Co-Engineering Gap Analysis of ANSI/ISA‑62443‑3‑3

Petr Mlynek, Radek Fujdiak, Pavel Mrnustik, Bohuslav Krena, Ludovic Apvrille


Nowadays, software and system development is a more complex process than ever was and it faces challenges, where security became one of the most crucial. Based upon co-engineering in the AQUAS project, complex standards covering development processes regarding safety, but performance and security are missing. In the paper, the representative standard for Industrial Automation and Control Systems (IACS) is selected for gap analysis, both as examples of issues in co-engineering in security and performance, and possibly for evolution and extension in security standards. For IACS, the ANSI/ISA 62443 defines procedures for implementing security requirements. Based upon co-engineering in the AQUAS project and experience from the real implementation of security by TrustPort practitioners of this domain, the paper introduces the 62443 standard gaps analysis with the goal to identify the missing part. Based on this analysis, the possible recommendations for extending 62443-3-3 are proposed.

Full Text:



EU Publication Office, “Aggregated quality assurance for systems: Aquas h2020 project official website,” rcn/210527 en.html, 2017, (H2020-EU., ID: 737475). Accessed: 2019-06-08.

Jens Braband. What's Security Level got to do with Safety Integrity Level?. 8th European Congress on Embedded Real Time Software and Systems (ERTS 2016), Jan 2016, TOULOUSE, France. ⟨hal-01289437⟩

R. S. H. Piggin, “Development of industrial cyber security standards: IEC 62443 for SCADA and Industrial Control System security,” IET Conference on Control and Automation 2013: Uniting Problems and Solutions, Birmingham, 2013, pp. 1-6. doi: 10.1049/cp.2013.0001

M. Maidl, D. Kröselberg, J. Christ and K. Beckers, “A Comprehensive Framework for Security in Engineering Projects - Based on IEC 62443,” 2018 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), Memphis, TN, 2018, pp. 42-47. doi: 10.1109/ISSREW.2018.00-33

T. Meany, “Functional safety and Industry 4.0,” 2017 28th Irish Signals and Systems Conference (ISSC), Killarney, 2017, pp. 1-7. doi: 10.1109/ISSC.2017.7983633

M. Rekik, C. Gransart and M. Berbineau, “Cyber-Physical Security Risk Assessment for Train Control and Monitoring Systems,” 2018 IEEE Conference on Communications and Network Security (CNS), Beijing, 2018, pp. 1-9. doi: 10.1109/CNS.2018.8433201

D. Zvabva, P. Zavarsky, S. Butakov and J. Luswata, “Evaluation of Industrial Firewall Performance Issues in Automation and Control Networks,” 2018 29th Biennial Symposium on Communications (BSC), Toronto, ON, 2018, pp. 1-5. doi: 10.1109/BSC.2018.8494696

H. Kanamaru, “Bridging functional safety and cyber security of SIS/SCS,” 2017 56th Annual Conference of the Society of Instrument and Control Engineers of Japan (SICE), Kanazawa, 2017, pp. 279-284. doi: 10.23919/SICE.2017.8105699

Chai Jiwen and Liu Shanmei, “Cyber security vulnerability assessment for Smart substations,” 2016 IEEE PES Asia-Pacific Power and Energy Engineering Conference (APPEEC), Xi'an, 2016, pp. 1368-1373. doi: 10.1109/APPEEC.2016.7779741

F. Moyon, K. Beckers, S. Klepper, P. Lachberger and B. Bruegge, “Towards Continuous Security Compliance in Agile Software Development at Scale,” 2018 IEEE/ACM 4th International Workshop on Rapid Continuous Software Engineering (RCoSE), Gothenburg, Sweden, 2018, pp. 31-34.

B. Genge, P. Haller and I. Kiss, “Cyber-Security-Aware Network Design of Industrial Control Systems,” IEEE Systems Journal, vol. 11, no. 3, pp. 1373-1384, Sept. 2017. doi: 10.1109/JSYST.2015.2462715

X. Hao, F. Zhou and X. Chen, “Analysis on security standards for industrial control system and enlightenment on relevant Chinese standards,” 2016 IEEE 11th Conference on Industrial Electronics and Applications (ICIEA), Hefei, 2016, pp. 1967-1971. doi: 10.1109/ICIEA.2016.7603911.

A. Ruiz, J. Puelles, J. Martinez, T. Gruber, M. Matschnig, B. Fischer, “Preliminary Safety and Security Co-engineering Process in the Industrial Automation Sector,” 10th European Congress on Embedded Real Time Systems (ERTS 2020), Toulouse, France, 2020.

L. Zhang-Kennedy, S. Chiasson, and P. van Oorschot, “Revisiting password rules: facilitating human management of passwords,” 2016 APWG symposium on electronic crime research (eCrime), IEEE, June 2016.

P. A. Grassi, R. A. Perlner, E. M. Newton, A. R. Regenscheid, W. E. Burr, J. P. Richer, and M. F. Theofanos, Digital Identity Guidelines: Authentication and Lifecycle Management [including updates as of 12-01-2017] (No. Special Publication (NIST SP)-800-63B), 2017.

R. Fujdiak et al., “Managing the Secure Software Development,” 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), CANARY ISLANDS, Spain, 2019, pp. 1-4. doi: 10.1109/NTMS.2019.8763845

R. Fujdiak et al., “Modeling the Trade-off Between Security and Performance to Support the Product Life Cycle,” 2019 8th Mediterranean Conference on Embedded Computing (MECO), Budva, Montenegro, 2019, pp. 1-6. doi: 10.1109/MECO.2019.8760043

ANSI/ISA‑62443‑3‑3 (99.03.03)-2013. Security for industrial automation and control systems Part 3-3: System security requirements and security levels. Approved 12 August 2013.

Security requirements for procuring smart meters and data concentrators. ENCS. 2019. Online:

Protecting Industrial Control Systems. Recommendations for Europe and Member States [Deliverable – 2011-12-09]. December 14, 2011. ENISA.

Communication network dependencies for ICS/SCADA Systems, DECEMBER 2016. ENISA

Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST Special Publication 800-131A Revision 2. Online:

Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018.

Cryptographic Key Length Recommendation, BlueKrypt - v 31.0 - June 10, 2018. Online:

L. Strigini, and M. Gadala. “Human Factors Standards and the Hard Human Factor Problems: Observations on Medical Usability Standards,” Proceedings of the 13th International Joint Conference on Biomedical Engineering Systems and Technologies. SCITEPRESS, 2020



  • There are currently no refbacks.