- February 16, 2017
- Research Triangle Park, North Carolina
Patrick J. Gouhin, Executive Director and CEO of the International Society of Automation (ISA), speaking today at a Bloomberg LIVE conference in Houston, Texas on the future of cybersecurity in the US oil and gas sector, urged energy executives to take action now to protect their facilities and operations from cyberattack.
"Given the increasing number of cyberattacks on oil and gas facilities, the importance of these facilities to the economy and national security, and the fact that there are effective cybersecurity standards for the energy industry available today, the time to act is now, not years in the future," emphasized Gouhin, before an audience of approximately 100 senior technology executives and government officials.
Gouhin participated in a panel session that examined: the need for solutions that can both prevent a cyberattack from occurring and mitigate the damage if one does occur; and the future of cybersecurity strategies and defenses in the oil and gas industry given the absence of mandated standards and regulations.
Gouhin pointed to ISA's series of industrial automation and control system (IACS) security standards (adopted internationally as ISA/IEC 62443) as a flexible framework for preventing and limiting potentially devastating cyber damage to the industrial systems and networks used in oil and gas facilities and other critical infrastructure.
Developed by leading international cybersecurity experts from industry, government and academia, ISA/IEC 62443 addresses industrial cybersecurity vulnerabilities across all key industry sectors and is regarded as the world's only consensus-based series of IACS security standards.
IACS, such as supervisory control and data acquisition systems (SCADA), are relied upon to monitor and control the operation of industrial machinery and associated devices. Because most IACS are not designed to ensure resilience against cyberwarfare, an IACS cyberattack can impair and disable safe operations of industrial facilities. The consequences (which can include plant shutdowns, widespread power blackouts, explosions, chemical leaks, and more) can place national and economic security as well as lives, personal safety and the environment at risk.
ISA/IEC 62443 enables owners and operators of critical infrastructure to achieve and maintain IACS security improvements through a lifecycle that integrates design, implementation, monitoring, and continuous improvement.
ISA's expertise in industrial cybersecurity standards has been honed through experience. Gouhin pointed out that ISA has been developing industry standards for more than 67 years, with 150 different standards in its portfolio, representing the knowledge of more than 4,000 industry experts worldwide.
He explained that while the US does not legally require implementation of industrial cybersecurity standards and best practices, the government has developed a voluntary plan to follow. The plan, known as the US Cybersecurity Framework, serves as a how-to guide for American industry and operators and owners of critical infrastructure to strengthen their cyber defenses.
Representatives of both ISA and its affiliate, the Automation Federation, served as expert consultants to the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, as it coordinated the development of the framework. The ISA/IEC 62443 series of IACS security standards are key components of the framework recommendations, which were made public in early 2014.
ISA's leadership in industrial cybersecurity also prompted the US Army National Guard to select ISA as an industry partner. Last year, ISA provided control systems security training at the National Guard's Cyber Shield 2016 exercise at Camp Atterbury, Indiana. More than 900 soldiers, airmen, Marines, sailors, and civilians representing 47 states and territories participated at the event to assess their skills in responding to cyber-incidents on the National Guard computer network.
Furthermore, the Automation Federation is the host organization for the LOGIIC (Linking Oil and Gas Industry to Improve Cybersecurity) Program, an ongoing collaboration of major oil and natural gas companies and the US Department of Homeland Security, Science and Technology Directorate. LOGIIC undertakes collaborative research and development projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector.
ISA has leveraged ISA/IEC 62443 to develop industrial cybersecurity training courses, certificate programs and conformance certification
ISA has harnessed the ISA/IEC 62443 standards to develop a comprehensive set of industrial cybersecurity training courses and aligned certificate programs, covering the complete lifecycle of IACS assessment, design, implementation, operations and maintenance.
ISA's suite of industrial cybersecurity courses includes:
- Introduction to Industrial Automation Security and the ISA/IEC 62443 Standards (IC32C)
- Using the ISA/IEC 62443 Standards to Secure Your Control Systems (IC32)
- Using the ISA/IEC 62443 Standard to Secure Your Control Systems (IC32E - Online Version)
- Assessing the Cybersecurity of New or Existing IACS Systems (IC33)
- IACS Cybersecurity Design & Implementation (IC34)
- IACS Cybersecurity Operations & Maintenance (IC37)
ISA cybersecurity certificate programs are awarded to those who successfully complete the requirements of ISA's related cybersecurity courses. Individuals who complete all four ISA certificate programs earn the designation of ISA/IEC 62443 Cybersecurity Expert. For more details on the four certificate programs and their aligned courses, visit www.isa.org/CYBERcertificate.
In addition, ISA has developed a certification program, ISASecure®, that ensures that control systems conform to relevant ISA/IEC 62443 cybersecurity standards and apply to the security lifecycle concept that forms the basis of the standards.
Asset owners and integrators that include the ISASecure® designation as a procurement requirement for control systems projects have confidence that the selected products are robust against network attacks and free from known vulnerabilities.
About Patrick J. Gouhin
Patrick J. Gouhin serves as the Executive Director and CEO of the International Society of Automation (ISA). ISA is a nonprofit professional association that sets the standard for those who apply engineering and technology to improve the management, safety, and cybersecurity of modern automation and control systems used across industry and critical infrastructure. ISA serves both process manufacturing industries, such as chemicals, food and beverage, oil and gas, and pharmaceuticals; and discrete manufacturing industries, such as automotive and aerospace.
During his tenure at ISA, Gouhin has directed: vital initiatives to advance the Society and better serve automation professionals, including globalization efforts and workforce development programs; the development of the Automation Federation and the Automation Standards Compliance Institute; and the acquisition of Automation.com.
Before joining ISA, he spent 15 years at the American Institute of Aeronautics and Astronautics (AIAA), culminating his service there as Chief Operating Officer. During a few years of this period, Gouhin lent his expertise to the National Institute of Aerospace (NIA) at Langley Research Center, serving as its Vice President of Operations and Technology Transfer.
Gouhin earned a bachelor of science degree in aeronautical engineering from The Ohio State University and a master's degree in engineering management from George Washington University. He completed the executive development program at the University of Pennsylvania's Wharton School and the advanced management college of Stanford University.