
John Cusimano

Are you thinking, “I no longer need ISA/IEC 62443, now that NIST has issued the Cybersecurity Framework”? Well stop right there, because that’s actually not the case. The National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF for short, does not replace standard 62443. Your next question may be, “So how are they different?”

ISA/IEC 62443 is a set of standards for industrial cybersecurity designed to prevent or mitigate cybersecurity attacks, while the NIST CSF is an overarching document that addresses cybersecurity (both IT & OT) for any of the US Government’s 16 critical infrastructure sectors. Issued on February 12, 2014, it is a direct result of Presidential Executive Order 13636, which calls for the development of a voluntary risk-based Cybersecurity Framework to help organizations manage cybersecurity risks.

So just what do ISA/IEC 62443 and the NIST CSF have to do with each other? The NIST CSF serves as a reference to guide organizations and direct them to the appropriate standards (i.e., 62443) where they can get the detailed information they need to implement a cybersecurity program. One of the fundamental concepts introduced in the CSF is the Framework core, which defines 5 main functions – Identify, Protect, Detect, Respond and Recover. These five functions are the starting point of the road that leads to ISA/IEC 62443. But before I continue, I’d like to tell you a story.

About 5 years ago, after spending a couple of years sorting through the plethora of available information regarding ICS cybersecurity, I developed a 7-step model to help organize and simplify the core activities that organizations should undertake in order to secure their control systems. I called it “The 7 Steps to ICS Cybersecurity” and co-authored a whitepaper with Eric Byres by that name. We received a lot of praise for our effort to “dumb down” the complexity of all the available information and provide a roadmap to help organizations get started. It certainly seemed to be a big improvement over the previously published “21 Steps to Improve Cyber Security of SCADA Networks” from DOE.

Not to be outdone, about a year later two gentlemen from Emerson published an article in InTech magazine called the “6 Steps to ICS Cybersecurity”. No complaints from me: simpler is better, and it’s a very good article.

So, when I first saw the Framework and its 5-function model, I was thrilled. It is straightforward and makes sense. Before you can do anything else you must first Identify your critical assets and assess the risk. Once you’ve done that, you can put measures in place to Protect those assets. Many organizations used to stop there, but the Framework emphasizes the importance of providing means to Detect when something is wrong and of having plans in place to Respond to, and Recover from, the inevitable incidents that may occur.

Each of these 5 functions is divided into categories, which are then further divided into sub-categories. Each sub-category references existing standards that provide the detailed requirements an organization needs to satisfy the intent of that sub-category. Since the NIST CSF applies to many different sectors, a number of standards are referenced, but the one that applies to OT is ISA/IEC 62443.

Why is this relevant? If you’re in Automation, following good engineering practices is something you care about (or something you should care about). ISA/IEC 62443 is a good engineering practice, whereas the NIST CSF provides structure and a common language that organizations can use to organize and measure their cybersecurity programs. ISA/IEC 62443 and the NIST CSF truly complement each other.

Getting ahead of the curve and staying ahead of the bad guys in cybersecurity is all part of your job as an automation engineer. To hone these skills and develop your cybersecurity fundamentals, ISA offers three courses in cybersecurity. If no classes are available in your area, aeSolutions can bring the training to you. More information is available on the ISA cybersecurity courses offered in your area and on cybersecurity training by aeSolutions.