Frameworks - Which one to choose?
Many cybersecurity frameworks serve the same purpose: giving you guidelines to secure your environment.
There are a lot of similarities between the different frameworks. Actually, there are more similarities than there are differences. However, the details make one standard more suitable for your organisation than another.
In this blog post, we will give a top level view on the differences and help you select the framework best suited to your needs.
Overview
The standards and frameworks that we will compare in this article are:
ISA/IEC 62443
ISO 27001
NIST 800-53 rev. 5
Sources
https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
https://www.iso.org/isoiec-27001-information-security.html
https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/
Frameworks
ISA/IEC 62443
The ISA/IEC 62443 series of standards is developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC). The main focus of this workgroup is to provide a flexible cybersecurity framework for existing and new industrial automation and control systems (IACS). Within this workgroup, there are a lot of automation experts from around the globe who offer their knowledge to address and mitigate security issues and vulnerabilities (yours truly being one of them).
The framework focuses on four main domains:
General: The focus here is on the corporate level, handling the concepts, system conformance metrics, security lifecycle and the master glossary and abbreviations. Responsibility here lies with the asset owner.
Policies & procedures: Policies and procedures handle the security program requirements and the protection levels. You can find guidance for asset owners, patch management and requirements for IACS service providers. This domain also falls under the responsibility of the asset owner.
System: Security technologies for IACS, security risk assessment and system design, system security requirements and security levels. Based on the expectations of the asset owner, these elements fall under the responsibility of the system integrator.
Component: Requirements for the secure development and the technical security elements of IACS components. This area falls under the responsibility of the supplier of IACS components.
As you can see, the main focus here is IACS systems and not so much the IT components. The reason is that IT security frameworks are focused on the CIA triad (Confidentiality, Integrity and Availability), whereas in IACS environments physical safety precedes confidentiality.
Imagine an operator who can't close or open a valve in a critical scenario because he entered the wrong password...
However, ISA/IEC 62443 doesn't shy away from other frameworks, as it recognises that they have their added value in securing the entire environment (with the side note that they can't interfere with physical security risks).
ISO 27001
Maybe the best-known standard in this list is ISO 27001. It is centred on the principle of Confidentiality, Integrity and Availability (CIA) of information. And here we find a crucial difference with the ISA/IEC 62443 standard: ISO puts confidentiality more in the forefront, whereas the IEC standard focuses more on safety than on data and confidentiality.
Sure, both are present in both standards, but the difference is the main focus.
ISO 27001 focuses on 14 main domains:
Information Security Policies
Access Controls
Communications Security
Business Continuity management
Compliance
System Acquisition & Development
Cryptography
The organisation of information security
Human Resources Security
Physical and environmental security
Supplier relationship
Operations Security
Incident Management
Asset Management
Areas with significant differences compared to ISA/IEC 62443 can be found in the definition and identification of the business environment:
Business Environment (ID.BE): The organisation’s mission, objectives, stakeholders, and activities are understood and prioritised; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
NIST SP 800-53 rev.5
The NIST SP 800-53 framework offers more than 1100 (1189 as of revision 5) controls to assess the security of your environment.
But NIST SP 800-53 is more than just a checklist of security and privacy controls: it is a guideline for checking the security controls you have implemented and evaluating their effectiveness.
The five areas that the NIST Framework focuses on are:
Identify
Protect
Detect
Respond
Recover
These areas make the NIST Cybersecurity Framework easy to understand.
There are more controls in the NIST framework than you can find in ISO 27001.
Check the mapping of NIST against ISO, which can be found on the NIST website: https://csrc.nist.gov/CSRC/media/Publications/sp/800-53/rev-5/final/documents/sp800-53r5-to-iso-27001-mapping.docx
Conclusion
If your organisation is an "industrial" player and you have OT technologies like PLCs, SCADA, and the like, then I would recommend ISA/IEC 62443.
If you are in an activity domain where official certification (ISO 9001, ISO 27001, ...) is required, go for ISO 27001. Are your activities not industry related, and are you not required to follow an official certification? Then I would advise using the NIST SP 800-53 rev. 5 framework.
Still not sure? If you would like someone independent to look at your environment and the policies, procedures and architectures in place, reach out and have a look at https://www.walnut-tree-consulting.com