We have gathered three OT security professionals and asked them about two important regulations, IEC 62443 and ISO 27001 – what they are, what are the connections between them, and how to comply. Read on to find out.
IEC 62443 is a series of standards that set requirements for industrial automation and control systems (IACS) and related policies, procedures, security, and more. The main goal is to treat IACS-related vulnerabilities and facilitate the implementation of appropriate security measures to mitigate and prevent cyberattacks.
“The IEC 62443-3 standard is part of the bigger scope of the IEC standard that addresses the security requirements for industrial control systems, and it provides the guidelines for implementing security measures to protect the integrity, availability, and confidentiality of data. Several key topics are covered, including access control,” explains Eduardo Giancristofaro, Channel Development Manager (OT) at SSH Communications Security.
IEC 62443-3 specifically is the third part of the four-part-long series, and it covers:
Security technologies for IACS, such as various authentication technologies, access control technologies, encryption technologies, or monitoring and auditing tools
System security requirements and security levels, defining security requirements and levels for various IACS components, like human user identification and authentication, device identification and authentication, session-related controls, or auditing capabilities
As Toni Häkkänen, Chief Architect IT/OT, IT Strategy & Governance at UPM, points out: “The standard, when simplified, creates a sort of a cornerstone for your security setup that you can then communicate internally as well as externally – to your vendors for example. IEC62443-3 is the cornerstone for security features and functionalities.”
What is ISO 27001?
ISO 27001 is an international standard focusing on information security, information security management systems (ISMS), and requirements that ISMS should meet. For example, compared to the IEC 62443, the scope of ISO 27001 is much wider. The main goal is to help businesses identify, implement, and improve their information security and ISMS.
The standard also serves a more general purpose, targeting companies of all sizes in a wide variety of industries.
Thus, the requirements and guidance cover topics from the role of leadership or planning of information security to evaluating the performance of current practices and how to improve on them. And even though ISO 27001 includes a chapter talking about the context of organizations, how to understand the context, and then how to determine the scope, the standard itself doesn’t specify the importance or level of security required in various industries.
What are the connections and differences between IEC 62443 and ISO 27001?
Simply put: “ISO 27001 is a standard and framework for managing information security. [...] It is simply a way to handle information security risks against your information. IEC62443 is more of a way to ensure the continuity of your business operations in industrial environments. In both, information security is a big part of it all. So, they need to be compatible in the way they handle information security, but they cover a bit different spheres of influence,” says Jouni Hiltunen, Lead Technology Advisor, Enterprise & Cyber Security at Fujitsu Finland.
Important to point out is that both IEC 62443 and ISO 27001 are useful industry standards/regulations, and businesses that meet their requirements and pass an audit can get certified. However, neither of these is a law.
IEC 62443, ISO 27001, and industrial remote access: How to comply?
Toni Häkkänen points out that good recommendations on how to comply with these standards already exist. So, when you decide you want to become compliant (and certified), you can follow a set of recommended steps to thoroughly check your environment.
According to Toni, in many cases, businesses find out that they already are compliant or are very close to being compliant.
Jouni Hiltunen adds an important note: “Standards are not manuals. You can implement your security management system or your OT security system 100% compliant and applicable to the standard but still have a very high rate of security incidents and very high cost for your security. Standards are tools to ensure interoperability and compatibility and, in some cases, compliance with regulations. But first, you need to know what you need to be doing security-wise, then you can do it according to the standard.”
Comply with regulations & stay compliant with PrivX OT
PrivX OT is our Zero Trust secure access management solution that integrates with IT/OT systems, providing secure industrial access to modern and legacy OT targets in hybrid environments.
PrivX OT helps you stay compliant with regulations and laws applicable to remote access, automation, control system applications, and network and information systems, including ISA/IEC 62443, ISO 27001, NIS/NIS 2.0, and NIST.
We at SSH secure communications between systems, automated applications, and people. We strive to build future-proof and safe communications for businesses and organizations to grow safely in the digital world.