About every 18 months, I end up, as I am now, on a project where the asset owner wants to follow IEC 62443 security documents as closely as possible. As I re-read and use them, I’m struck by two things:
- There is a large amount of great content in the published and draft work. It’s truly the go-to source for detailed instruction on how. They are consensus-based documents and written for the generic ICS (or IACS in 62443-speak), so there are some concepts and many details I disagree with. And the utility of the documents varies quite a bit. Still, it is a rich resource and a major accomplishment for the dedicated working group members who have toiled on these documents for years.
- How poorly marketed the documents are. This useful hard work should be much more accessible rather than having to slog through reading multiple technical standards … at least as an entry point.
ISA showed self-awareness that the 62443 documents were not having the impact they should and created the ISA Global Cybersecurity Alliance in the summer of 2019 with a mission to address this:
“initiatives will include expanding the development and use of industry standards, creating education and certification programs, advocating for cybersecurity awareness and sensible approaches with world governments and regulatory bodies”
To their credit, the ISA GCA has put out two helpful documents this year that provide an overview. The latest is Security Lifecycles in the ISA/IEC 62443 Series (doesn’t appear to be linked yet), a very useful and needed paper written by Johan Nye. Still, at 19 pages and trying to encompass everything, it is hardly bite-size and is a tiny fraction of what is needed.
The solution is simple. Lots of content, in various media, in a variety of lengths, with different levels of detail, and created for a few identified roles. Simple, but compelling and effective content generation is a lot of work. (Of course, it’s a lot easier and more fun than writing ICS security standards.)
1-minute videos put up on YouTube, LinkedIn, … Podcasts with asset owners using 62443. Articles on a specific question the standards address. Infographics and funny posters. 62443 tip of the week. Video excerpts from the training classes. Perhaps excerpts from a juicy or funny working group discussion. We should be seeing fresh content practically every day. The good news is that there is a large and rich set of information in those 14 documents, as well as the process to create and maintain them, to draw from.
The challenge is that it requires ISA and those involved with 62443 to vary from their nature. If you are an organization or person who likes or can tolerate the detailed and slow-moving nature of consensus standards writing, then a 19-page document that likely took weeks or months to write/review/approve is a natural piece of content. Unfortunately, it is only one of twenty or so content pieces that should be coming out this month.
The ISA/IEC 62443 writing teams are proposing to do even more work than currently planned with a reorganization of the standards and additional documents. Hopefully the ISA GCA will spend a sizable portion of their budget on content creation to leverage this good work and achieve their mission. Hire some content creators who have the technical knowledge and set them loose.