A draft of ISA-62443-3-2 is out for comment now. It was previously called Zones and Conduits, but the latest draft recommends a title change to Security Risk Assessment and System Design. The recommended new title is more accurate for the content.
Readers looking for some detailed guidance or requirements on performing a security risk assessment or designing a security architecture will be disappointed. This standard is primarily a process document that tells an owner/operator the tasks that must be done in a risk assessment, but doesn’t provide much information on how to do the tasks.
The positive spin on this document is that it provides a consistent process and terminology for performing an ICS risk assessment. For example, there is a specific list of information that must be documented for each zone and conduit in Section 4.4.3.1.
The negative spin is that it imposes requirements, “shalls”, without helping an owner/operator determine how to meet them. A few examples:
- 4.5.1.1 “A list of the threats that could affect the assets contained within the zone or conduit shall be developed.”
- 4.5.2.1 “The zone or conduit shall be analyzed in order to identify and document the known vulnerabilities in the zone or conduit access points and in the assets contained within the zone or conduit.”
- The outputs of the earlier shalls are then combined in a calculation, such as 4.6.1.1 “The residual risk calculated for each threat 4.5.5 shall be compared to the organization’s tolerable risk (specified in 4.3). Additional security countermeasures must be applied if the residual risk exceeds the tolerable risk.”
This document is high-level Risk Management 101. It is also a very short document and a quick read: about 5 pages once you strip out the formatting and definition sections and the example annex.
It may be unfair to look at this document in isolation. ISA99 has a large set of standards and technical reports in process that interlock to, hopefully, form a complete picture. In addition, future annexes (appendices) are hinted at that could provide guidance on how to achieve these mandatory requirements. This has started with a partially completed annex on a chemical truck loading example, and another annex is to be written with “several possible methodologies that can be used to assess the frequency of the threat hazard”.
There is some guidance on security zones: the standard recommends (shoulds) that control, safety, corporate, wireless, and mobile devices all be placed in their own zones. The remaining guidance is very broad, such as “The organization’s tolerable risk for the SuC should be included in the security requirements specification.”
It’s a draft, so there is still work to be done. Consider even the limited examples in this article: specifying the organization’s tolerable risk is optional (a “should” in the security requirements specification), yet it is then required by the “shall” in Section 4.6.1.1, which cannot be evaluated without it. ISA99 has a comment form and is very welcoming of any suggested improvements.
In summary, ISA-62443-3-2 isn’t going to be of much assistance to an owner/operator doing a risk assessment or a security design unless there is substantial work on the annexes. It will likely be a key component of the overall ISA99 standards framework nonetheless.
Image by SludgeGulper