ISA ISA-IEC-62443 - ISA/IEC 62443 Cybersecurity Fundamentals Specialist

ISA/IEC 62443 defines Security Level vectors to express Target Security Levels across the seven Foundational Requirements (FRs).

Step 1: SL-T definition

SL-T represents the Target Security Level determined from risk assessment.

Step 2: Vector meaning

Each number in the vector corresponds to the required SL for a specific FR (IAC, UC, SI, DC, RDF, TRE, RA).

Step 3: Zone-specific application

The vector is applied to a defined zone (e.g., BPCS), allowing granular security specification.

Thus, the vector represents SL values for a specific zone’s foundational requirements.

API 1164 is an industry sector-specific standard that provides guidance on the cybersecurity of pipeline supervisory control and data acquisition (SCADA) systems. API stands for American Petroleum Institute, which is the largest U.S. trade association for the oil and natural gas industry. API 1164 was first published in 2004 and revised in 2009 and 2021. The latest version of the standard aligns with the ISA/IEC 62443 series of standards and incorporates the concepts of security levels, zones, and conduits. API 1164 covers the security lifecycle of pipeline SCADA systems, from risk assessment and policy development to implementation and maintenance. The standard also defines roles and responsibilities, security requirements, security controls, and security assessment methods for pipeline SCADA systems.

ISA/IEC 62443 clearly distinguishes roles to assign cybersecurity responsibilities across the IACS lifecycle. A company that designs and manufactures embedded devices and network components—such as PLCs, RTUs, switches, or control software—but does not install or operate them is classified as a Product Supplier.

Step 1: Definition of a Product Supplier

Within ISA/IEC 62443 (notably Parts 4-1 and 4-2), a product supplier is the entity responsible for developing and delivering IACS products. Their responsibilities include secure product development, vulnerability handling, patch creation, and providing security-related product documentation.

Step 2: Exclusion of operational roles

Because the company does not perform on-site installation, commissioning, operation, or maintenance, it does not qualify as an integration or maintenance service provider. It also does not own or operate the system, so it is not an asset owner.

Step 3: Security responsibility alignment

ISA/IEC 62443-4-1 assigns product suppliers responsibility for secure development lifecycle practices, while 4-2 defines the technical security capabilities the products must support.

Therefore, the correct role is Product supplier.

Packet filter firewalls, as defined by ISA/IEC 62443 standards on cybersecurity, primarily examine the source, destination, and ports in the header of each packet. This type of firewall does not inspect the packet content deeply (such as its structure or sequence) or maintain awareness of the relationships between packets in a session. Instead, it operates at a more superficial level, filtering packets based solely on IP addresses and TCP/UDP ports. This approach allows packet filter firewalls to quickly process and either accept or block packets based on these predefined criteria without delving into the complexities of session management or the content of the packets up to the application layer.

The application layer is the topmost layer of the OSI model, which provides the interface between the user and the network. It includes protocols specific to network applications such as email, file transfer, and reading data registers in a PLC. These protocols deliver and format information, possibly with encryption and security, to ensure reliable and meaningful communication between different applications. The application layer does not include user applications, which are separate from the network protocols. The application layer also does not provide the mechanism for opening, closing, and managing a session between end-user application processes, which is the function of the session layer. References:

ISA/IEC 62443 Cybersecurity Fundamentals Specialist Study Guide, page 181

Using the ISA/IEC 62443 Standards to Secure Your Control System, page 82

The application layer in network protocols, such as in the OSI model or the TCP/IP protocol suite, is primarily responsible for providing services directly to user applications. This layer is involved in:

Option A: Including protocols specific to network applications such as email, file transfer, and industrial protocols like reading data registers in a Programmable Logic Controller (PLC). This is a core function of the application layer as it facilitates specific high-level networking capabilities.

Option D: Delivering and formatting information, which can include encryption and ensuring the security of data as it is transmitted across the network. This includes protocols like HTTP for web browsing which can encrypt data via HTTPS, SMTP for secure email transmission, and FTP for secure file transfer.

IT systems and IACS have different security priorities, requirements, and challenges. According to the ISA/IEC 62443 standards, the security priority for IT systems is confidentiality, which means protecting the data from unauthorized access or disclosure. The security priority for IACS is integrity, which means ensuring the accuracy and consistency of the data and the functionality of the system. A loss of integrity in an IACS can have severe consequences, such as physical damage, environmental harm, or human injury. Therefore, IACS cybersecurity must address safety issues, which are not typically considered in IT security. Safety is the ability of the system to prevent or mitigate hazardous events that can cause harm to people, property, or the environment. The ISA/IEC 62443 standards provide guidance and best practices for ensuring the safety and security of IACS, as well as the availability and reliability of the system. Availability is the ability of the system to perform its intended function when required, and reliability is the ability of the system to perform its intended function without failure. These properties are also important for IT systems, but they may have different trade-offs and implications for IACS. For example, an IACS may have stricter performance and availability requirements than an IT system, as a delay or disruption in the IACS operation can affect the industrial process and its outcomes. Additionally, an IACS may have longer equipment lifetimes and less frequent maintenance windows than an IT system, which can make patching and updating more difficult and risky. Furthermore, an IACS may use different technologies and architectures than an IT system, such as legacy devices, proprietary protocols, or specialized hardware. These factors can create compatibility and interoperability issues, as well as increase the attack surface and complexity of the IACS. Therefore, IT security solutions and practices may not be sufficient or suitable for IACS, and they may need to be adapted or supplemented by IACS-specific security measures. The ISA/IEC 62443 standards address these differences and provide a comprehensive framework for securing IACS throughout their lifecycle.

ISA/IEC 62443 is officially listed as an Informative Reference in the NIST Cybersecurity Framework (CSF). Informative References provide detailed guidance to help organizations implement the CSF's functions, categories, and subcategories.

“ISA/IEC 62443 is included in the NIST CSF Informative References to help apply risk-based cybersecurity practices to industrial control systems.”

— NIST CSF Informative Reference Catalog, Section: PR.IP and ID.RA

ISA/IEC 62443 aligns well with CSF categories such as Protect (PR) and Identify (ID), especially for operational technology environments.

A key distinguishing factor between IT (Information Technology) and IACS (Industrial Automation and Control Systems) environments is the **requirement for cybersecurity to consider safety in IACS systems.

From ISA/IEC 62443-1-1, Clause 4.3:

“In contrast to traditional IT environments, where the primary concern is confidentiality, the primary concerns in IACS environments are often availability, integrity, and most critically — safety.”

Any cybersecurity failure in IACS environments can result in physical consequences, such as equipment damage, environmental harm, or loss of human life — making safety a critical consideration.

Incorrect Options:

A. Integrity is important, but availability and safety are usually higher priorities.

B. IT prioritizes confidentiality, not availability.

D. Routers are indeed used in IACS networks, often hardened or industrial-grade.

The ISA99 Committee (which develops the ISA/IEC 62443 series) clearly outlines four key consequences of compromising an Industrial Automation and Control System (IACS):

Endangerment of public or employee safety

Loss of public confidence

Violation of regulatory requirements

Loss of proprietary or confidential information

Economic and operational losses

“Increased product sales” is not listed — in fact, a compromise would likely result in the opposite, such as brand damage and loss of customer trust.

“The scope of the ISA99 Committee includes addressing risks such as the endangerment of public safety, loss of information, and economic harm arising from cyber incidents affecting IACS.”

— ISA/IEC 62443-1-1:2007, Clause 1 – Scope and Purpose

Transport Layer Security (TLS) is the primary cryptographic protocol used to secure web-based communications such as HTTPS in web browsers.

From ISA/IEC 62443-3-3 (System Security Requirements and Security Levels), Annex B:

“TLS provides confidentiality, integrity, and authentication for communications over untrusted networks. It is commonly used to secure HTTPS, SMTP, and other application protocols.”

TLS superseded SSL and is the backbone of secure data transmission over the Internet.

Incorrect Options:

B. L2TP – Used for VPNs; not typically browser-related.

C. PPTP – An older VPN protocol, not used for browser encryption.

D. IPsec – Used to secure IP traffic at the network layer; not directly used in browser-based communication.