The ISA-99 Industrial Automation and Control Systems Security standards

First published in 2007. As told by Eric Cosman, 2020 ISA President.

The ISA-99 standards helped to put industrial cybersecurity on the map, leading to today’s high level of awareness.

It is easy to forget that the ISA99 committee existed and our work on the 62443 standards was happening before most of the current popular or higher-profile products and technologies were even available. Pioneers in the development of solutions in this area were also involved in the early activities of our committee. A notable example is Eric Byres, who went on to develop the Tofino industrial firewall.

Members of the ISA99 committee also provided expertise to the Automation Federation in its efforts to raise awareness with politicians and public policy members. This included the development of briefing papers and visits to Washington D.C. Our committee has been working closely with the U.S. National Institute of Standards and Technology (NIST) and other groups in the public sector for almost 20 years. This included having a major role in shaping the NIST cybersecurity framework.

All of this attention and focus by industry has led to the creation of new types of jobs in industrial automation cybersecurity. There are now several very successful companies providing consulting and advisory services to asset owners in this area, some of whom employ members of our committee. The impact of ISA-99 has been to help increase understanding of the importance of automation in ensuring safe, reliable, available, and high-performing manufacturing and operations processes.

I was one of a small group of people who came together in a conference call on 18 September 2002 to discuss how ISA could best approach the growing need for and interest in standards and practices for industrial systems cybersecurity.

The Society had considered two basic approaches. The first was to direct all existing and future subject-specific standard groups (e.g., ISA-95) to examine if and how they should revise their standards to consider cybersecurity threats and vulnerabilities. The alternative was to create a new committee to develop one or more standards devoted to cybersecurity and promote the result as a “horizontal” standard that could be applied in a range of contexts.

The consensus was that the second option was preferred. This resulted in the chartering of the ISA99 committee with Bob Webb as managing director and Bryan Singer as committee chair. Bryan Singer and Keith Unger developed the initial committee description. A face-to-face meeting in Chicago on 22 October attracted almost 60 people. This was the first meeting of the committee. Those present approved the formation of three subcommittees to address scope and purpose; models and terminology; and research and liaison.

I have been a member of ISA99 since its formation. I joined to represent the chemical sector cybersecurity program of the American Chemistry Council (ACC), which had decided to avoid creating sector-specific standards and practices. I served as the cochair (with Evan Hand) of the work group that developed what became ISA-99.00.01-2007, which was the first standard in what became the 62443 series. I later took on the role of committee cochair, first with Bryan Singer and later with Jim Gilsinn. Many others who attended our first meeting are still contributing today—continuity that has contributed to the success of the committee.

This article is part of the September/October 2020 InTech—the ISA 75th Anniversary Special Edition.