Here are the major OT security frameworks and standards:
International Standards
IEC 62443 (ISA/IEC 62443)
Comprehensive series of standards for industrial automation and control systems (IACS) security
Developed by the International Society of Automation (ISA) and International Electrotechnical Commission (IEC)
Covers the entire lifecycle: policies, procedures, system requirements, component requirements, and risk assessment
Organized into four categories: General, Policies & Procedures, System, and Component
Widely considered the gold standard for OT/ICS security
Provides security levels (SL 1-4) based on risk and threat sophistication
ISO/IEC 27001/27019
ISO 27001: Information security management systems (general)
ISO 27019: Extension specifically for process control systems in the energy utility industry
Provides controls and guidance for securing OT environments
North American Frameworks
NIST Cybersecurity Framework (CSF)
Five core functions: Identify, Protect, Detect, Respond, Recover
Not OT-specific but widely adapted for industrial environments
NIST CSF 2.0 includes better guidance for OT/ICS contexts
Voluntary framework that has become the de facto industry standard in many sectors
NIST SP 800-82
"Guide to Industrial Control Systems (ICS) Security"
Provides specific guidance for securing ICS/SCADA systems
Covers unique performance, reliability, and safety requirements of OT
Regularly updated with current threat landscape
NERC CIP (Critical Infrastructure Protection)
Mandatory standards for the North American bulk electric system
Enforceable requirements with penalties for non-compliance
Covers both physical security and cybersecurity of critical assets
Versions 1-13 address different aspects of electric grid security
Sector-Specific Standards
API 1164
American Petroleum Institute standard for pipeline SCADA security
Specific to oil and gas pipeline operations
TSA Security Directives
Transportation Security Administration requirements for rail, pipeline, and aviation OT security
Evolved significantly after Colonial Pipeline incident
FDA Cybersecurity Guidance
Specific to medical devices and healthcare delivery systems
Premarket and postmarket cybersecurity requirements
CFATS (Chemical Facility Anti-Terrorism Standards)
DHS requirements for high-risk chemical facilities
Includes cybersecurity components for process control systems
Industry Guidelines and Best Practices
CISA ICS Resources
Cybersecurity and Infrastructure Security Agency alerts, advisories, and guidelines
ICS-CERT advisories on vulnerabilities and incidents
Recommended practices and assessments
Center for Internet Security (CIS) Controls
CIS Critical Security Controls adapted for OT environments
Prioritized implementation guidelines
SANS ICS Security
Five Critical Controls for ICS/SCADA Security
Practical implementation guidance
NIST IR 8183 (Cybersecurity Framework Manufacturing Profile)
Tailored CSF implementation for manufacturing sector
Risk-based approach for factory floor security
International Regional Standards
NIS2 Directive (EU)
European Union directive on network and information systems security
Applies to critical infrastructure including OT environments
Mandatory for certain sectors and organization sizes
UK NCSC Guidance
National Cyber Security Centre OT security guidance
Operational technology security principles
ANSSI (France)
French cybersecurity agency guidance for industrial systems
Risk and Safety Standards
IEC 61508
Functional safety of electrical/electronic/programmable electronic safety-related systems
Foundation for many sector-specific safety standards
Important context for security implementations that must not compromise safety
IEC 61511
Functional safety for the process industry sector
Safety instrumented systems standards
Key Considerations When Choosing Frameworks
Regulatory requirements: Some industries have mandatory compliance (NERC CIP, TSA, FDA)
Industry alignment: Sector-specific standards often provide the most relevant guidance
Maturity level: IEC 62443's security levels help organizations progress incrementally
Integration: Many organizations use NIST CSF as the overarching framework, with IEC 62443 for technical implementation
Practicality: Balance comprehensive coverage against what the organization can realistically implement
Most mature OT security programs use a combination approach: typically NIST CSF or IEC 62443 as the foundation, supplemented with sector-specific requirements and best practices from CISA, SANS, and other industry resources.