What is in the standard
This standard addresses the issue of security for industrial automation and control systems (IACS), and outlines security requirements for control systems while assigning systems different security levels. Given that control systems are increasingly interconnected with non IACS (OT) networks – the increased connectivities introduce greater risk for cyber attack against control system hardware and software. These vulnerabilities could lead to health, safety and environmental consequences. The cyber security approach for IACS needs to consider functional requirements, risk assessments and operational issues. IACS security goals are different from IT security goals: IACS security measures must prevent the loss of essential services and emergencies. IT is more focused on protecting information rathar than human lives and physical assets.
The main objective of ISA 62443 series is to provide a framework that addresses security vulnerabilities in IACS and apply the necessary defensive mitigations. The intended audience is the IACS communities including asset owners, system integrators, product suppliers, service providers and compliance authorities. The goal is to define a common set of requirements to reach heightened security levels. There are seven foundational requirements for control systems: identification and suthentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Security measures applied to these requirements shall not cause loss of protection, loss of control or loss of view.
Relationship to Unidirectional Gateways
The standard mentions unidirectional gateways four times when prescribing security measures for restricted data flow, zone boundary protection, malicious code protection and denial of service protection. The standard recommends unidirectional gateways for networks controling the most important and most securitized assets within IACS. The standards also recommends segmenting networks in control system networks from non-control system networks to reduce exposure to threats to control system reliability.
The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. This standard recommends that networks protecting the most critical assets be identified as such and be protected by the most stringent methods, one of which being unidirectional gateways.