IT systems and IACS have different security priorities, requirements, and challenges. According to the ISA/IEC 62443 standards, the security priority for IT systems is confidentiality, which means protecting the data from unauthorized access or disclosure. The security priority for IACS is integrity, which means ensuring the accuracy and consistency of the data and the functionality of the system. A loss of integrity in an IACS can have severe consequences, such as physical damage, environmental harm, or human injury. Therefore, IACS cybersecurity must address safety issues, which are not typically considered in IT security.
Safety is the ability of the system to prevent or mitigate hazardous events that can cause harm to people, property, or the environment. The ISA/IEC 62443 standards provide guidance and best practices for ensuring the safety and security of IACS, as well as the availability and reliability of the system. Availability is the ability of the system to perform its intended function when required, and reliability is the ability of the system to perform its intended function without failure.
These properties are also important for IT systems, but they may have different trade-offs and implications for IACS. For example, an IACS may have stricter performance and availability requirements than an IT system, as a delay or disruption in the IACS operation can affect the industrial process and its outcomes. Additionally, an IACS may have longer equipment lifetimes and less frequent maintenance windows than an IT system, which can make patching and updating more difficult and risky. Furthermore, an IACS may use different technologies and architectures than an IT system, such as legacy devices, proprietary protocols, or specialized hardware. These factors can create compatibility and interoperability issues, as well as increase the attack surface and complexity of the IACS.
Therefore, IT security solutions and practices may not be sufficient or suitable for IACS, and they may need to be adapted or supplemented by IACS-specific security measures. The ISA/IEC 62443 standards address these differences and provide a comprehensive framework for securing IACS throughout their lifecycle.
The key differences between IT (Information Technology) systems and IACS (Industrial Automation and Control Systems) are centered on their primary security objectives and operational requirements:
Option A: The IACS security priority is integrity. This is crucial because any unauthorized modification of data or commands can lead to severe operational disruptions and safety hazards.
Option C: IACS cybersecurity must address safety issues. Safety is a primary concern in IACS environments where process disruptions or malfunctions can result in harm to human operators or damage to equipment.
The primary security priority in traditional IT systems is often confidentiality, not availability as stated in Option B, and routers are commonly used in IACS networks, contrary to Option D.