
OT Cybersecurity Is a Team Effort

By: Kara Phelps
18 October, 2024
Globally relevant standards and conformance programs are important, as is support for automation professionals.

Cybersecurity was once considered an information technology (IT) challenge—cybercriminals primarily targeted software, networks and computer systems. Operational technology (OT) and IT were “air-gapped” to minimize disruptions in the event of a breach. In recent years, however, the long-hyped convergence of OT and IT has become a commonplace reality. Industry 4.0 introduced smart technology to the world of OT, complete with better data insights, better connectivity and increased efficiencies.

A connected industrial environment has undeniable benefits, but it also comes with a downside—an increased vulnerability to cyberattacks. Mitigating risk and thwarting attacks also requires a coordinated effort. Cyber threat actors can easily put safety and continuity at risk when they attack OT. Incidents like the Colonial Pipeline ransomware attack in 2021 and the Dole ransomware attack in 2023 demonstrated the potential for cyber threats to have a severe, real-world impact. In 2024, a rising wave of cyberattacks, such as those orchestrated by Volt Typhoon, has targeted critical infrastructure in North America and Europe.

Organizations are facing high stakes when it comes to protecting their industrial automation and control systems (IACS). According to a report by ABI Research, global enterprise spending on OT cybersecurity is expected to increase to about 21.6 billion USD by 2028. In a position paper called “Advancing Industrial Cybersecurity,” the International Society of Automation (ISA) outlines how policymakers and private-sector leaders can be best equipped to address the urgent need for improved critical infrastructure cybersecurity. Globally relevant standards and conformance programs are important, as is strong support for the automation professionals who work to ensure the safety of facilities, processes and communities.

The position paper explores the critical need for OT cybersecurity training and various directives issued by governments around the world to address the challenges of protecting critical infrastructure from cyberattacks. It discusses ISA’s commitment to developing and maintaining standards such as the ISA/IEC 62443 series, the world’s leading consensus-based standards for control systems cybersecurity. ISA provides training resources surrounding those standards, promotes the adoption of standards and works with governments around the world to adopt standards and guidance for protecting critical infrastructure.

The paper states ISA’s position on advancing industrial cybersecurity, namely that: “Mandating cybersecurity measures with prescriptive regulations is undesirable. Instead, regulations should support the use of risk-based approaches based on published consensus-based technical standards and conformance measures.” It also highlights another ISA position, emphasizing the need for an OT-specific approach: “Specific standards that take account of the unique characteristics of industrial automation and control systems should be used in preference to more general information technology standards.”

ISA created the ISA Global Cybersecurity Alliance (ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes.


End-user companies, automation and control systems providers, IT infrastructure providers, services providers, system integrators and other cybersecurity stakeholder organizations work together through ISAGCA to proactively address growing threats. ISA also offers the leading conformity assessment program for industrial cybersecurity products and systems—ISASecure®—which certifies compliance with the ISA/IEC 62443 series of standards.

IIoT system protection

ISAGCA and ISASecure partnered to produce a white paper, “IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards.” This report explores the use of ISA/IEC 62443 in IACS with cloud-based functionality, also referred to as the Industrial Internet of Things (IIoT). It determines that the concepts in ISA/IEC 62443 such as risk assessment, zone and conduit partitioning and the system/component model can be applied to an IIoT IACS. The paper’s findings validate the endurance of ISA/IEC 62443 as OT continues to evolve.

So does another ISASecure paper, “The Case for ISA/IEC 62443 Security Level 2 as a Minimum for COTS Components.” The SL2 criteria outlined in ISA/IEC 62443 help strengthen the cybersecurity capabilities of commercial off-the-shelf (COTS) components to protect against the increasing number of intentional attacks targeting IACS. Recent news and trends have proven that, with so much on the line, organizations must openly share information concerning new threat scenarios and adopt globally relevant standards. Awareness and media mentions of the ISA/IEC 62443 standards are growing at a rate faster than ever before.

More organizations are adopting ISA/IEC 62443 requirements as they seek well-vetted, consensus-based strategies for protecting their systems, and governments are including these standards in public policies. Subject-matter experts in OT cybersecurity are also familiarizing themselves with a wide variety of use cases for ISA/IEC 62443. In 2024, OT cybersecurity is truly a team effort.

This feature originally appeared in AUTOMATION 2024: 1st Annual OT Cybersecurity Trends Report.
