NIST CSF to ISA/IEC 62443 Mappings
NIST's Cybersecurity Framework v1.1 (CSF) was developed to help organizations begin or develop their cybersecurity programme. The table below details mappings from NIST CSF outcomes to ISA/IEC 62443, with additional data from Ofgem. The ISA/IEC 62443 set of standards outlines best practices for organisations to secure industrial automation and control systems (IACS) against cyber threats. IEC 62443-2-1 covers how to establish an effective cyber security management system (CSMS); its clauses are numbered 4.x.x.x below. IEC 62443-3-3 outlines specific system security requirements (SRs) and security levels; its requirements are numbered SR x.y below. To see more detailed information and additional mappings, click through to individual outcomes.
CSF ID | CSF Description | 62443-2-1 | 62443-3-3 |
---|---|---|---|
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | 4.4.3.3: Establish triggers to evaluate CSMS | |
DE.AE-2 | Detected events are analyzed to understand attack targets and methods | 4.3.4.5.6: Identify and respond to incidents; 4.3.4.5.7: Identify failed and successful cyber security breaches; 4.3.4.5.8: Document the details of incidents | SR 2.10: Response to audit processing failures; SR 2.11: Timestamps; SR 2.12: Non-repudiation; SR 2.8: Auditable events; SR 2.9: Audit storage capacity; SR 3.9: Protection of audit information; SR 6.1: Audit log accessibility; SR 6.2: Continuous monitoring |
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors | | SR 6.1: Audit log accessibility |
DE.AE-4 | Impact of events is determined | | |
DE.AE-5 | Incident alert thresholds are established | 4.2.3.10: Identify the reassessment frequency and triggering criteria | |
DE.CM-1 | The network is monitored to detect potential cybersecurity events | | SR 6.2: Continuous monitoring |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | 4.3.3.3.8: Establish procedures for monitoring and alarming | |
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | | SR 6.2: Continuous monitoring |
DE.CM-4 | Malicious code is detected | 4.3.4.3.8: Establish and document antivirus/malware management procedure | SR 3.2: Malicious code protection |
DE.CM-5 | Unauthorized mobile code is detected | | SR 2.4: Mobile code |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | | |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | | |
DE.CM-8 | Vulnerability scans are performed | 4.2.3.1: Select a risk assessment methodology; 4.2.3.7: Perform a detailed vulnerability assessment | |
DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | 4.4.3.1: Assign an organization to manage and implement changes to the CSMS | |
DE.DP-2 | Detection activities comply with all applicable requirements | 4.4.3.2: Evaluate the CSMS periodically | |
DE.DP-3 | Detection processes are tested | 4.4.3.2: Evaluate the CSMS periodically | SR 3.3: Security functionality verification |
DE.DP-4 | Event detection information is communicated | 4.3.4.5.9: Communicate the incident details | SR 6.1: Audit log accessibility |
DE.DP-5 | Detection processes are continuously improved | 4.4.3.4: Identify and implement corrective and preventive actions | |
ID.AM-1 | Physical devices and systems within the organization are inventoried | 4.2.3.4: Identify the industrial automation and control systems | SR 7.8: Control system component inventory |
ID.AM-2 | Software platforms and applications within the organization are inventoried | 4.2.3.4: Identify the industrial automation and control systems | SR 7.8: Control system component inventory |
ID.AM-3 | Organizational communication and data flows are mapped | 4.2.3.4: Identify the industrial automation and control systems | |
ID.AM-4 | External information systems are catalogued | | |
ID.AM-5 | Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | 4.2.3.6: Prioritise systems | |
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | 4.3.2.3.3: Define the organisational responsibilities | |
ID.BE-1 | The organization's role in the supply chain is identified and communicated | | |
ID.BE-2 | The organization's place in critical infrastructure and its industry sector is identified and communicated | | |
ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | 4.2.3.6: Prioritise systems | |
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | | |
ID.BE-5 | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | | |
ID.GV-1 | Organizational cybersecurity policy is established and communicated | | |
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | 4.3.2.3.3: Define the organisational responsibilities | |
ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | 4.4.3.7: Monitor and evaluate applicable legislation relevant to cyber security | |
ID.GV-4 | Governance and risk management processes address cybersecurity risks | 4.2.3.11: Integrate physical, HSE and cyber security risk assessments; 4.2.3.1: Select a risk assessment methodology; 4.2.3.3: Conduct a high-level risk assessment; 4.2.3.8: Identify a detailed risk assessment methodology; 4.2.3.9: Conduct a detailed risk assessment; 4.3.2.4.3: Provide training for support personnel; 4.3.2.6.3: Maintain consistency between risk management systems | |
ID.RA-1 | Asset vulnerabilities are identified and documented | 4.2.3.12: Conduct risk assessments throughout the lifecycle of the IACS; 4.2.3.7: Perform a detailed vulnerability assessment; 4.2.3.9: Conduct a detailed risk assessment | |
ID.RA-2 | Cyber threat intelligence is received from information sharing forums and sources | 4.2.3.12: Conduct risk assessments throughout the lifecycle of the IACS; 4.2.3.9: Conduct a detailed risk assessment | |
ID.RA-3 | Threats, both internal and external, are identified and documented | 4.2.3.12: Conduct risk assessments throughout the lifecycle of the IACS; 4.2.3.9: Conduct a detailed risk assessment | |
ID.RA-4 | Potential business impacts and likelihoods are identified | 4.2.3.12: Conduct risk assessments throughout the lifecycle of the IACS; 4.2.3.9: Conduct a detailed risk assessment | |
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | | |
ID.RA-6 | Risk responses are identified and prioritized | | |
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | | |
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | 4.3.2.6.5: Determine the organisation's tolerance for risk | |
ID.RM-3 | The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | | |
ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | | |
ID.SC-2 | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | 4.2.3.10: Identify the reassessment frequency and triggering criteria; 4.2.3.12: Conduct risk assessments throughout the lifecycle of the IACS; 4.2.3.13: Document the risk assessment; 4.2.3.14: Maintain vulnerability assessment records; 4.2.3.1: Select a risk assessment methodology; 4.2.3.2: Provide risk assessment background information; 4.2.3.3: Conduct a high-level risk assessment; 4.2.3.4: Identify the industrial automation and control systems; 4.2.3.6: Prioritise systems; 4.2.3.8: Identify a detailed risk assessment methodology; 4.2.3.9: Conduct a detailed risk assessment | |
ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan | 4.3.2.6.4: Define cyber security policies and procedure compliance requirements; 4.3.2.6.7: Review and update the cyber security policies and procedures | |
ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | 4.3.2.6.7: Review and update the cyber security policies and procedures | SR 6.1: Audit log accessibility |
ID.SC-5 | Response and recovery planning and testing are conducted with suppliers and third-party providers | 4.3.2.5.7: Test and update the business continuity plan; 4.3.4.5.11: Conduct drills | SR 2.8: Auditable events; SR 3.3: Security functionality verification; SR 7.3: Control system backup; SR 7.4: Control system recovery and reconstitution |
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 4.3.3.5.1: Access accounts implement authorization security policy | SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.3: Account management; SR 1.4: Identifier management; SR 1.5: Authenticator management; SR 1.7: Strength of password-based authentication; SR 1.8: Public key infrastructure (PKI) certificates; SR 1.9: Strength of public key authentication |
PR.AC-2 | Physical access to assets is managed and protected | 4.3.3.3.2: Establish physical security perimeters; 4.3.3.3.8: Establish procedures for monitoring and alarming | |
PR.AC-3 | Remote access is managed | 4.3.3.6.6: Develop a policy for remote login and connections | SR 1.13: Access via untrusted networks; SR 2.6: Remote session termination |
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 4.3.3.7.3: Control access to information or systems via role-based access accounts | SR 2.1: Authorization enforcement |
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) | | SR 3.1: Communication integrity; SR 3.8: Session integrity |
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions | 4.3.3.2.2: Screen personnel initially; 4.3.3.5.2: Identify individuals; 4.3.3.7.2: Establish appropriate logical and physical permission methods to access IACS devices; 4.3.3.7.4: Employ multiple authorization methods for critical IACS | SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.4: Identifier management; SR 1.5: Authenticator management; SR 1.9: Strength of public key authentication; SR 2.1: Authorization enforcement |
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 4.3.3.6.1: Develop an authentication strategy; 4.3.3.6.2: Authenticate all users before system use; 4.3.3.6.3: Require strong authentication methods for system administration and application configuration; 4.3.3.6.4: Log and review all access attempts to critical systems; 4.3.3.6.5: Authenticate all remote users at the appropriate level; 4.3.3.6.6: Develop a policy for remote login and connections; 4.3.3.6.7: Disable access account after failed remote login attempts; 4.3.3.6.8: Require re-authentication after remote system inactivity; 4.3.3.6.9: Employ authentication for task-to-task communication | SR 1.10: Authenticator feedback; SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.5: Authenticator management; SR 1.7: Strength of password-based authentication; SR 1.8: Public key infrastructure (PKI) certificates; SR 1.9: Strength of public key authentication |
PR.AT-1 | All users are informed and trained | 4.3.2.4.2: Provide procedure and facility training | |
PR.AT-2 | Privileged users understand their roles and responsibilities | 4.3.2.4.2: Provide procedure and facility training; 4.3.2.4.3: Provide training for support personnel | |
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | 4.3.2.4.2: Provide procedure and facility training | |
PR.AT-4 | Senior executives understand their roles and responsibilities | 4.3.2.4.2: Provide procedure and facility training | |
PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities | 4.3.2.4.2: Provide procedure and facility training | |
PR.DS-1 | Data-at-rest is protected | | SR 3.4: Software and information integrity; SR 4.1: Information confidentiality |
PR.DS-2 | Data-in-transit is protected | | SR 3.1: Communication integrity; SR 3.8: Session integrity; SR 4.1: Information confidentiality; SR 4.2: Information persistence |
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | 4.3.3.3.9: Establish procedures for the addition, removal, and disposal of assets; 4.3.4.4.1: Develop lifecycle management processes for IACS information | SR 4.2: Information persistence |
PR.DS-4 | Adequate capacity to ensure availability is maintained | | SR 7.1: Denial of service protection; SR 7.2: Resource management |
PR.DS-5 | Protections against data leaks are implemented | | SR 5.2: Zone boundary protection |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | | SR 3.1: Communication integrity; SR 3.3: Security functionality verification; SR 3.4: Software and information integrity; SR 3.8: Session integrity |
PR.DS-7 | The development and testing environment(s) are separate from the production environment | | |
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity | 4.3.4.4.4: Ensure appropriate records control | |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 4.3.4.3.2: Develop and implement a change management system; 4.3.4.3.3: Assess all the risks of changing the IACS | SR 7.6: Network and security configuration settings |
PR.IP-10 | Response and recovery plans are tested | 4.3.2.5.7: Test and update the business continuity plan; 4.3.4.5.11: Conduct drills | SR 3.3: Security functionality verification |
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | 4.3.3.2.1: Personnel security; 4.3.3.2.2: Screen personnel initially; 4.3.3.2.3: Screen personnel on an ongoing basis | |
PR.IP-12 | A vulnerability management plan is developed and implemented | | |
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | 4.3.4.3.3: Assess all the risks of changing the IACS | |
PR.IP-3 | Configuration change control processes are in place | 4.3.4.3.2: Develop and implement a change management system; 4.3.4.3.3: Assess all the risks of changing the IACS | SR 7.6: Network and security configuration settings |
PR.IP-4 | Backups of information are conducted, maintained, and tested | 4.3.4.3.9: Establish backup and restoration procedure | SR 7.3: Control system backup; SR 7.4: Control system recovery and reconstitution |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | 4.3.3.3.1: Establish complementary physical and cyber security policies; 4.3.3.3.2: Establish physical security perimeters; 4.3.3.3.3: Provide entry controls; 4.3.3.3.5: Require employees to follow security procedures; 4.3.3.3.6: Protect connections | |
PR.IP-6 | Data is destroyed according to policy | 4.3.4.4.4: Ensure appropriate records control | SR 4.2: Information persistence |
PR.IP-7 | Protection processes are improved | 4.4.3.1: Assign an organization to manage and implement changes to the CSMS; 4.4.3.2: Evaluate the CSMS periodically; 4.4.3.3: Establish triggers to evaluate CSMS; 4.4.3.4: Identify and implement corrective and preventive actions; 4.4.3.5: Review risk tolerance; 4.4.3.6: Monitor and evaluate industry CSMS strategies; 4.4.3.7: Monitor and evaluate applicable legislation relevant to cyber security; 4.4.3.8: Request and report employee feedback on security suggestions | |
PR.IP-8 | Effectiveness of protection technologies is shared | | |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 4.3.2.5.3: Develop and implement business continuity plans; 4.3.4.5.1: Implement an incident response plan | |
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | 4.3.3.3.7: Maintain equipment assets | |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | 4.3.3.6.5: Authenticate all remote users at the appropriate level; 4.3.3.6.6: Develop a policy for remote login and connections; 4.3.3.6.7: Disable access account after failed remote login attempts; 4.3.3.6.8: Require re-authentication after remote system inactivity | |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 4.3.3.3.9: Establish procedures for the addition, removal, and disposal of assets; 4.3.3.5.8: Audit account administration; 4.3.4.4.7: Audit the information and document management process; 4.4.2.1: Specify the methodology of the audit process; 4.4.2.2: Conduct periodic IACS audits; 4.4.2.4: Establish a document audit trail | SR 2.10: Response to audit processing failures; SR 2.11: Timestamps; SR 2.12: Non-repudiation; SR 2.8: Auditable events; SR 2.9: Audit storage capacity |
PR.PT-2 | Removable media is protected and its use restricted according to policy | | SR 2.3: Use control for portable and mobile devices |
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 4.3.3.5.1: Access accounts implement authorization security policy; 4.3.3.5.2: Identify individuals; 4.3.3.5.3: Authorize account access; 4.3.3.5.4: Record access accounts; 4.3.3.5.5: Suspend or remove unneeded accounts; 4.3.3.5.6: Review account permissions; 4.3.3.5.7: Change default passwords; 4.3.3.5.8: Audit account administration; 4.3.3.6.1: Develop an authentication strategy; 4.3.3.6.2: Authenticate all users before system use; 4.3.3.6.3: Require strong authentication methods for system administration and application configuration; 4.3.3.6.4: Log and review all access attempts to critical systems; 4.3.3.6.5: Authenticate all remote users at the appropriate level; 4.3.3.6.6: Develop a policy for remote login and connections; 4.3.3.6.7: Disable access account after failed remote login attempts; 4.3.3.6.8: Require re-authentication after remote system inactivity; 4.3.3.6.9: Employ authentication for task-to-task communication; 4.3.3.7.1: Define an authorization security policy; 4.3.3.7.2: Establish appropriate logical and physical permission methods to access IACS devices; 4.3.3.7.3: Control access to information or systems via role-based access accounts; 4.3.3.7.4: Employ multiple authorization methods for critical IACS | SR 1.10: Authenticator feedback; SR 1.11: Unsuccessful login attempts; SR 1.12: System use notification; SR 1.13: Access via untrusted networks; SR 1.1: Human user identification and authentication; SR 1.2: Software process and device identification and authentication; SR 1.3: Account management; SR 1.4: Identifier management; SR 1.5: Authenticator management; SR 1.6: Wireless access management; SR 1.7: Strength of password-based authentication; SR 1.8: Public key infrastructure (PKI) certificates; SR 1.9: Strength of public key authentication; SR 2.1: Authorization enforcement; SR 2.2: Wireless use control; SR 2.3: Use control for portable and mobile devices; SR 2.4: Mobile code; SR 2.5: Session lock; SR 2.6: Remote session termination; SR 2.7: Concurrent session control |
PR.PT-4 | Communications and control networks are protected | | SR 3.1: Communication integrity; SR 3.5: Input validation; SR 3.8: Session integrity; SR 4.1: Information confidentiality; SR 4.3: Use of cryptography; SR 5.1: Network segmentation; SR 5.2: Zone boundary protection; SR 5.3: General purpose person-to-person communication restrictions; SR 7.1: Denial of service protection; SR 7.6: Network and security configuration settings |
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | 4.3.2.5.2: Determine the impacts and consequences to each system | SR 7.1: Denial of service protection; SR 7.2: Resource management |
RC.CO-1 | Public relations are managed | | |
RC.CO-2 | Reputation is repaired after an incident | | |
RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | | |
RC.IM-1 | Recovery plans incorporate lessons learned | 4.4.3.4: Identify and implement corrective and preventive actions | |
RC.IM-2 | Recovery strategies are updated | | |
RC.RP-1 | Recovery plan is executed during or after a cybersecurity incident | | |
RS.AN-1 | Notifications from detection systems are investigated | 4.3.4.5.6: Identify and respond to incidents; 4.3.4.5.7: Identify failed and successful cyber security breaches; 4.3.4.5.8: Document the details of incidents | SR 6.1: Audit log accessibility |
RS.AN-2 | The impact of the incident is understood | 4.3.4.5.6: Identify and respond to incidents; 4.3.4.5.7: Identify failed and successful cyber security breaches; 4.3.4.5.8: Document the details of incidents | |
RS.AN-3 | Forensics are performed | | SR 2.10: Response to audit processing failures; SR 2.11: Timestamps; SR 2.12: Non-repudiation; SR 2.8: Auditable events; SR 2.9: Audit storage capacity; SR 3.9: Protection of audit information; SR 6.1: Audit log accessibility |
RS.AN-4 | Incidents are categorized consistent with response plans | 4.3.4.5.6: Identify and respond to incidents | |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | | |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed | 4.3.4.5.2: Communicate the incident response plan; 4.3.4.5.3: Establish a reporting procedure for unusual activities and events; 4.3.4.5.4: Educate employees on reporting cyber security incidents | |
RS.CO-2 | Incidents are reported consistent with established criteria | 4.3.4.5.5: Report cyber security incidents in a timely manner | |
RS.CO-3 | Information is shared consistent with response plans | 4.3.4.5.2: Communicate the incident response plan | |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | 4.3.4.5.5: Report cyber security incidents in a timely manner | |
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | | |
RS.IM-1 | Response plans incorporate lessons learned | 4.3.4.5.10: Address and correct issues discovered; 4.4.3.4: Identify and implement corrective and preventive actions | |
RS.IM-2 | Response strategies are updated | | |
RS.MI-1 | Incidents are contained | 4.3.4.5.6: Identify and respond to incidents | SR 5.1: Network segmentation; SR 5.2: Zone boundary protection; SR 5.4: Application partitioning |
RS.MI-2 | Incidents are mitigated | 4.3.4.5.10: Address and correct issues discovered; 4.3.4.5.6: Identify and respond to incidents | |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | | |
RS.RP-1 | Response plan is executed during or after an incident | 4.3.4.5.1: Implement an incident response plan | |