ISO-27001, ISA/IEC-62443, and NIST CSF: Choosing the appropriate framework/standard for your OT cybersecurity program

C1ph3r
Jan 21, 2023

You need a set of standardized risk mitigating measures that are produced via the joint efforts of regulatory institutions, industry groups, governmental agencies, and tech-experts if you want to implement a cybersecurity program in a methodical manner.
Organizations can reduce risks to a manageable level with the use of one or more clearly defined procedures. They can also monitor their progress, identify any gaps between the present and desired security levels, and enhance the overall effectiveness of their security system.

ISA/IEC 62443, the NIST Cybersecurity Framework, and ISO-27001 are a few of the commonly used international standards that offer a complete how-to and are 100% effective in protecting IT and OT systems.

ISA/IEC 62443

ISA/IEC 62443 departs from the control catalogue defined in NIST CSF and goes deeper into the specifics of how controls are applied.
ISA/IEC 62443 is a set of standards that provides a framework for managing and securing OT systems, as well as monitoring and preventing future attacks.
It enables organizations to identify and track their asset inventory, zone assets with similar security requirements, and define conduits for establishing a secure communication channel within and between these zones.
The zones are then evaluated further to determine the level of risk they face, and security levels are assigned to them.
Controls are chosen and implemented in accordance with the zones’ established security levels.
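The zone-and-conduit procedure described above, as a small added example written for this post (it is not code from the original article or from any vendor tool). It groups a constructed asset inventory into zones, assigns each zone a target security level on the 1-4 scale of IEC 62443-3-3, and flags any conduit that joins zones with different targets but has no boundary control; all zone, asset and conduit names are constructed.

```python
"""Toy ISA/IEC 62443 zone-and-conduit model (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str  # name of the zone this asset is assigned to


@dataclass
class Zone:
    name: str
    sl_target: int  # SL-T on the IEC 62443-3-3 scale (1 = lowest, 4 = highest)
    assets: list[str] = field(default_factory=list)


@dataclass
class Conduit:
    name: str
    src: str
    dst: str
    controls: list[str] = field(default_factory=list)  # e.g. ["firewall"]


def build_zones(assets, sl_targets):
    """Group assets into zones; report assets whose zone is not defined."""
    zones = {name: Zone(name, sl) for name, sl in sl_targets.items()}
    unassigned = []
    for a in assets:
        if a.zone in zones:
            zones[a.zone].assets.append(a.name)
        else:
            unassigned.append(a.name)
    return zones, unassigned


def review_conduits(zones, conduits):
    """Return (conduit, reason) for each conduit crossing SL-T levels uncontrolled."""
    findings = []
    for c in conduits:
        src_sl, dst_sl = zones[c.src].sl_target, zones[c.dst].sl_target
        if src_sl != dst_sl and not c.controls:
            findings.append((c.name, f"SL {src_sl} -> SL {dst_sl} with no boundary control"))
    return findings


# Constructed sample inventory: a control cell, a site DMZ and an office network.
ASSETS = [Asset("plc-01", "cell-A"), Asset("hmi-01", "cell-A"),
          Asset("hist-01", "site-dmz"), Asset("eng-ws", "office")]
SL_TARGETS = {"cell-A": 3, "site-dmz": 2, "office": 1}
CONDUITS = [Conduit("c1", "cell-A", "site-dmz", ["firewall"]),
            Conduit("c2", "site-dmz", "office")]  # crosses SL 2 -> SL 1 with nothing in between
```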

ISO-27001

ISO-27001 is the ISO standard for information security management.
ISO-27001 has evolved into one of the most comprehensive standards for defining the guidelines and requirements for implementing an information security management system.
The ISO-27001 standard, which focuses on information security, enables organizations to address and prioritize their confidentiality, integrity, and availability requirements.
At its core is a plan-do-check-act cycle, also known as the PDCA cycle, which derives from quality assurance in manufacturing environments.

PDCA Cycle

The Four Phases of the PDCA Cycle

Plan

First, identify and comprehend your issue or opportunity.
Perhaps the quality of a finished product isn’t high enough, or an aspect of your marketing process could be improved. Investigate all of the available information. Develop a solid implementation plan after generating and screening ideas. Make your success criteria as specific and measurable as possible.
You’ll come back to them later on in the Check stage.

Do

Once you’ve identified a potential solution, put it to the test in a small-scale pilot project.
This will demonstrate whether your proposed changes achieve the desired result — with minimal disruption to the rest of your operation if they do not.
For example, you could organize a trial within a department, in a specific geographical area, or with a specific demographic. As you run the pilot project, collect data to determine whether the change was successful or not. This will be useful in the next stage.

Check

Then, compare the results of your pilot project to the criteria you established in Step 1 to determine whether your idea was a success.

If it wasn’t, go back to Step 1.
If it was, proceed to Step 4.

You may decide to experiment with additional changes and repeat the Do and Check phases.
However, if your original plan is clearly not working, you must return to Step 1.

Act

This is where you put your solution into action.
However, keep in mind that PDCA/PDSA is a loop, not a process with a beginning and an end.
Your improved process or product becomes the new baseline, but you keep looking for ways to improve it.

In general, the technological nature and scope of IT and OT systems differ.
As a result, the security treatment of an OT system must be tailored to its specific requirements.
Because many of the controls used to manage the security of IT systems are inapplicable to OT systems, a different set of industry standards is required to meet the safety requirements and mitigate the risks.
NIST CSF and ISA/IEC 62443 are specifically designed to provide guidelines for industrial automation and control system security.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) gives asset owners a general direction for securing OT systems.
It is fundamentally designed to assist organizations in streamlining required actions, defining and prioritizing security levels for current and potential risks, and managing budgets accordingly.
The NIST CSF generally directs its users toward implementing cybersecurity controls in accordance with its five core framework functions.

NIST CSF

Among the numerous NIST standards, NIST SP 800-53 and NIST SP 800-82 are noteworthy.
NIST SP 800-53 provides privacy and security controls for information systems, whereas NIST SP 800-82 addresses the cybersecurity requirements of OT systems.
NIST SP 800-82 allows organizations to tailor some of the controls in NIST SP 800-53 via an ‘overlay’ to meet OT-specific requirements.
NIST’s published guidelines provide a detailed overview of the security capabilities of all of these standards.

Which standards/combinations are most popular?

Responses from various industrial verticals in the SANS survey titled “SANS ICS/OT survey 2021” revealed an interesting mix of OT cybersecurity standards, with NIST CSF, ISA/IEC 62443, NIST SP 800-53, NIST SP 800-82, and ISO-27001 being the top 5 standards that control systems are mapped to.
A few industry-specific (NERC CIP) and locality-specific (NIS Directive, Qatar ICS security standard) standards can also be found.

SANS ICS/OT survey 2021
