This ISA Global Cybersecurity Alliance webinar, Leveraging ISA 62443-3-2 For Risk Assessment and Related Strategies, explains why risk assessments are necessary for industries that operate industrial automation and control systems (IACS) and why securing this operational technology (OT) differs from securing information technology (IT).
The ANSI/ISA 62443 series of automation and control systems cybersecurity standards, developed primarily by ISA, has been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations. The standards define requirements and procedures for implementing electronically secure industrial automation and control systems, for the security practices that support them, and for assessing electronic security performance. They approach the cybersecurity challenge holistically, bridging the gap between operations and information technology.
ANSI/ISA 62443-3-2, Security for industrial automation and control systems, Part 3-2: Security risk assessment for system design, provides the framework for the risk assessment work process, and that framework is integrated with the more traditional risk assessments of processes and equipment. The webinar gives practical guidance on the information needed to perform initial and detailed cyber risk assessments, the typical team members, the types of methodologies available, and the expected deliverable of the cyber risk assessment: a cybersecurity requirements specification.
To assess cyber risk, the webinar explains threats and vulnerabilities and provides an example of risk assessment criteria that help determine whether existing countermeasures are sufficient or whether additional risk reduction should be recommended.
The webinar also explains how risk assessment fits into the facility lifecycle: greenfield capital projects, brownfield sites performing a cyber risk assessment for the first time, and revalidation of prior risk assessments.
- Gain a better understanding of the ISA/IEC 62443 standards series
- Examine threats and vulnerabilities associated with cyber risk
- Understand why risk assessment needs to be part of the facility lifecycle
Thomas is a self-employed consultant at HWT Consulting LLC. He was formerly a process safety engineering associate at Air Products for over 36 years. He received a Bachelor of Science in mechanical engineering from Bucknell University, is a registered professional engineer in Pennsylvania, and is a Certified Functional Safety Expert (CFSE). Before becoming a process safety engineer and becoming involved in cybersecurity for control systems, he was a process control engineer. He has participated in several industry initiatives involving the Center for Chemical Process Safety (CCPS), ISA 84 and ISA 99. He currently participates in ISA 84 technical report working groups and co-chairs WG9, which is responsible for TR84.00.09, Cybersecurity Related to the Safety Lifecycle; he also participates in a number of ISA 99 working groups and co-chairs WG7, which addresses the intersection of security and safety. During his career he has authored and co-authored a number of papers on aspects of risk assessment, including cybersecurity.