I keep seeing IEC 62443 mentioned in our RFPs. Is this just a set of suggestions, or is it becoming a mandatory standard for industrial automation? How does it differ from NIST, and what is the best starting point for a mid-sized utility company to achieve "Level 2" security capability?
3 answers
IEC 62443 is the definitive global standard for the security of IACS (Industrial Automation and Control Systems). Unlike NIST, which is more of a broad framework, IEC 62443 is very specific about technical requirements for both the components (PLCs) and the overall system. To start, focus on Part 3-3, which defines the system security requirements. Achieving Security Level 2 (SL2) means you are protected against intentional violations using simple means with low resources. This involves implementing basic segmentation, robust authentication, and audit logs. It is quickly becoming mandatory for any critical infrastructure vendor or operator worldwide.
It’s a huge document, so don’t try to do it all at once. Focus on the "Foundational Requirements" (FRs) first, like identification and authentication control, before moving to the more complex parts.
Is it possible to get our existing legacy equipment "certified" under IEC 62443, or do we have to replace everything with newer, "secure-by-design" hardware?
Patrick, you can't really certify the old hardware itself. To answer your question, you focus on the "System" level certification. You prove that your network design (firewalls, monitoring, etc.) compensates for the legacy hardware's lack of native security features to meet the standard.
Great advice, Deborah. Breaking it down into small, manageable projects is the only way our team survived the audit last year without burning out completely.