ISO-27001, ISA/IEC-62443, and NIST CSF: Selecting the right standard/framework for your OT cybersecurity program
As part of a systematic approach to implementing a cybersecurity program, you need a set of standardized risk-mitigation strategies developed through the collective efforts of regulatory institutions, industry associations, government agencies, and technical experts. With the help of one or a combination of such well-defined procedures, organizations can not only reduce risk to an acceptable level, but can also track their progress, assess the gap between their current and targeted security levels, and improve the overall efficiency of their security program.
ISO/IEC 27001, the NIST Cybersecurity Framework, and ISA/IEC 62443 are among the most widely adopted standards and frameworks for securing IT and OT systems. None of them guarantees security on its own: what they provide is a structured, repeatable process, and the result depends on how honestly the risk assessment is done and how well the selected controls are implemented, verified, and maintained.
The turn of the millennium saw some of the earliest information security management standards (notably the British BS 7799) evolve into the ISO/IEC 27000 series; ISO/IEC 27001 itself was first published in 2005 and has become the most widely adopted standard for the requirements of an information security management system (ISMS). Dealing specifically with information security, ISO/IEC 27001 enables organizations to identify and prioritize their confidentiality, integrity, and availability requirements. At its heart is a plan-do-check-act cycle, normally referred to as the PDCA cycle, which traces its roots to quality management in production environments. (The 2013 revision no longer mandates PDCA explicitly, but the same continual-improvement logic is still the backbone of the standard.)
The plan-do-check-act cycle helps you establish the context of the organization and define the scope, objectives, required competences, and a documented policy. This is complemented by risk assessment, risk treatment planning, and the selection and implementation of controls. Continual monitoring and improvement then cater to the ongoing requirement of mitigating risk as the threat landscape and the organization change. In a nutshell, ISO/IEC 27001 guides organizations step by step to implement the required security controls and minimize risk through an iterative and scalable approach, with each cycle building on the findings of the last.
The need for OT security standards
IT and OT systems differ in their technological nature and in what they are protecting. An OT system typically prioritizes availability and physical safety over confidentiality, runs controllers and field devices with multi-decade lifecycles, speaks protocols that were designed without authentication, and often cannot be patched or rebooted outside planned outages. Many of the controls used to manage the security of IT systems are therefore not directly applicable to OT, and a different set of standards is needed to address the security needs of these environments and the safety consequences that follow from a compromise. ISA/IEC 62443 and NIST SP 800-82 are written specifically for industrial automation and control systems; the NIST Cybersecurity Framework is sector-agnostic but is widely used as the organizing structure for OT security programs.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) provides asset owners with overall direction for a security program rather than OT-specific controls. It is structured to help organizations streamline the required actions, define and prioritize a target state for current and anticipated risks, and manage the budget accordingly: a Current Profile describes what is in place today, a Target Profile describes where you want to be, and the gap between the two becomes the prioritized work plan. NIST CSF broadly guides its users towards implementing cybersecurity controls in line with its five core functions, Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, adds a sixth, Govern). Each function breaks down into categories and subcategories, and each subcategory carries informative references that point to the specific controls in other standards, which is how the CSF is used to organize, rather than replace, the standards below.
Among the many NIST publications, NIST SP 800-53 and NIST SP 800-82 are worth mentioning. NIST SP 800-53 provides a catalog of security and privacy controls for information systems and organizations, whereas NIST SP 800-82 (the Guide to Operational Technology Security, formerly the Guide to Industrial Control Systems Security) is used industry-wide for managing the cybersecurity requirements of OT systems. NIST SP 800-82 enables organizations to tailor the controls of NIST SP 800-53 via an OT 'overlay' that adjusts, supplements, or removes individual controls to fit OT-specific constraints such as the inability to patch promptly or to enforce interactive logon on a controller. Both documents are freely available from NIST and should be read together when an OT program is built on the 800-53 control catalog.
ISA/IEC 62443 drills further into the specifics of the implementation process. It was developed by the ISA99 committee independently of NIST CSF; the relationship runs the other way, in that the CSF's informative references map its subcategories to 62443 requirements. ISA/IEC 62443 is a series of standards that provides a framework to manage and secure industrial automation and control systems across their lifecycle, covering asset owners, integrators, and product suppliers. It enables organizations to identify and keep track of their asset inventory, group assets with similar security requirements into zones, and define conduits, the only permitted communication paths within and among these zones (this partitioning and the accompanying risk assessment are the subject of 62443-3-2). Each zone is then evaluated to determine the risk it faces, and a target security level (SL-T, from SL 1 for protection against casual or coincidental violation up to SL 4 for protection against well-resourced, skilled attackers) is assigned to it. Based on the security level established for each zone, the corresponding system requirements from 62443-3-3 are selected and implemented, and the achieved level (SL-A) is later assessed against the target.
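The zone-and-conduit exercise described above is easier to grasp on a concrete inventory. The following is an added example, not code from the original article or from the ISA/IEC 62443 standard: it models a constructed asset inventory, the conduits the design permits, and a handful of constructed flow records such as a passive network monitor would produce, then checks which observed inter-zone flows have no matching conduit. The rule that a zone's SL-T is the highest SL-T required by any of its assets is my simplification; in a real 62443-3-2 assessment the SL-T comes out of the risk assessment, not out of a maximum.

```python
"""Added example: zone/conduit consistency check in the style of ISA/IEC 62443.
All assets, conduits and flows below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str   # zone the asset has been grouped into
    sl_t: int   # target security level this asset needs (1..4)


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: FrozenSet[str]   # protocols the conduit is allowed to carry


@dataclass(frozen=True)
class Flow:
    src: str        # initiating asset
    dst: str        # receiving asset
    protocol: str


# Constructed inventory: an enterprise zone, a DMZ, and a control zone.
ASSETS: List[Asset] = [
    Asset("erp-app", "enterprise", 1),
    Asset("historian-dmz", "dmz", 2),
    Asset("scada-server", "control", 3),
    Asset("plc-01", "control", 3),
    Asset("eng-workstation", "control", 2),  # needs less than its zone mates
]

# Constructed conduits: the only inter-zone paths the design permits.
CONDUITS: List[Conduit] = [
    Conduit("enterprise", "dmz", frozenset({"https"})),
    Conduit("control", "dmz", frozenset({"opc-ua"})),
]

# Constructed flow records, as a passive monitor on a SPAN port might report.
FLOWS: List[Flow] = [
    Flow("erp-app", "historian-dmz", "https"),        # permitted by conduit
    Flow("scada-server", "historian-dmz", "opc-ua"),  # permitted by conduit
    Flow("scada-server", "plc-01", "modbus"),         # intra-zone: no conduit needed
    Flow("erp-app", "plc-01", "modbus"),              # no enterprise->control conduit
    Flow("historian-dmz", "scada-server", "rdp"),     # only control->dmz is declared
    Flow("erp-app", "historian-dmz", "ssh"),          # conduit exists, protocol not allowed
    Flow("vendor-laptop", "plc-01", "modbus"),        # asset missing from inventory
]


def zone_security_levels(assets: List[Asset]) -> Dict[str, int]:
    """Assumed rule: a zone's SL-T is the highest SL-T of any asset in it."""
    levels: Dict[str, int] = {}
    for a in assets:
        levels[a.zone] = max(levels.get(a.zone, 0), a.sl_t)
    return levels


def mixed_zones(assets: List[Asset]) -> List[str]:
    """Zones whose assets disagree on SL-T. 62443 groups assets with *similar*
    requirements, so these are candidates for further partitioning."""
    seen: Dict[str, Set[int]] = {}
    for a in assets:
        seen.setdefault(a.zone, set()).add(a.sl_t)
    return sorted(z for z, sls in seen.items() if len(sls) > 1)


def undeclared_flows(assets: List[Asset], conduits: List[Conduit],
                     flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Observed flows that are not covered by the zone/conduit design, with a reason.
    An unknown asset is reported too: an inventory gap is itself a finding."""
    zone_of: Dict[str, str] = {a.name: a.zone for a in assets}
    allowed_on = {(c.src_zone, c.dst_zone): c.protocols for c in conduits}
    findings: List[Tuple[Flow, str]] = []
    for f in flows:
        src_z: Optional[str] = zone_of.get(f.src)
        dst_z: Optional[str] = zone_of.get(f.dst)
        if src_z is None or dst_z is None:
            findings.append((f, "asset not in inventory"))
            continue
        if src_z == dst_z:
            continue  # traffic inside a zone is governed by the zone's own SL-T
        protocols = allowed_on.get((src_z, dst_z))
        if protocols is None:
            findings.append((f, f"no conduit {src_z}->{dst_z}"))
        elif f.protocol not in protocols:
            findings.append((f, f"{f.protocol} not permitted on conduit {src_z}->{dst_z}"))
    return findings


if __name__ == "__main__":
    print("zone SL-T:", zone_security_levels(ASSETS))
    print("zones to consider splitting:", mixed_zones(ASSETS))
    for flow, why in undeclared_flows(ASSETS, CONDUITS, FLOWS):
        print(f"{flow.src} -> {flow.dst} ({flow.protocol}): {why}")
```

Run against the constructed data, the check flags the enterprise-to-PLC Modbus session, the RDP session that runs against the declared direction of the DMZ conduit, the SSH session on a conduit that only permits HTTPS, and the vendor laptop that no one added to the inventory; it also reports the control zone as one whose assets do not share a single SL-T. Feeding it real inventory and flow data (and replacing the max rule with the SL-T from your risk assessment) turns the 62443 design into something you can continuously verify rather than a diagram that drifts.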
Which standards/combinations are favored?
In the SANS survey titled "SANS ICS/OT Survey 2021", responses from various industrial verticals showed an interesting mix of OT cybersecurity standards, with NIST CSF, ISA/IEC 62443, NIST SP 800-53, NIST SP 800-82, and ISO/IEC 27001 being the top five standards that control systems are mapped to. A few sector-specific (e.g., NERC CIP for the North American bulk electric system) and region-specific (the EU NIS Directive, the Qatar ICS security standard) standards also make an appearance.
In practice, a combination of these standards is employed based on your organization's needs. Those needs are shaped by the region and regulatory environment your business operates in, by your sector, and by the objectives and constraints of your particular plant or fleet. A common pattern is to use NIST CSF or ISO/IEC 27001 as the governance layer for the whole organization, ISA/IEC 62443 for zoning and system-level requirements in the control environment, and NIST SP 800-82 to tailor the 800-53 control catalog to OT. Implemented this way, the standards establish a cyber-secure industrial environment and give OT defenders a clear, prioritized view of where to concentrate effort in safeguarding critical infrastructure.