Executive Summary
The ISA/IEC 62443 series of standards provides a comprehensive framework for securing Industrial Automation and Control Systems (IACS). As chemical plants integrate advanced technologies like machine learning-based control, ensuring these systems meet cybersecurity requirements is essential.
This document describes how Acaysia's design, development, and deployment practices align with ISA/IEC 62443 requirements, helping asset owners maintain security posture while gaining operational benefits.
Understanding ISA/IEC 62443
ISA/IEC 62443 is organized into four series addressing different stakeholders:
| Series | Focus | Primary Audience |
|---|---|---|
| 62443-1-x | General concepts, models, terminology | All stakeholders |
| 62443-2-x | Policies and procedures | Asset owners, operators |
| 62443-3-x | System security requirements | System integrators |
| 62443-4-x | Component security requirements | Product suppliers |
Security Levels
ISA/IEC 62443 defines four Security Levels (SL) based on the sophistication, resources and motivation of the threat a zone or system is expected to withstand:
- SL 1: Protection against casual or coincidental violation
- SL 2: Protection against intentional violation using simple means
- SL 3: Protection against sophisticated attack with moderate resources
- SL 4: Protection against state-sponsored attack with extensive resources
Acaysia is designed to support deployments up to SL 3, with customer-specific hardening available for SL 4 requirements.
62443-4-1: Secure Product Development Lifecycle
This standard specifies requirements for secure development of products used in IACS. Acaysia's development practices address all requirement areas:
Security Management (SM)
- Dedicated security team with defined responsibilities
- Security requirements tracked throughout development
- Regular security training for all developers
- Third-party penetration testing annually
Security Requirements Specification (SR)
- Threat modeling performed for all new features
- Security requirements derived from threat analysis
- Customer security requirements incorporated
- Security acceptance criteria defined for each release
Secure by Design (SD)
- Defense-in-depth architecture
- Principle of least privilege throughout
- Secure defaults in all configurations
- Attack surface minimization
Secure Implementation (SI)
- Secure coding standards enforced via automation
- Static analysis in CI/CD pipeline
- Mandatory code review for all changes
- Dependency scanning and management
Security Verification & Validation (SVV)
- Automated security testing in CI/CD
- Dynamic application security testing (DAST)
- Fuzz testing of all external interfaces
- Penetration testing before major releases
Defect Management (DM)
- Vulnerability disclosure program
- CVE tracking and response procedures
- Security patch SLAs: Critical (24h), High (7d), Medium (30d)
- Customer notification process for security issues
Patch Management (PM)
- Regular security update releases
- Backward compatibility maintained where possible
- Clear documentation for all security updates
- Support for customer testing before deployment
Security Guidelines Documentation (SG)
- Hardening guide for secure deployment
- Security architecture documentation
- Integration guidelines for secure configuration
- Incident response procedures
62443-4-2: Component Security Requirements
This standard specifies technical security requirements for IACS components. Here's how Acaysia addresses each Foundational Requirement (FR):
FR 1: Identification and Authentication Control
| Requirement | Acaysia Implementation |
|---|---|
| Human user identification | Unique user accounts with strong password requirements |
| Software process identification | API keys and certificates for machine-to-machine auth |
| Device identification | Hardware-based device identity with TPM support |
| Multi-factor authentication | MFA required for administrative access |
FR 2: Use Control
| Requirement | Acaysia Implementation |
|---|---|
| Authorization enforcement | Role-based access control (RBAC) with fine-grained permissions |
| Wireless use control | No wireless interfaces on edge devices |
| Portable device control | USB ports disabled by default |
| Session lock | Automatic session timeout, manual lock capability |
FR 3: System Integrity
| Requirement | Acaysia Implementation |
|---|---|
| Communication integrity | TLS 1.3 for all network communications |
| Malware protection | Read-only root filesystem, application allowlisting |
| Security functionality verification | Boot-time integrity verification |
| Software update authenticity | Signed updates with cryptographic verification |
FR 4: Data Confidentiality
| Requirement | Acaysia Implementation |
|---|---|
| Information confidentiality | AES-256 encryption for data at rest |
| Cryptography usage | NIST-approved algorithms, HSM for key storage |
| Communication confidentiality | TLS 1.3 encryption for data in transit |
FR 5: Restricted Data Flow
| Requirement | Acaysia Implementation |
|---|---|
| Network segmentation | Supports deployment in DMZ architecture |
| Zone boundary protection | Minimal required ports, configurable firewall rules |
| Control of portable media | Removable media disabled by default |
FR 6: Timely Response to Events
| Requirement | Acaysia Implementation |
|---|---|
| Audit log accessibility | Syslog export, API access to audit data |
| Continuous monitoring | Real-time security event monitoring |
| Audit log retention | Configurable retention, export to external systems |
FR 7: Resource Availability
| Requirement | Acaysia Implementation |
|---|---|
| Denial of service protection | Rate limiting, resource quotas |
| Resource management | Process isolation, memory limits |
| System backup | Automated configuration backup |
| Emergency power | Graceful shutdown on power loss |
Network Architecture Recommendations
Acaysia is designed to integrate into defense-in-depth network architectures compliant with ISA/IEC 62443-3-3.
Recommended Deployment Architecture
```
┌──────────────────────────────────────────────────┐
│ ENTERPRISE ZONE (Level 4-5)                      │
│   ┌──────────────┐                               │
│   │ Acaysia Cloud│ ◄─── HTTPS (TLS 1.3)          │
│   │ (Analytics)  │                               │
│   └──────────────┘                               │
└────────────────────────┬─────────────────────────┘
                         │
               ┌─────────┴─────────┐
               │   FIREWALL/DMZ    │
               └─────────┬─────────┘
                         │
┌────────────────────────┴─────────────────────────┐
│ OPERATIONS ZONE (Level 3)                        │
│   ┌──────────────┐      ┌──────────────┐         │
│   │ HMI/         │      │ Acaysia      │         │
│   │ SCADA        │◄────►│ Edge Device  │         │
│   └──────────────┘      └──────────────┘         │
└────────────────────────┬─────────────────────────┘
                         │
               ┌─────────┴─────────┐
               │     FIREWALL      │
               └─────────┬─────────┘
                         │
┌────────────────────────┴─────────────────────────┐
│ CONTROL ZONE (Level 1-2)                         │
│   ┌──────────────┐      ┌──────────────┐         │
│   │ PLC          │◄────►│ I/O &        │         │
│   │              │      │ Sensors      │         │
│   └──────────────┘      └──────────────┘         │
└──────────────────────────────────────────────────┘
```
Network Requirements
| Connection | Protocol | Port | Direction |
|---|---|---|---|
| Edge to PLC | OPC UA / EtherNet/IP | 4840 / 44818 | Outbound from Edge |
| Edge to Cloud | HTTPS | 443 | Outbound from Edge |
| Dashboard access | HTTPS | 443 | Inbound to Edge |
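The flow table above is also the concrete content behind FR 5 ("minimal required ports, configurable firewall rules"). As an added example, not code from Acaysia or this document, the script below turns the four documented rows into a default-deny policy and uses it two ways: it audits constructed connection-initiation records for flows that are undocumented, initiated from the wrong side, or involve a host not in inventory, and it renders an nftables host firewall for the edge device that opens only the documented ports. The role names, IP addresses (private and documentation ranges), the `acaysia_edge` table name and the sample log lines are assumptions made for the illustration.

```python
"""Zone-boundary flow check for the documented Acaysia network requirements.

Added example, not Acaysia's own code. ALLOWED_FLOWS is transcribed from the
Network Requirements table above; the role names, IP addresses, table name
and sample flow records are constructed for this illustration.
"""
from collections import defaultdict, namedtuple

# One entry per table row: (initiating role, receiving role, protocol, port).
# "Outbound from Edge" puts edge as initiator; "Inbound to Edge" as receiver.
ALLOWED_FLOWS = {
    ("edge", "plc", "tcp", 4840),      # Edge -> PLC, OPC UA
    ("edge", "plc", "tcp", 44818),     # Edge -> PLC, EtherNet/IP
    ("edge", "cloud", "tcp", 443),     # Edge -> Acaysia Cloud, HTTPS
    ("operator", "edge", "tcp", 443),  # Dashboard user -> Edge, HTTPS
}
# Constructed inventory: address -> role (private and documentation ranges).
INVENTORY = {"10.30.0.10": "edge", "10.10.0.5": "plc",
             "203.0.113.20": "cloud", "10.30.0.50": "operator"}

# A connection-initiation record: who opened the connection, to whom, on which port.
Flow = namedtuple("Flow", "src dst proto dport")

def role(ip):
    return INVENTORY.get(ip, "unknown")

def evaluate(flow):
    """Return 'allow' if the flow matches a documented row, else a deny reason."""
    key = (role(flow.src), role(flow.dst), flow.proto.lower(), flow.dport)
    if key in ALLOWED_FLOWS:
        return "allow"
    if "unknown" in key[:2]:
        return "deny: host not in inventory"
    # Same endpoints and port but opened from the wrong side (e.g. the PLC
    # connecting to the edge device on 4840) is a direction violation.
    if (key[1], key[0], key[2], key[3]) in ALLOWED_FLOWS:
        return "deny: wrong direction"
    return "deny: undocumented flow"

def parse_flow_line(line):
    """Parse a constructed log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))

def audit(log_text):
    """Evaluate every non-empty line; returns [(Flow, verdict), ...]."""
    flows = [parse_flow_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return [(f, evaluate(f)) for f in flows]

def edge_ruleset():
    """Render a default-deny nftables host firewall for the edge device.

    Only documented flows get a 'ct state new' accept rule; reply traffic is
    admitted through conntrack, so no extra ports are opened for responses.
    """
    by_role = defaultdict(list)
    for ip, r in INVENTORY.items():
        by_role[r].append(ip)
    inbound, outbound = [], []
    for src_role, dst_role, proto, port in sorted(ALLOWED_FLOWS):
        if dst_role == "edge":
            inbound += [f"        ip saddr {ip} {proto} dport {port} ct state new accept"
                        for ip in sorted(by_role[src_role])]
        elif src_role == "edge":
            outbound += [f"        ip daddr {ip} {proto} dport {port} ct state new accept"
                         for ip in sorted(by_role[dst_role])]
    return "\n".join([
        "table inet acaysia_edge {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
        *inbound,
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        "        oif lo accept",
        "        ct state established,related accept",
        *outbound,
        "    }",
        "}",
    ])

# Constructed connection-initiation records: src dst proto dport.
SAMPLE_LOG = """\
10.30.0.10 10.10.0.5 tcp 4840
10.30.0.10 203.0.113.20 tcp 443
10.30.0.50 10.30.0.10 tcp 443
10.10.0.5 10.30.0.10 tcp 4840
10.30.0.10 10.10.0.5 tcp 22
192.168.99.9 10.30.0.10 tcp 443
"""

if __name__ == "__main__":
    for f, verdict in audit(SAMPLE_LOG):
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {verdict}")
    print(edge_ruleset())
```

Two design points matter in practice. The records must be connection initiations (a firewall's "new connection" log, not raw packet captures), otherwise reply packets from the PLC would be misread as the PLC initiating toward the edge. And the rendered ruleset deliberately encodes direction: the PLC ports appear only in the output chain and the dashboard port only in the input chain, so a PLC opening a connection to the edge device, or the edge exposing 4840 itself, is dropped by policy rather than by an extra rule someone has to remember to add.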
Compliance Documentation
Acaysia provides documentation to support customer compliance efforts:
Available Documents
- Security Hardening Guide: Step-by-step secure configuration
- Architecture Document: Security architecture and data flows
- Penetration Test Summary: Results from third-party testing
- Vulnerability Disclosure Policy: Process for reporting issues
- Incident Response Plan: Procedures for security events
- Third-Party Component List: Dependencies and versions (SBOM)
Compliance Support
Our team can assist with:
- Security assessments during pre-deployment
- Integration with existing security infrastructure
- Custom hardening for specific requirements
- Audit preparation and documentation
- Incident response coordination
Ongoing Security
Compliance is not a one-time achievement but an ongoing process. Acaysia supports continuous security through:
Regular Updates
- Monthly security patches for non-critical issues
- Emergency patches for critical vulnerabilities
- Quarterly feature releases with security improvements
- Annual major version updates
Monitoring and Response
- 24/7 security monitoring of Acaysia infrastructure
- Threat intelligence integration
- Coordinated vulnerability disclosure
- Customer notification within 24 hours of confirmed vulnerabilities
Customer Responsibilities
Asset owners should maintain:
- Timely application of security patches
- Network segmentation as recommended
- User account management (provisioning/deprovisioning)
- Monitoring of security logs and alerts
- Regular backup of configuration
Conclusion
Acaysia is designed and developed with industrial cybersecurity as a core requirement, not an afterthought. Our alignment with ISA/IEC 62443 demonstrates commitment to:
- Secure product development practices
- Technical security controls appropriate for industrial environments
- Support for customer compliance requirements
- Ongoing security maintenance and improvement
We partner with customers to ensure that the benefits of advanced process control are achieved without compromising cybersecurity posture.