ICS/OT Cybersecurity Standards and Guidelines

Overview

Improving the cybersecurity of industrial control and other operational technology (OT) systems has been a subject of focus for many years. Several standards, practices and guidelines are being used successfully by industrial organizations around the world.  Some are sector specific while others have a broader scope of application. Asset owners still require practical guidance in how to apply the available standards and guidelines.

The 2020 ARC Industry Forum included a workshop to discuss the current state of industrial cybersecurity standards and new developments occurring in this critical area. Panelists described some of these developments and explained how they can be applied to the problem. A dialog between speakers, panelists, and the audience followed.

Situation Improving

The current situation with respect to protecting industrial control systems and related operational technology (OT) systems is significantly better than it was when it first emerged as a concern almost twenty years ago. Most stakeholder groups - from asset owners in the critical infrastructure to suppliers, regulators, and other government agencies, are now more aware of the challenges.

However, the risk is ever present and changing. While the consequences have not changed significantly, there is broader acceptance that cyber-related incursions can trigger these consequences. Meanwhile, the threat and vulnerability components of risk continue to evolve, with new information emerging on a regular basis.

Several sector-specific and general standards, practices, and guidelines are available to industrial organizations. While these are certainly valuable as reference material, they are not sufficient. Asset owners still require practical guidance in how to apply the available standards and guidelines, as well as case studies that describe the experiences of – and lessons learned by – those who have already done so. In addition, trends like digital transformation, require continuous refinements and extensions to the recommended response.

ARC Industry Forum Workshop

The 2020 ARC Industry Forum in Orlando, Florida in February hosted an informal workshop prior to the main event to review the status of industrial cybersecurity and related guidance. Expert speakers and panelists described recent developments and current activities and explained how they can be applied to the problem. This was followed by a dialog with the audience, providing attendees with an opportunity to share questions, concerns, and observations based on their experiences.

Standards Definition

The first topic was a short update on the status of the ISA/IEC 62443 standards and current activities in the ISA99 committee. The committee co-chair addressed the following questions:

• What is in the 62443 standards?
• Who is using them?
• What are the standards based on?
• Where do things stand?

ISA/IEC 62443 is a series of international standards and associated technical reports that provide both normative requirements and supporting guidance on how to secure industrial automation and control systems (IACS) across a lifecycle that includes specification, development, implementation, operation, and support. They define specific responsibilities and accountability for all roles, including system suppliers, integrators, asset owners and service providers.

These standards are suitable for application in a wide variety of sectors, based on the risks faced and potential consequences. There are documented examples in not only process industries, but also transportation and building automation.

While there is still more to be done, most of these standards have been completed, with several already undergoing revision to reflect changing circumstances and lessons learned. The current focus of the committee is on improving consistency across the series and supplying additional case studies and practical application guidance.

ARC Advisory Group clients can view the complete report at ARC Client Portal   

If you would like to buy this report or obtain information about how to become a client, please Contact Us

Keywords: Guidelines, Industrial Control Systems, Practices, Standards, ARC Advisory Group.