Baking in long-term security
By Bryan Singer and Thomas Good
End users and vendors will benefit from the publication of ISA’s newest ANSI-approved control system security standard, ISA-99.02.01, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, or Part 2 for short.
Part 2 addresses key issues for users, including cyber security risks, activities users should know about to identify and manage risk, steps to ensure adequate security in an organization, and how to recover from a cyber security incident. It also provides guidance on what should be included in an overall security management system. It provides critical guidance on activities that are part of a comprehensive security program and how to develop a plant-appropriate management system that is also appropriate for a multi-site or enterprise environment. While other regulatory compliance and standards efforts have been effective at providing compliance-based activity checklists, the ISA99 Part 2 standard dives deeper, helping asset owners understand more about how to implement a program that could later be audited or verified for compliance against other standards or regulatory documents.
When the committee formed in 2002, it set out on the mission of addressing security from a holistic standpoint, and addressing it as a core business issue and engineering discipline as opposed to a simple technical problem waiting to be solved. As such, we knew we would need multiple standards documents to address various aspects of security from understanding vulnerabilities and selecting technical countermeasures, to adopting engineering, design build, and risk management practices to include security and business continuity as part of operational planning and performance/uptime management.
But beyond helping owners with later compliance, Part 2 addresses the longer-term challenge of how to bake in cyber security rather than spreading a layer of icing on the cake at the end. It lays the foundational framework for determining, implementing, and maintaining cost-effective long-term cyber security management strategies, and how to have effective plans in place if (and not when) security incidents occur. This is a critical step because unless manufacturers adopt security as a core business practice and integrate it with existing safety and engineering disciplines, companies have only repeated exposures, additional compliance measures, and a long road of repeated incidents and fire response from management when incidents do occur. There is no question: Companies prepared for cyber security are some of the best-run organizations in the world, as they are focused on security as a business objective and as a risk management practice to help ensure positive, efficient, and safe operation of their facilities.
Organizing the document and determining a suitable list of activities that the committee was comfortable with took time, as did understanding our basic objectives. But settling on the concept that this should be a guidance standard that enables owners to create and manage their own programs proved in the end to be the right track. It was important to create a flexible and extensible standard in which users could implement the comprehensive ISA99 Part 2 activities as a complement to any other regulatory requirements they may face, making it easier to understand those compliance efforts and to demonstrate compliance with such requirements. Later parts of the standard will focus more heavily on performance management and operating an effective program, as well as determine better technical requirements for industrial components and devices.
For those reading the Part 2 documents for the first time, pay special attention to the Clause 4 section for normative guidance, but also to the Annexes that help bring a greater sense of understanding of how such a standard would be implemented for a given owner, including real-world insights from experienced practitioners and first-hand experience implementing many of the included recommendations. These sections should prove very useful not only to first-time implementers of a security program, but also to old hands at security looking to gain fresh perspectives on what it means to protect an industrial environment from cyber security threats.
Work on the remaining ISA99 standards documents includes Part 4 for technical security requirements. We are also continuing to form relationships with ISA84 safety standards to help end users and others work together in addressing the challenges of cyber security, and to create safe, reliable, and efficient plant operations that are resilient and responsive to threats.
ABOUT THE AUTHORS
Bryan Singer, CISM, CISSP, CAP, is vice president at Kenexis Security Corporation and co-chairman of ISA99, and Thomas Good is Senior Control Systems Consultant at DuPont Engineering Instruments & Control Systems (I&CS) and co-chair of ISA99 Working Group 2.