Cybersecurity ethics and standards

What’s new with cybersecurity standards?

Nov. 25, 2024
ISA/IEC 62443, NIST CSF and EU NIS2 change with the times

Now that they’ve been around for more than a few years, many of the best-known cybersecurity standards and guidelines have been added to, updated and refreshed a few times. Here’s their present status.


ISA/IEC 62443—Several sections of the standard have been revamped or introduced recently. They include:

  • 62443-2-1, which was published in August and covers cybersecurity program policies, requirements and procedures for industrial automation and control system (IACS) asset owners;
  • 62443-3-3, which revised its guidance on the system security requirements and capabilities needed to construct an IACS that meets security-level targets, and shows users how to gauge their progress; and
  • 62443-4-2, which further refined its cybersecurity requirements for the control system components described in ISA-62443-3-3, as well as its emphasis on secure development lifecycles.

NIST Cybersecurity Framework (CSF) 2.0 and its supplementary resources were launched in February, following a multiyear update. It explicitly aims to help all organizations manage and reduce risk, not just those in its original target audience of critical infrastructure. CSF 2.0 also updated its core guidance, and created a suite of resources to help organizations achieve their cybersecurity goals, with added emphasis on governance and supply chains. In addition, NIST published its Special Publication (SP) 800-50r1 (Revision 1), “Building a cybersecurity and privacy learning program,” which provides updated guidance for developing and managing a robust cybersecurity and privacy learning program in the federal government.

EU NIS2—On Oct. 16, the European Union (EU) adopted its first rules on implementing cybersecurity for critical entities and networks as part of its directive on measures for high, common cybersecurity levels across the EU. The NIS2 Directive also details cybersecurity risk-management measures, and when an incident should be considered significant enough to be reported to national authorities.

About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control. 
