and security levels, Section 5.2.3.41

ISA/IEC 62443-2-1:2010, Establishing an industrial automation and control systems security program, Section 4.3.3.6.42

ISA/IEC 62443-4-2:2019, Technical security requirements for IACS components, Section 4.2.3.43

ISA/IEC 62443-3-2:2020, Security risk assessment for system design, Section 7.3.3.44

ISA/IEC 62443-4-1:2018, Product development requirements, Section 5.2.3.45

Packet filter firewalls, as defined by ISA/IEC 62443 standards on cybersecurity, primarily examine the source, destination, and ports in the header of each packet. This type of firewall does not inspect the packet content deeply (such as its structure or sequence) or maintain awareness of the relationships between packets in a session. Instead, it operates at a more superficial level, filtering packets based solely on IP addresses and TCP/UDP ports. This approach allows packet filter firewalls to quickly process and either accept or block packets based on these predefined criteria without delving into the complexities of session management or the content of the packets up to the application layer.

Packet filter, application proxy, and stateful inspection are all recognized types or classes of firewalls in both IT and industrial control environments. A network monitor, on the other hand, is not considered a firewall but rather a tool for observing and analyzing network traffic. It does not provide firewall-like controls for blocking or allowing traffic.

IACS stands for “Industrial Automation and Control Systems.” The ISA/IEC 62443 series defines IACS as systems used for industrial automation, process control, and related functions. These include systems such as Distributed Control Systems (DCS), SCADA systems, and PLCs. The term encompasses all electronic systems, networks, and equipment used to automate industrial processes.