Thomas Burke, longtime President of the OPC Foundation, had the best answer to this question in a podcast interview with Walker Reynolds.
“Success is measured by the level of adoption. That’s the key, when you go do anything with industry standards they’ve got to be worth more than the paper they’re printed on.”
Tom and the OPC Foundation succeeded wildly by this measure with OPC DA, aka OPC Classic. Almost every product over the past two decades has an OPC Classic interface. OPC became the universal translator between disparate ICS for a huge percentage of asset owners. Massive adoption.
OPC UA is a behemoth set of standards documents. Thousands of pages covering a wide range of capabilities. It’s huge compared to OPC Classic. How successful is OPC UA? Walker Reynolds said,
“I spent over $100,000 on, we basically itemized the entire specification … and then we went out and tried to find products for each function in the complete UA specification … only about 20% of the OPC specification, the full UA specification, has been adopted.”
To be fair, the 20% that is implemented looks like it will be highly successful, while the 80% looks like it won’t be successful by the adoption measure. Rather than pushing for adoption of that 80%, the OPC Foundation is adding even more capabilities.
How do ICS security standards rate on this adoption-as-success measure?
The NERC CIP standards would rate high based on adoption. This isn’t really fair since it’s a regulation. Adoption is mandatory for bulk electric systems meeting threshold criteria, and many utilities tried to keep their systems below that threshold.
IEC 62443 looks a lot more like OPC UA. 62443 has numerous long standards and technical reports … and adoption for most of it is small.
Comparing OPC UA and 62443 isn’t an apples-to-apples comparison. Short of the ISASecure certifications for specific parts of the standard, it is hard to determine if 62443 is adopted. Being mentioned as a guiding principle isn’t adoption.
Perhaps the percentage of a sector that is ISASecure certified is the best measure of adoption. ISASecure currently has posted certified vendors to three standards (listed in order of adoption):
IEC 62443-4-1 Certified Development Organizations (does your SDL meet the standard)
IEC 62443-4-2 Certified Components
IEC 62443-3-3 Certified Systems
These are vendor certifications. ISASecure is working on an asset owner Site Assessment Program that would test adoption of parts of four different 62443 standards. This will be a tough sell unless there is some clear value such as being accepted as evidence of meeting a regulatory requirement or playing some role in insurance underwriting.
If you agree with Tom Burke that adoption is the measure of success for a standard, then the groups behind OPC UA, 62443 and any other standard should prioritize activities that will grow adoption over further extending the standard family.