ISA fully engaged in cybersecurity
Presidential Executive Order on Critical Infrastructure Cybersecurity draws comprehensive response from ISA and AF
By Bill Lydon, Editor in Chief
U.S. Presidential Executive Order 13636, announced in President Obama’s 2013 State of the Union address and signed on 12 February, is intended to confront the growing threats and risks of destructive and potentially deadly cyber attacks on the nation’s critical infrastructure. The Executive Order calls for development of a national Cybersecurity Framework that includes “standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks,” and “help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce is charged with developing the Framework.
NIST has recognized the efforts of the Automation Federation (AF) to ensure that language is included in the Cybersecurity Framework to address the protection of industrial automation and control systems (IACS). Key NIST staff asked to meet with AF and ISA subject matter experts immediately prior to the first of four NIST Cybersecurity Framework workshops to discuss the central role that ISA99 industry standards for IACS security might play in the Framework.
The first NIST Cybersecurity Framework workshop was held at the offices of the U.S. Department of Commerce in Washington, D.C., on 3 April. Attendees included Leo Staples, 2013 Automation Federation Energy Committee chair; Eric Cosman, co-chair of ISA99 Security Committee; Johan Nye, chairman, Governing Board of the ISA Security Compliance Institute; Steve Mustard, member of the Automation Federation Government Relations Committee; and Mike Marlowe, Automation Federation managing director and government relations director.
Following the workshop, AF agreed to a request from NIST to help identify a location for one of three additional national Cybersecurity Framework workshops, to be held in September on the Raleigh campus of North Carolina State University. The other NIST workshops are planned for May 29–31 at Carnegie Mellon University, and in July at a time and location to be determined.
ISA cybersecurity initiatives
In response to a NIST open request for information on the Cybersecurity Framework, AF submitted comprehensive responses in early April from both the ISA99 standards development committee and the ISA Security Compliance Institute (ISCI). ISA99 and ISCI have been developing IACS multi-industry consensus standards and conformity assessment programs, respectively, to protect vital industrial and critical infrastructure. The application of automation to increase productivity, reduce costs, and share information in real time across multiple industrial and enterprise systems is vital in maintaining and increasing industrial competitiveness. In order to meet industry competitiveness objectives and protect IACS from cyber threats, the NIST Cybersecurity Framework, like the ISA99 standards, is intended to apply across multiple industry sectors. Cyber attacks on industrial operations continue to be a great concern, but at the same time management demands are increasing for real-time communications between automation and business systems. In addition, the decreasing number of experienced automation experts is driving the need for remote plant operations over the Internet, raising vulnerability concerns. These are some of the major reasons that ISA and AF have taken the lead to address IACS cybersecurity with these key initiatives:
The ISA99 standards development committee brings together more than 500 industrial cybersecurity experts from multiple industries and applications to develop the ISA-62443 series of American National Standards on IACS security. These standards are providing a framework for companies to achieve and maintain security improvements through a lifecycle that integrates design, implementation, monitoring, and continuous improvement. This original and ongoing work is being adopted by the Geneva-based International Electrotechnical Commission (IEC) as the IEC 62443 series. An overview of the ISA-62443 series is available here.
ISA Security Compliance Institute (ISCI)
The ISA Security Compliance Institute, a subsidiary of ISA, manages the ISASecure® program, which recognizes and promotes cyber-secure products and practices for industrial automation suppliers and operational sites.
The ISASecure designation is earned by industrial control suppliers for products that demonstrate adherence to ISCI cybersecurity specifications derived from open, consensus industry standards. ISASecure certifications evaluate product/system cybersecurity characteristics and laboratory test products/systems and assess suppliers’ adherence to cybersecurity lifecycle development best practices. ISCI develops industrial automation control systems certifications, which assess conformance to the ISA-62443 standards and reference other relevant international standards, such as IEC 61508 and IEC 61511 for Safety Instrumented Systems, as appropriate to the particular certification program.
Test lab accreditation assures users of the competence and impartiality of the certification body (CB) being accredited. ISASecure is an ISO/IEC Guide 65 conformance scheme. As such, all ISASecure certification bodies (test labs) are independently accredited to ISASecure requirements, ISO/IEC Guide 65 and ISO/IEC 17025 by an ISO/IEC 17011 accreditation body, such as ANSI/ACLASS, the Japan Accreditation Bureau (JAB) and other country-specific ISO/IEC 17011 accreditation bodies. The link to the ANSI/ACLASS website for ISASecure is www.ansi.org/isasecure.
ISASecure EDSA (Embedded Device Security Assurance) is a certification program for embedded devices, which are special purpose devices running embedded software designed to directly monitor, control, or actuate an industrial process. The ISASecure EDSA certification program is currently available, and several suppliers’ devices have been certified to ISASecure Security Level 1 or 2.
ISASecure SSA (System Security Assurance) is a certification program for industrial automation and control systems. The certification tests and assesses for compliance to the ISA-62443 standards. The primary focus of the SSA program is compliance to ISA-62443-3-3. The ISASecure SSA certification program is currently under development and is expected to be released midyear.
ISASecure SDLA (Security Development Lifecycle Assurance) is a certification program to assess the supplier’s product development process to ensure it incorporates a Security Development Lifecycle. The ISASecure SDLA certification program is currently under development and is expected to be released in the second half of this year.
Reflecting the international aspects and concerns about IACS security, in May the Japan Information Technology Promotion Agency (IPA) will be dedicating an industrial automation and control test lab that will be accredited to the ISASecure conformance scheme. The IPA has adopted ISASecure as part of the Japanese critical infrastructure protection scheme.
The ISA99 committee continues to develop additional standards and technical reports in the ISA-62443 (IEC 62443) series, several of which will soon be circulated for review and comment. More information is available on the ISA99 wiki.
ISA offers a number of training courses on industrial cybersecurity and is currently developing a certificate program in cybersecurity.
AF will offer a free webinar (5 August 2013) on this ongoing work to support the development of the NIST Cybersecurity Framework to achieve the goals of the Presidential Executive Order. For more information about the Automation Federation, contact Michael Marlowe (firstname.lastname@example.org), managing director, Automation Federation.