PLC Security

The ISA99 committee has always been the most prolific of the ICS security standards and guidelines writing bodies, although NERC CIP may put up an argument. The coordination of the ISA99 and IEC-62443 efforts has only increased the pace as the international participation and contribution added resources to the Working Groups.

In a recent set of Working Group 5 minutes, the ISA99 leadership team announced that five draft documents are ready for broader review and comment. ISA99 plans to release the drafts in the following order, approximately two weeks apart.

  1. ISA-62443-3-2: Security Risk Assessment and System Design (Security Assurance Levels for Zones and Conduits)
  2. ISA-62443-4-1: Product Development Requirements
  3. ISA-TR62443-2-3: Patch Management in the IACS Environment
  4. ISA-62443-1-3: System Security Compliance Metrics
  5. ISA-TR62443-1-2: Master Glossary of Terms and Abbreviations

ISA-62443-3-2 is out now and is likely one of the most important documents that ISA99 has produced. I say likely because I haven’t read it in a while and the proposed title change is interesting. Does it represent a major shift in the purpose of the document, or does it just reflect that the document was covering more than zones and conduits? Setting up security zones with security perimeters and then regulating communication between these security zones (conduits) is typically the first task in an ICS security program. I’ll read the latest draft and have an article up on it on Thursday.

I’m also looking forward to the drafts on Product Development Requirements and System Security Compliance Metrics. You can see the audacious list of ISA99 work product.