International Industrial CyberSecurity standards

The following is a collection of industrial cybersecurity standards and de-facto standards relevant for organizations designing, developing, selecting, installing and operating digital manufacturing platforms. The selection was made on the basis of expert advice and on the selections made by researchers in their assessment of the relevant state of the art. In addition to the standards themselves, readers should also consider the ongoing work in standardization efforts.

The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors, including retail, manufacturing, healthcare, education, government, defense, and others. So, while the CIS Controls address the general practices that most organizations should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls.

Accompanying guidance explains how to apply the security best practices found in the CIS Controls to industrial control system (ICS) environments. For each top-level CIS Control, there is a brief discussion of how to interpret and apply it in such environments, along with any unique considerations or differences from common IT environments. The applicability of specific Sub-Controls is addressed and additional steps needed in ICS environments are explained.

Publisher: ANSI, IEC, ISA - License: ANSI, IEC, ISA

The ISA/IEC 62443 standard specifies security capabilities for (industrial) control system components. Developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), it provides a framework to address and mitigate security vulnerabilities in industrial automation and control systems (IACSs). It is based upon the input and knowledge of IACS security experts from across the globe, who develop consensus standards that are applicable to all industry sectors and critical infrastructure. Central to the standard is the application of IACS security zones and conduits (isolation and segmentation), which were introduced in 62443-1-1.

ISA-62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components, provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components, and software applications.

Based on the IACS system security requirements of ISA/IEC 62443-3-3, System Security Requirements and Security Levels, 62443-4-2 specifies security capabilities that enable a component to mitigate threats for a given security level without the assistance of compensating countermeasures.

ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, specifies process requirements for the secure development of products used in an IACS and defines a secure development life cycle for developing and maintaining secure products. The life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management, and product end of life.

ISA/IEC 62443-3-2, Security Risk Assessment, System Partitioning and Security Levels, is based on the understanding that IACS security is a matter of risk management. 3-2 will define a set of engineering measures to guide organizations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.

ISA/IEC 62443-3-3, System Security Requirements and Security Levels, takes the earlier 62443-1-1 standard a step further by aligning the identified target security level with the required security level capabilities. ISA/IEC 62443-2-3, Patch Management in the IACS Environment, addresses the installation of patches, also called software updates, software upgrades, firmware upgrades, service packs, hot fixes, basic input/output system updates, and other digital electronic program updates that fix bugs and address operability, reliability, and cybersecurity vulnerabilities. It covers many of the problems and industry concerns associated with IACS patch management for asset owners and IACS product suppliers. It also describes the effects poor patch management can have on the reliability and operability of an IACS.

ISO 27000 (or ISO27k) refers to a standard and a series of international standards (27001, 27002, ...) set up by the ISO (International Organization for Standardization) on information security management systems (ISMS). The standard was initiated around 2005 and revised multiple times (2016, 2018) with the support of representatives of the different ISO member states, people with an information security background and profession.

The standard describes a norm against which organizations can organize themselves in order to properly manage information and information security. It sets out a series of policies and defines the setup of a management system to control and manage those policies. Today the standard is referenced by many compliance regulations and frameworks, such as the Network and Information Security Directive of the European Commission and the European Member States.

The ISO 27000 series has been divided into multiple sub-standards:

  • 27001: the specification for an information security management system (an ISMS), which replaced the old BS7799-2 standard
  • 27002: the 27000-series number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1)
  • 27003: guidance for the implementation of an ISMS (Information Security Management System)
  • 27004: measurement and metrics
  • 27005: methodology-independent ISO standard
  • 27006: accreditation of organizations offering ISMS certification
  • 27007: ISMS auditing
  • 27032: cybersecurity
  • 27033: network security

(* 27013 : Manufacturing)

The objective of the 27001 standard itself is to "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)". Adopting it should be a strategic decision. Further, "The design and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization". The original standard was more oriented towards planning and organizing; the later versions are more oriented towards measuring and evaluating. 27002 is about controls and control mechanisms.

Organizations can have their ISMS or their ISO process certified, which can be required for compliance reasons. (public download)

These requirements establish a standard way of expressing the assurance requirements for Targets of Evaluation (TOEs). This part of ISO/IEC 15408 catalogues the set of assurance components, families and classes. It also defines evaluation criteria for PPs (Protection Profiles) and STs (Security Targets) and presents the predefined ISO/IEC 15408 scale for rating the assurance of TOEs, the Evaluation Assurance Levels (EALs). The audience for this part of ISO/IEC 15408 includes consumers, developers, and evaluators of secure IT products. Developers, who respond to actual or perceived consumer security requirements in constructing a TOE, reference this part of ISO/IEC 15408 when interpreting statements of assurance requirements and determining assurance approaches for TOEs. (public download)