• ISA provides technical resources and standards to help industrial automation professionals advance their careers and the field. We enable automation professionals worldwide to solve problems and enhance their skills by bringing people together to create new technologies and share best practices with future automation professionals.

    • Industry Insights

  • We attract over 140,000 unique automation professionals monthly, making us the premier online content provider and the only dedicated electronic magazine in the automation industry.

    Monthly Magazine

    • More things to read

    Back
    Back
  • M logo for Automation.com Monthly. Link to current issue.
  • Search Sponsored By:
Feature

Defining Security Lifecycles in the ISA/IEC 62443 Series [Excerpt]

By: Johan Nye
10 November, 2020
2 min read
Defining Security Lifecycles in the ISA/IEC 62443 Series [Excerpt]
Defining Security Lifecycles in the ISA/IEC 62443 Series [Excerpt]
In this excerpt of a guide by the ISA Global Cybersecurity Alliance, the author defines the security lifecycles outlined in the ISA/IEC 62443 standards.

The ISA Global Cybersecurity Alliance (ISAGCA) recently released a guide to security lifecycles in the ISA/IEC 62443 Series. To give you a brief taste of the content you can find in the guide, we republished its executive summary below. Understand more about the different security lifecycles outlined in the world's only consensus-based automation cybersecurity standards and download the full guide at www.isa.org/securitylifecycles.

Executive Summary

This document provides an overview of the security lifecycles that are described in the ISA/IEC 62443 Series of standards and technical reports, which specifies the requirements for the Security of Industrial Automation and Control System (IACS). There are two security lifecycles that are included in the ISA/IEC 62443 Series: the Product Security Lifecycle and the Automation Solution Security Lifecycle .

The

Product Security Lifecycle

specifies the security requirements for the technical and organizational security measures used to design, develop, and support IACS System and Component products. It includes secure by design aspects such as threat modeling and defense-in-depth strategies, secure implementation such as secure coding standards, security verification & validation testing , and security update management . Technical security measures based on Security Levels allow the Product Supplier to deliver IACS Systems and IACS Components that are capable of meeting specified security requirements, provided the Asset Owner maintains associated organizational security measures .

The Automation Solution Security Lifecycle is shown in Figure 1 and specifies the technical and organizational security measures used throughout the lifecycle of the IACS Automation Solution, which is the realization of IACS Systems and IACS Components at a particular facility.

automation-solution-security-lifecycle

Diagram republished from ISAGCA's "Security Lifecycles in the ISA/IEC 62443 Series"

Asset Owner , Product Supplier , and Service Provider are roles that are defined later in this document . Roles are not the same as organizations. An organization can have multiple roles, and the responsibilities of a role can be split between multiple organizations. While this document presents typical roles and responsibilities throughout the security lifecycles, it is important to note that the Asset Owner must determine and document the actual roles and responsibilities used for their organization and IACS Product Suppliers and Service Providers.

Advertisement

There are a few key messages that the reader should understand from this document:

  • The Asset Owner is accountable for the cybersecurity risk of the IACS and the Equipment Under Control
  • IACS cybersecurity is a shared responsibility among Asset Owner, Product Supplier, and Service Providers
  • IACS cybersecurity is required throughout the Automation Solution Security Lifecycle
  • IACS cybersecurity is required throughout the Product Security Lifecycle

If you'd like to read more, please request your free copy of "Security Lifecycles in the ISA/IEC 62443 Series: Security of Industrial and Automation Control Systems" at www.isa.org/securitylifecycles .

Categories:
Cover image for ISA Global Cybersecurity Alliance

ISA Global Cybersecurity Alliance

The ISA Global Cybersecurity Alliance (ISAGCA) is a global consortium collaborating to advance OT cybersecurity awareness, education, readiness, standardization and knowledge sharing, based on the ISA/IEC 62443 series of standards. 

Default Avatar

Johan Nye
Johan Nye is an independent consultant specializing in industrial control systems (ICS) and cybersecurity. During his career spanning more than 38 years, Nye has designed ICS system architectures, created company standards and policies, implemented major ICS projects, supported ICS site engineers, and contributed to the design of several ICS products. He is the author of "Quick Start Guide: An Overview of the ISA/IEC 62443 Standards" and "Security Lifecycles in the ISA/IEC 62443 Series."
Advertisement

Trending Articles

Advertisement

Related Articles

View all Articles and News
Advertisement
Advertisement

International Society of Automation
PO Box 12277

Research Triangle Park, NC 27709

E-Mail: [email protected]

©2026 Automation.com, a subsidiary of the International Society of Automation.