New labels replace the familiar "information security" label
The main changes in the Information Security Assessment (ISA) catalog 6.0 concern the "Information Security" module and the associated label system from TISAX®. In future, the familiar "Information Security" label will be completely replaced by the two labels "Availability" and "Confidentiality".
"Availability" label in ISA catalog 6.0: extension to production facilities
In the new ISA catalog, the labels "Availability high" and "Availability very high" have been made more specific. As a result, OT (Operational Technology) systems will become more of a focus for future audits.
The increasing networking of production environments, i.e. Industrial Automation Control Systems (IACS) and their networks, results in a number of new challenges for information security. Production facilities span extremely extensive networks with a multitude of specialized technologies and protocols.
In many respects, they differ fundamentally from IT systems: production environments are generally designed to run for many years, and once they are running smoothly they are left as undisturbed as possible, except for regular maintenance and repair work. This means that outdated operating systems, communication protocols or encryption algorithms, for example, are still in use on many components.
For a long time, automatic patch and update processes were undesirable or at least viewed critically. The fear that the complex production process could get out of sync and cause considerable economic losses was far too great. The large-scale, distributed systems and communication networks, to which many employees can gain access, also offer multiple physical points of attack.
The reliability and availability of automated production systems are extremely important, not only from a business perspective, but also because deviations in the process can cause considerable damage and financial losses.
In order to integrate all these OT-specific aspects into the ISA catalog 6.0, ENX and VDA have aligned themselves with the internationally recognized IEC 62443 series of standards, and in particular with sub-section 2-1.