NCS3 Study - Standard series ISA/IEC 62443: Use and experiences in the Swedish ICS community


  • Vidar Hedtjärn Swaling
  • Christoffer Wedebrand
  • Ann-Sofie Stenerus

Publish date: 2018-06-21

Report number: FOI-R--4601--SE

Pages: 41

Written in: Swedish


  • 62443
  • standards
  • cyber security
  • critical infrastructure


ISA/IEC 62443 is a standard that focuses on industrial control systems (ICS). Although major parts are still in development, it has already begun to be used in Sweden and internationally. The purpose of this report is to provide the Swedish Civil Contingencies Agency (MSB) with a greater understanding of the extent and application of the standard in Sweden, and thereby contribute to increasing its knowledge of the situation within the area of ICS. The use of the standard in Sweden is mapped through interviews with actors who have broad experience of a variety of areas. In addition, a comprehensive description of the content of ISA/IEC 62443 is provided. The standard is considered to offer several advantages, including that it covers the entire life cycle and is tailor-made for ICS, and that it defines different security levels that can be subjected to different requirements. Other reasons for the use of ISA/IEC 62443 and the attention paid to it are the changed set of requirements from clients, connected to industry's increasing exposure to cyber incidents, as well as the measures expected with the advent of the NIS Directive. Among the challenges that may need to be met are that it is not ISO-classified and that many of its sections are still being developed, while others risk becoming obsolete. A general challenge that has been highlighted is that since operators do not always see the economic benefits of cyber security standards, they are disinclined to implement them. Finally, a majority of the study participants state that ISA/IEC 62443 can, and should, be complemented by other standards. For example, ISA/IEC 62443 could be used on the physical level of detail, with focus on ICS, supplemented by ISO 27000 for the overall project methodology.