Steering on utilizing ISA/IEC 62443 for IIoT initiatives



With the growing proliferation of Industrial Web of Issues (IIoT) methods and cloud companies for innovation and digital transformation, authorities businesses and industrial clients are confronted with defending an increasing assault floor. The ISA/IEC 62443 collection of requirements had been written earlier than IIoT applied sciences had been widespread however present a robust foundation for securing these environments. On this weblog, we talk about the ISA/IEC 62443 requirements, what’s altering within the requirements, and certifications to assist the usage of IIoT in Industrial Automation and Management Programs (IACS).


The ISA/IEC 62443 collection of requirements are developed collectively by ISA99 and IEC to deal with the necessity to design cybersecurity robustness and resilience into IACS. The aim in making use of the 62443 collection is to enhance the security, availability, integrity and confidentiality of parts or methods used for industrial automation and management. As well as, they supply standards for procuring and implementing safe industrial automation and management methods. Conformance with the necessities of the 62443 collection is meant to enhance cyber safety and assist determine and deal with vulnerabilities, decreasing the danger of compromising confidential data or inflicting degradation or failure of the gear ({hardware} and software program) of processes underneath management. The 62443 collection builds on established requirements for the safety of general-purpose data know-how (IT) methods (e.g., the ISO/IEC 27000 collection), figuring out and addressing the necessary variations current in IACS. Many of those variations are based mostly on the truth that cyber safety dangers with IACS might have Well being, Security, or Setting (HSE) implications and the response needs to be built-in with different current danger administration practices.

ISA/IEC 62443 is “consensus-based,” complete, and broadly used throughout industries. Right this moment, the rising availability of IIoT has widened the array of applied sciences and methodologies out there to be used in industrial automation environments. This development will increase the assault floor, which inherently will increase the danger of compromise in these environments. To safe environments that use IIoT in IACS, an intensive understanding of IACS cybersecurity lifecycle is helpful. The ISA/IEC 62443 collection can present a risk-based, defense-in-depth, and performance-based strategy that may help asset homeowners and their service suppliers in navigating the usage of IIoT in industrial automation and management methods.

Understanding the ISA/IEC 62443 Requirements

ISA/IEC 62443, formally ANSI/ISA/IEC 62443, is a set of requirements and technical experiences that cope with industrial cybersecurity. Holistically, ISA/IEC 62443 is designed to assist asset homeowners (finish customers), system integrators, and producers cut back the danger of deploying and working an IACS. Determine 1 offers an thought of the totally different components of the usual. You possibly can see that it’s a multi-part commonplace.

Figure 1: ISA/IEC 62443 documents (Courtesy of ISA)

Determine 1: ISA/IEC 62443 paperwork (Courtesy of ISA)

These paperwork are organized in 4 teams, akin to the first focus and meant viewers/function. It’s useful to think about the construction of those requirements and the way the hierarchy defines the roles and duties for offering a sturdy IACS safety posture.

  1. Common – This group consists of paperwork that deal with subjects which are widespread to your complete collection.
  2. Insurance policies and Procedures – Paperwork on this group concentrate on the insurance policies and procedures related to IACS safety.
  3. System Necessities – The paperwork within the third group deal with necessities on the system degree.
  4. Part Necessities – The fourth and ultimate group consists of paperwork that present details about the extra particular and detailed necessities related to the growth of IACS merchandise.

The advantage of these requirements is that asset homeowners can extra simply (than on their very own) outline a required safety degree that references to a selected menace degree, a measure that gives tighter safety controls for larger danger capabilities. The profit for service suppliers is that the requirements present clear specific language of the necessities specified from the tip person. And the profit for product or element producers is that they will extra clearly describe the performance of their merchandise (from a safety perspective) and differentiate themselves competitively, all of which is best than merely offering a protracted checklist of security measures.

PERA mannequin and ISA TR 62443-4-3 (draft)

Right this moment, with the rising use of IIoT in Operational Know-how (OT) environments, there’s a want for the requirements to be up to date to assist IIoT. Although the requirements had been written earlier than IIoT applied sciences had been widespread, most ideas stay relevant or could be tailored for that surroundings. ISA 99 Working Group 9 revealed a Technical Report ISA TR 62443-4-3 (draft) which IEC calls IEC PAS 62443-4-3 (draft) which deal with the usage of IIoT know-how in IACS.

Beforehand, the Purdue Enterprise Reference Structure (PERA) popularly known as the Purdue Mannequin was used as a reference mannequin for IACS. That mannequin was rooted in a number of assumptions about know-how and connections that IIoT know-how can upset. With the appearance of IIoT know-how, the norms of the PERA mannequin have been blurred as standard considering of bodily community segregation and ranges of performance are modified by the internet-connected nature of IIoT know-how.  IIoT know-how has not rendered the mannequin’s illustration of performance obsolescent however has blurred the community structure analogy made throughout the Nineties on the place these functionalities can reside. For instance, in that mannequin, the units at Degree 0 (the sphere degree) weren’t as sensible and had no connectivity on to exterior methods. Right this moment, nevertheless, a small temperature or vibration sensor can be an IIoT machine, that may connect with the cloud instantly, bypassing all larger ranges of the PERA mannequin. The PERA mannequin was used to explain performance of current IACS, but it surely started for use as a mannequin to implement a secured structure, which was not initially envisaged.

Figure 2: IIoT upsets the traditional Purdue (PERA) model (Adapted from ISA/IEC 62443-4-3 (draft))

Determine 2: IIoT upsets the standard Purdue (PERA) mannequin (Tailored from ISA/IEC 62443-4-3 (draft))

Assessing OT and IIoT cybersecurity danger, gives an instance of zones and conduits in IACS with IIoT methods and discusses how asset homeowners can use ISA/IEC 62443-3-2, Safety Threat Evaluation for System Design. This can be a key step within the danger evaluation course of by partitioning the System Underneath Consideration (SUC) into separate Zones and Conduits. The intent is to determine these belongings which share widespread safety traits with a purpose to set up a set of widespread safety necessities that cut back cybersecurity danger. Partitioning the SUC into Zones and Conduits also can cut back general danger by limiting the affect of a cyber incident. Zone and conduit diagrams can help in detailed IIoT cyber safety danger assessments and assist in figuring out threats, and vulnerabilities, figuring out penalties and dangers and offering remediations or management measures to safeguard belongings from cyber occasions.

The draft Technical Report 62443-4-3 gives a number of examples of safety capabilities which could be supplied by Cloud Suppliers which asset homeowners can reap the benefits of for securing their IIoT options to attain their safety degree targets. Seek advice from the desk enclosed for an outline of those safety capabilities and AWS sources out there to asset homeowners:

IIoT cloud-based performance (CBF) Safety Controls Clarification
Id administration

Cloud suppliers can present identification administration capabilities for IIoT. These capabilities can embody each the administration of identification for units in addition to authentication and authorization for person entry.

EXAMPLE: The cloud service supplier can assist the usage of {hardware} safety modules (HSM), rotation of credentials.

AWS sources

AWS gives the next belongings and companies to assist with identification administration:

  1. Safety and Id for AWS IoT
  2. Amazon Cognito is a service that gives authentication, authorization, and person administration to your internet and cellular apps.
  3. AWS Id and Entry Administration (IAM) is a service that lets you handle entry to AWS companies and sources securely.
  4. Machine authentication and authorization for AWS IoT Greengrass.
  5. AWS Secrets and techniques Supervisor is a service that can be utilized to securely retailer and handle secrets and techniques within the cloud and encrypts the secrets and techniques utilizing AWS KMS.
  6. Figuring out IoT machine certificates with a revoked intermediate CA weblog
  7. Tips on how to handle IoT machine certificates rotation with AWS IoT weblog
  8. Enhancing IoT machine safety utilizing HSM and AWS IoT Machine SDK weblog
Authorization administration for parts

Cloud suppliers can present rights administration capabilities to manage entry and authorization throughout the cloud and, in some instances, to IIoT CBF gear.

AWS sources

AWS gives the next belongings and companies to assist with authorization administration for parts:

  1. Safety and Id for AWS IoT
  2. Amazon Cognito is a service that gives authentication, authorization, and person administration to your internet and cellular apps.
  3. AWS Id and Entry Administration (IAM) is a service that lets you handle entry to AWS companies and sources securely.
  4. Machine authentication and authorization for AWS IoT Greengrass.
  5. AWS IoT Core Authorization
Knowledge safety insurance policies Cloud suppliers can present capabilities to help asset homeowners in defending knowledge availability, integrity, privateness and confidentiality in IIoT CBF together with use of encryption for knowledge in transit and at relaxation.
EXAMPLE: Supporting asset proprietor’s knowledge classification and safeguardingAWS sourcesAWS gives the next belongings and companies to assist with knowledge safety:

  1. AWS Shared Duty Mannequin for safety and compliance.
  2. AWS Knowledge Privateness
  3. AWS Compliance Applications and Choices
  4. AWS Compliance Options Information
  5. AWS KMS lets you simply create and management the keys used for cryptographic operations within the cloud.
  6. Knowledge safety in AWS IoT SiteWise
  7. Amazon Macie to find and shield delicate IIoT knowledge at scale.
  8. Privateness Options of AWS Providers
Knowledge residency insurance policies

Cloud suppliers can present the aptitude for asset homeowners to determine residency controls for knowledge within the cloud.

AWS sources

AWS gives the next belongings and companies to assist with knowledge residency necessities:

  1. AWS International Infrastructure
  2. AWS Knowledge Residency whitepaper
  3. Addressing Knowledge Residency with AWS weblog
  4. AWS Outposts permits you to lengthen and run native AWS companies on premises
  5. AWS Hybrid Cloud companies extends AWS infrastructure and companies to on premises and on the edge
Safe communications administration

Cloud suppliers can provide companies equivalent to VPNs or different safe communication capabilities for IIoT CBF communications. These capabilities can embody a service to transform insecure automation protocols into safe communication protocols earlier than transmission.

AWS sources

AWS gives the next belongings and companies to assist with safe communications administration:

  1. AWS IoT SDKs that will help you securely and rapidly join units to AWS IoT.
  2. FreeRTOS Libraries for networking and safety in embedded functions.
  3. Safety finest practices for AWS IoT SiteWise
  4.  AWS Digital Personal Community (VPN) options set up safe connections between industrial crops and AWS international community.
  5. AWS Direct Join is a cloud service answer that makes it simple to determine a devoted community connection out of your premises to AWS.
  6. AWS IoT SiteWise gateway let you ingest knowledge utilizing industrial protocols equivalent to OPC-UA, Modbus TCP and Ethernet/IP, and many others.
  7.  Machine to Cloud Connectivity Framework
Audit and monitoring companies

Cloud suppliers can provide audit and monitoring capabilities for IIoT CBF, together with the flexibility to centrally log occasions and supply evaluation. This may additionally embody menace detection and habits anomalies.

AWS sources

AWS gives the next belongings and companies to assist with audit and monitoring:

  1. AWS IoT Machine Defender to watch and audit your fleet of IoT units.
  2. Monitoring AWS IoT with CloudWatch Logs to centralize the logs from all your methods, functions, and AWS companies that you just use, in a single, extremely scalable service.
  3. Logging AWS IoT API Calls with AWS CloudTrail to supply a document of actions taken by a person, a job, or an AWS service in AWS IoT.
  4. Monitoring with AWS IoT Greengrass logs
  5. AWS Config to evaluate, audit, and consider the configurations of your AWS sources.
  6. Amazon GuardDuty to constantly monitor for malicious exercise and unauthorized habits to guard your AWS accounts and workloads.
  7. AWS Safety Hub to automate AWS safety checks and centralize safety alerts.
  8. Implement safety monitoring throughout OT, IIoT and cloud weblog
Incident response

Cloud suppliers can present capabilities to complement asset proprietor’s incident response actions

AWS sources

AWS gives the next belongings and companies to assist with incident response:

  1. AWS Safety Incident Response Information
  2.  AWS Programs Supervisor gives a centralized and constant method to collect operational insights and perform routine administration duties.
  3.  Allow compliance and mitigate IoT dangers with automated incident response weblog
  4. AWS Incident response blogs
  5. AWS Buyer Incident Response Group weblog
Patch administration

Cloud suppliers can present patching capabilities for IIoT CBF gear.

AWS sources

AWS gives the next belongings and companies to assist with patch administration:

  1. FreeRTOS Over-the-Air Updates
  2. AWS IoT Greengrass Core Software program OTA Updates
  3. AWS IoT jobs to outline a set of distant operations that you just ship to and execute on a number of units related to AWS IoT.
  4. AWS Programs Supervisor Patch Supervisor automates the method of patching managed situations with each safety associated and different varieties of updates equivalent to working methods and functions.
  5. Schedule distant operations utilizing AWS IoT Machine Administration Jobs weblog
Safety analytics

Cloud suppliers can present the aptitude to determine anomalies to achieve insights on complicated occasions which can be utilized to enhance the safety posture of your IIoT Cloud Primarily based Performance (CBF). This may allow the asset proprietor to detect and reply to incidents in a well timed method.

AWS sources

AWS gives the next belongings and companies to assist with safety analytics:

  1. AWS IoT Machine Defender helps you determine and reply to IoT safety points
  2.  AWS IoT Occasions helps you detect and reply to occasions from IoT sensors and functions
  3. Amazon GuardDuty protects your AWS accounts with clever menace detection
  4.  Amazon Safety Lake helps you centralize safety knowledge for analytics
  5.  AWS companies for safety analytics
Backup and Restoration of OT and IIoT knowledge

Cloud suppliers can present backup and restoration choices for IIoT CBF knowledge.

AWS sources

AWS gives the next belongings and companies to assist with backup and restoration of OT and IIoT knowledge:

  1.  Resilience in AWS IoT Greengrass to assist assist knowledge resiliency and backup wants.
  2.  Backup and Restore Use Circumstances with AWS
  3. CloudEndure Catastrophe Restoration for quick and dependable restoration into AWS.
  4. AWS Backup to centrally handle and automate backups throughout AWS companies.
  5. Catastrophe Restoration for AWS IoT answer steering

Determine 3: Examples of safety capabilities supplied by cloud suppliers (from TR-62443-4-3) together with AWS companies and steering.

Different helpful AWS sources for asset homeowners embody the AWS Effectively Architected Framework, IoT Lens to design, deploy, and architect IIoT workloads aligned with architectural finest practices and AWS Safety Greatest Practices for Manufacturing OT whitepaper.

ISASecure IIoT Part Safety Assurance (ICSA)

The ISASecure program introduced a brand new ISASecure certification for Industrial Web of Issues (IIoT) parts based mostly on the ISA/IEC 62443 collection of requirements. The certification addresses the necessity for industry-vetted IIoT certification program. The ISASecure IIoT Part Safety Assurance (ICSA) is a safety certification program for IIoT units and IIoT gateways. ICSA relies upon the 62443 commonplace and a element that meets the necessities of the ISASecure ICSA specification will earn the ISASecure ICSA certification; a trademarked designation that gives recognition of product safety traits and capabilities, and gives an unbiased {industry} stamp of approval just like a ‘Security Integrity Degree’ Certification (ISO/IEC 61508). The ICSA relies on 62443-4-1 and 62443-4-2 with some exceptions and extensions. The extensions make clear the appliance of 62443 ideas to IIoT environments. Examples are creating “inner” zones utilizing compartmentalization applied sciences, controlling software of software program updates, securing distant administration, machine authentication power, and element resilience to cloud companies or the cloud interface. As well as, an ongoing safety upkeep audit is required to take care of certification. Cloud companies usually are not in scope for this certification.


Asset homeowners are more and more connecting OT to IT/Cloud and utilizing IIoT to enhance operational efficiencies and keep aggressive. This convergence of OT with IT introduces new dangers which must be correctly managed and is driving adjustments to ISA/IEC 62443 requirements and certifications. AWS is working actively with the ISA International Cybersecurity Alliance (ISAGCA), ISA Safety Compliance Institute (ISCI), the ISA99 requirements committee, and {industry} companions to replace the ISA/IEC 62443 collection of requirements and certifications to make sure that all events correctly deal with the rising IIoT safety necessities.

It may be useful to asset homeowners, IIoT product and system suppliers, and repair suppliers to concentrate on these evolving safety and compliance requirements ensuing from OT/IT convergence. The ISASecure IIoT Part Safety Assurance (ICSA) based mostly on the 62443 requirements is one instance. Feedback and suggestions on the TR 62443-4-3 (draft) and IEC PAS 62443-4-3 (draft) can present steering to ISA and IEC workgroup members to create necessities for brand new editions to the usual. Readers are inspired to affix numerous ISA 99 committees and dealing teams because it gives an incredible studying and networking alternative with {industry} friends along with getting early entry to paperwork such because the ISA TR 62443-4-3 (draft). Notice that the 62443-4-3 numbering might change when it turns into a part of the ISA/IEC 62443 requirements.

Further Studying

Sameer Kumar Headshot1.jpg

Ryan Dsouza

is a Principal Options Architect for industrial IoT at AWS. Primarily based in New York Metropolis, Ryan helps clients design, develop, and function safer, scalable, and progressive options utilizing the breadth and depth of AWS capabilities to ship measurable enterprise outcomes. Ryan has greater than 25 years of expertise in digital platforms, sensible manufacturing, power administration, constructing and industrial automation, OT/IT convergence and IIoT safety throughout a various vary of industries. Earlier than AWS, Ryan labored for Accenture, SIEMENS, Common Electrical, IBM, and AECOM, clients for his or her digital transformation initiatives.