ISA/IEC 62443 provides a powerful tool to reduce the risk of financial, reputational, human, and environmental impact from cyber-attacks on Industrial Automation and Control Systems (IACS).
However, since it is a “horizontal standard”, 62443 is meant to address a wide range of industries,
and any specific company is likely to find that while most of the standard applies to their IACS, parts of it may not. For example, some “normative requirements” that are appropriate for an interstate pipeline, may not be relevant to a chemical plant or a discrete manufacturing facility.
There are also obvious differences between a large-scale corporation with many sites and thousands of employees, and a small company with a few dozen staff.
It is therefore recommended that each company establishes their own Industrial Automation and Control Systems (IACS) Cybersecurity Program to manage these cybersecurity risks. ISA/IEC 62443 2-1 provides guidance on how to establish a Security Program for IACS asset owners. This process might look like the following.