The most referenced document in the IEC 62443 cybersecurity series is IEC 62443-3-3, “System security requirements and security levels.” Jointly developed with the ISA99 committee, it details the technical system requirements (SRs) for a control system, grouped under seven foundational requirements (FRs):
- Identification and authentication control ensures only authorized users and devices can access the system.
- Use control defines what actions authorized users and devices can perform within the system.
- System integrity ensures system and components aren’t corrupted.
- Data confidentiality protects sensitive information from unauthorized disclosure.
- Restricted data flow controls the flow of information in the system and between different systems.
- Timely response to events ensures the system can detect security violations, report them to the appropriate authority and take corrective action in time.
- Resource availability guarantees the system and its resources are available to authorized users when needed.
IEC 62443-3-3 was issued in 2013 and defined the requirements for control system security levels. Though the standard is now more than a decade old, its foundational requirements shouldn’t change. Likewise, the zone and conduit model introduced by ISA-99 in 2007 and incorporated into the IEC 62443 series is widely accepted for developing and maintaining industrial control environments.
Most IT and IoT systems are also pushing to implement zero-trust protections. Their core requirements are:
Continuous verification: every access request, regardless of origin (inside or outside the network), must be explicitly verified and authorized.
Least privilege access: users and devices only have the absolute minimum permissions necessary to perform their required tasks.
Assume breach: operate as if an intrusion has already occurred, and focus on containing the impact of any successful one.
Zero trust is a fundamental shift in security philosophy that requires a change in mindset, and a commitment to continuous verification and least-privilege access. While zero trust isn't a specific legal requirement in all cases, it's becoming the de facto standard for U.S. federal cybersecurity, and its principles are likely to influence future regulations and best practices.
Europe has two key pieces of cybersecurity legislation, the NIS2 directive and the Cyber Resilience Act, both of which reference zero trust.
The National Institute of Standards and Technology (NIST) treats zero trust as complementary to its Cybersecurity Framework (CSF). Organizations can use the CSF as a general roadmap for their security program, and then leverage the specific guidance in NIST SP 800-207, “Zero Trust Architecture,” to implement zero trust across their network. Another way to look at it is: the CSF is the overall blueprint for your cybersecurity architecture, and zero trust is a critical security system you install within that architecture to protect your valuable assets.
Similarly, defense-in-depth cybersecurity strategy provides a foundation for zero trust. The multiple layers of security in a defense-in-depth strategy become the components that zero trust uses to enforce its "never trust, always verify" principle down to a zone of one device, one port and one application.
Defense-in-depth is about building multiple layers of security, while zero trust is about continuously verifying every access attempt. If you consider a zone of one element, as might be the case for an IoT or IIoT device providing an input via a SCADA or other control system, then IEC 62443’s seven foundational requirements not only support the principles of zero trust, but also provide solid recommendations about how to implement it.
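To make the “zone of one” idea concrete, the following is an added illustration (not code from the article, the ISA99 committee or any IEC 62443 product). It models one IIoT sensor as its own zone, with each allowed conduit fixed to one device, one port and one application, and evaluates every request from scratch against three of the foundational requirements: identification and authentication control (a valid, unexpired credential), restricted data flow (the request must traverse an explicitly allowed conduit) and use control (the caller's role must permit the requested operation). Anything not explicitly allowed is denied. The conduit table, role table, credential store and device names are all hypothetical and constructed for the example; a real deployment would verify signed tokens or certificates rather than look up a dictionary.

```python
"""Zone-of-one conduit enforcement, an illustrative example only.

Each request is re-evaluated in full (continuous verification, no cached
session). The first failing check denies, and the reason names the
IEC 62443 foundational requirement it enforces: IAC, RDF or UC.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import time

# Hypothetical conduit table: one device, one port, one application per
# conduit, mapped to the roles allowed to traverse it. Default deny otherwise.
CONDUITS = {
    # (source_zone, device, port, application): allowed roles
    ("scada-zone", "sensor-07", 4840, "opcua"): {"historian", "operator"},
    ("eng-zone", "sensor-07", 22, "ssh"): {"maintainer"},
}

# Hypothetical least-privilege table: the operations each role may perform.
ROLE_OPERATIONS = {
    "historian": {"read"},
    "operator": {"read", "write_setpoint"},
    "maintainer": {"read", "write_setpoint", "update_firmware"},
}

# Constructed credential store: token -> (subject, role, expiry as Unix time).
# Stands in for verifying a signed token or client certificate.
CREDENTIALS = {
    "tok-hist-1": ("historian-svc", "historian", 4102444800),  # valid until 2100
    "tok-op-expired": ("alice", "operator", 0),                # already expired
    "tok-maint-1": ("bob", "maintainer", 4102444800),
}


@dataclass(frozen=True)
class Request:
    token: str
    source_zone: str
    device: str
    port: int
    app: str
    operation: str


def authorize(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; nothing is trusted by default."""
    now = time.time() if now is None else now

    # IAC: the caller must present a known, unexpired credential on every call.
    cred = CREDENTIALS.get(req.token)
    if cred is None:
        return False, "IAC: unknown credential"
    subject, role, expiry = cred
    if now >= expiry:
        return False, f"IAC: credential for {subject} has expired"

    # RDF: the (zone, device, port, app) tuple must be an allowed conduit,
    # and this role must be permitted on that conduit.
    conduit = (req.source_zone, req.device, req.port, req.app)
    allowed_roles = CONDUITS.get(conduit)
    if allowed_roles is None:
        return False, f"RDF: no conduit {conduit}"
    if role not in allowed_roles:
        return False, f"RDF: role {role} may not use conduit {conduit}"

    # UC: least privilege, the role must be allowed the specific operation.
    if req.operation not in ROLE_OPERATIONS.get(role, set()):
        return False, f"UC: role {role} may not perform {req.operation}"

    return True, f"allowed: {subject} ({role}) {req.operation} on {req.device}:{req.port}/{req.app}"


if __name__ == "__main__":
    # Constructed sample traffic against the sensor-07 zone.
    samples = [
        Request("tok-hist-1", "scada-zone", "sensor-07", 4840, "opcua", "read"),
        Request("tok-hist-1", "scada-zone", "sensor-07", 4840, "opcua", "write_setpoint"),
        Request("tok-op-expired", "scada-zone", "sensor-07", 4840, "opcua", "read"),
        Request("tok-maint-1", "scada-zone", "sensor-07", 4840, "opcua", "read"),
        Request("tok-maint-1", "eng-zone", "sensor-07", 22, "ssh", "update_firmware"),
        Request("tok-maint-1", "eng-zone", "sensor-07", 80, "http", "read"),
    ]
    for r in samples:
        ok, why = authorize(r, now=1_700_000_000)
        print("ALLOW" if ok else "DENY ", why)
```

Note that the maintainer's valid credential is still refused on the SCADA conduit: identity alone buys nothing, the conduit and the operation are checked on every request, which is the point of treating the device as a zone of one.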