Information security, Cybersecurity and the IEC 62443 series of standards

Information security, Cybersecurity and the IEC 62443 series of standards

More and more often we hear not so much about information security, but about cybersecurity and its importance for everyone (as a private person), for an organization, for the state, etc.

Does everyone understand well what cybersecurity is?

According to the definition provided by the Act on the National Cybersecurity System, cybersecurity is the resistance of information systems to activities violating the confidentiality, integrity, availability and authenticity of the processed data or related services offered by these systems. A very similar definition can be found in the ISO/IEC 27032 standard: Cyber ​​security – maintaining confidentiality, integrity and availability of information in cyberspace.

Ensuring cybersecurity is quite a challenge, especially when we talk about organizations. There are many standards, norms and legal regulations related to information security and cybersecurity that are amended from time to time, and new regulations appear regularly. We try to constantly be up to date and inform you, so I encourage you to use the IKMJ newsletter and follow our news.

The most popular and recognized standard is ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements. The ISO/IEC 27001 standard is subject to certification, there are standards from the ISO 27000 family that help in the implementation of 27001, provide various tips and good practices (ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27007 etc.). IKMJ will help you at every stage of implementation, maintenance or improvement of information security and cybersecurity management systems.

However, there are standards that are more targeted at organizations applying certain technological solutions, e.g. the IEC 62443 series of standards Safety in Industrial Automation and Control Systems (IACS). The IEC 62443 series of standards provides compliance requirements for all entities supporting asset owners in implementing technical and procedural security measures to protect operating facilities from cyber threats, focusing on OT – operational technologies not IT.

 

These standards cover many areas and can be widely used, as confirmed by the International Electrotechnical Commission (IEC). The IEC 62443 series of standards can be defined as comprehensive as they cover various structural aspects of a safety strategy such as people, processes and technologies. Standards of a given series are grouped into four groups including:

  • general concepts, definitions and topics common to the series;
  • IACS security policies and procedures, including requirements for security programs for asset owners, service providers and solution providers, and a methodology for assessing the level of protection provided by the current IACS;
  • technical requirements and methodology for cybersecurity risk assessment at the system-wide level;
  • requirements for the safe life cycle of system components and safety requirements for them at the technical level.

The Cyber ​​Seacurity Management System (CSMS) proposed by the IEC 62443 standard consists of six main elements:

  • initiate a CSMS program (to provide the information needed to obtain management support);
  • high-level risk assessment (identification and prioritization of threats);
  • detailed risk assessment (detailed technical vulnerability assessment);
  • establish security, organization and awareness rules;
  • selection and implementation of countermeasures (to reduce the risk to the organization);
  • maintain the CSMS (to ensure that the CSMS remains effective and supports the organisation’s goals).

Are you considering implementing an Information Security Management System or a Cybersecurity Management System in your organization? Do you have questions about the standards that will best suit your organization? Feel free to contact us!

 

Sources used:

Ustawa z dnia 5 lipca 2018 r. o krajowym systemie cyberbezpieczeństwa

ISASecure: “IEC 62443 – SDLA Certification;” https://www.isasecure.org/en-US/Certification/IEC-62443-SDLA-Certification-(1).

ISA/IEC-62443-3-2: “Security for Industrial Automation and Control Systems: Security Risk Assessment and System Design,” 2015.

Scroll to Top