Enterprise Integration Standards for OT Systems ( ACS + IT )

The following describes how Key Enterprise Integration and Cybersecurity Standards for ACS and IT may be combined for systems that require expertise from both Control Systems (ACS) and Information Technology (IT).

If risk to personnel, major equipment, and the public is assessed as significant, the “design and sign” team should be led by a qualified ACS engineer. The level of IT support required will be determined by Project and/or Facilities Management. This may range from supplying IT specifications to providing detailed IT involvement in design, implementation, and support. Similarly, if the level of risk does not warrant ongoing ACS involvement, an IT specialist may lead the project with only specifications provided by ACS.

These Standards are listed alphabetically, according to the Standards body responsible for writing and maintaining these standards.

For more a more detailed discussion of how to combine relevant ACS anf IT standards, see the Cybersecurity Master Planning Guide for your industry (e.g., chemical industry) and Principal Role (e.g., Owner/Operator or Vendor). Standards in the User Guides are organized according to the Discipline (Professional Role) responsible for implementing that standard.

• ISA-95 Enterprise IT to Control System Integration.
  • ISA-95 addresses the exchange of data between Control Systems and Manufacturing Execution Systems (MES). This presentation gives an introduction.
• ISA-99 committee creates and maintains IEC/ISA-62443.
  For OT systems (combining ACS and IT expertise and standards, the following parts of IEC/ISA 62443 must be paired with IT standards such as ISO 27000 series, that may be complementary or even contradictary.

• 62443-2-1: Security program requirements for asset owners.
  
• 62443-3-2: Security risk assessment for system design
  
• 62443-3-3: System security requirements and security levels
  
• 62443-4-1: Secure product development lifecycle requirements
  

Note that while several manually-prepared "standards comparison tables", ISA consider that these "derivative documents" infringe on their copyrights. Although ISA is considering publishing their own comparison tables, this could take considerable time.

• ISO TC184 SC5 WG1 Enterprise Modelling and Architecture
• Supported by NIST (US National Institute of Standards & Technology)
• Coordinated with CEN TC310 WG1 (see above) under the "Brussels Agreement"
• ISO 15704 Enterprise Modelling and Architecture
  Requirements for enterprise-referencing architecture and methodologies.  This document includes and updates certain PERA concepts.
• ISO 15926 Defines an Enterprise Life Cycle Data Exchange standard which is coordinated with ISO 14224 in the Reference Domain, and ISO 18435 & 13374 in the Execution Environment.
• ISO 27000 consists of 14 parts. However the following have requirements that will require decisions to reconcile with IEC/ISA 62443 and ISA 95:
• ISO/IEC 27001 – Foundation for an Information Security Management System (ISMS).
  
• ISO/IEC 27002 – Best practices for selecting and implementing security controls.
  
• ISO/IEC 27017 – Security best practices for cloud computing environments.
  
• ISO/IEC 27032 – Cybersecurity guidance for securing networks and critical infrastructure
  
• ISO/IEC 27035-1 – A framework for managing cybersecurity incidents.
  
• ISO 55000 (Asset Management Systems) and ISA 108 (Configuration Management for Industrial Sensors and networks) both specify requirements for Assett Management of ACS devices and systems. These must be reconciled to implement a single system, or a decision taken to implement two different systems.
  • ISO 55000 provides an overview of asset management and asset management systems
  • ISO 55001 specifies requirements for an asset management system
  • ISO 55003 defines sector-specific, asset-specific or activity-specific technical requirements for an asset management system

MIMOSA - Machinery Information Management Open Systems Alliance
MIMOSA is a non-profit industry association, focused on enabling solutions leveraging supplier neutral, open standards, to establish an interoperable industrial ecosystem for Commercial Off The Shelf (COTS) solutions. It must be agreed whether MIMOSA standards should be implemented in both ACS and IT systems.

NIST Cybersecurity Framework
is a set of voluntary guidelines designed to help government organizations assess and improve their ability to prevent, detect, and respond to cybersecurity risks for critical infrastructure sectors. It has also been adopted across various private industries. While NIST is generally compatible with ISO 27000 series, some recommendations are potentially in conflict with ACS cybersecurity standards such as IEC/ISA 62443.