Cybersecurity: Making the Most of Regulatory Standards
June 16, 2022
What are the ISA/IEC 62443 standards? Can they help us? And how are they positioned in the fight against cyberattacks? These are the questions that were going through my mind when I started to write this blog.
Previously we recognized how the pandemic brought operational technology (OT) and information technology (IT) closer together, and discussed the inevitable increase in cyberattack risk that comes with it. We looked at ways to mitigate that risk by combating social engineering. With regulatory compliance being such an important aspect of the biopharmaceutical industry, I now want us to take a brief look at the ISA/IEC 62443 series of standards and see how it has become a best practice for understanding and mitigating cyber risk as OT and IT integrate.
International Electrotechnical Commission (IEC)[1]
The IEC is the world’s leading organization for the preparation and publication of international standards for all electrical, electronic, and related technologies, known collectively as “electrotechnology”.
International Society of Automation (ISA)[2]
The ISA99 committee, which develops the ISA/IEC 62443 series, addresses industrial automation and control systems whose compromise could result in any, or all, of the following situations:
- endangerment of public or employee safety
- loss of public confidence
- violation of regulatory requirements
- loss of proprietary or confidential information
- economic loss
- impact on national security
Regulatory Bodies and the Need to Build a Regulatory Program
In the life science industry specifically, there are organizations in place to regulate the development, production, and life cycle of products coming to market, to ensure our safety and the efficacy of the approved product.
One of the most obvious examples of a regulatory organization is the Food and Drug Administration (FDA). The FDA publishes guidance documents that lay out the requirements organizations must follow in order to meet current federal policy. In recent years, the FDA has recognized a series of consensus standards, such as those developed by the IEC, to help companies build their regulatory programs. These standards give teams a clear and defined ‘rule book’ to follow, whereas the guidance provided by the regulatory agencies themselves may be more generic.
It is essential for each manufacturer to build its own regulatory program within its facility, using the guidance of the relevant regulatory organizations. Creating a regulatory program doesn’t have to be unduly complex, but its content will be vast. The program should be built on specific regulatory references, such as FDA regulations and guidance, and identify those references as the standard it is held to; it should also define how the product will be manufactured and how it will be maintained after it reaches the market. In summary, a regulatory program sets out to define the life of the product from beginning to end while staying within the boundaries set by the identified agency. It exists to create a process that catches quality defects before release and, ultimately, prevents those defects from occurring in the first place.
Automation, IT, and 62443
In the biotech industry, many different groups and departments within a manufacturing company will ‘touch’ a product in some way before it leaves the facility. For the automation and IT groups in particular, it is essential to have the controls and security in place to meet federal requirements and provide assurance of the quality and integrity of what is being created.
Many automation and IT teams follow the ISA/IEC 62443 series of standards, which the FDA recognizes, to secure industrial automation and control systems (IACS) throughout their lifecycle. The series covers methods for mitigating cyberattacks, assessing a system’s current security risk, patch management, and much more. ISA/IEC 62443 lays out fundamental ways to assess risk and protect systems against security breaches.
Fully understanding risk and conducting effective risk assessments is one of the biggest challenges for automation and IT teams. By assessing a system’s security risk, these teams can unite to develop strategies that protect the identified risk areas and to prepare mitigation methods should an attack occur. A well-developed standard with a proven methodology that is accepted by a regulatory body plays an essential part in keeping the public safe, which is the primary goal of any regulatory organization.
Creating a robust regulatory program focused on cybersecurity, as automated equipment connects with the world of information technology, is a great task. It is a task made lighter by making the most of the ISA/IEC 62443 standards.
1. “Who we are”, International Electrotechnical Commission, iec.ch/who-we-are, accessed May 4, 2022.
2. “Standards and Publications”, International Society of Automation, isa.org/standards-and-publications, accessed May 4, 2022.
Kate Green, Automation Engineer, Research and Development