1 April 2007

Security standard hopes to go global

By Ellen Fussell Policastro

Globalization is a key word around the industry, especially when it comes to security standards. In fact, a global standard is vital for manufacturers if they want to "build products that meet one set of standards worldwide, not different standards for each country," said Eric Byres, chief executive of Byres Security Inc. in British Columbia, Canada. "As important as it is, ISA standards are only recognized by ANSI, a U.S. body," he said. "To be internationally recognized, they must be part of an international standards body like IEC or ISO."

In keeping with this theory, members of TC65 WG 10, the working group on control system security developing the three-part IEC 62443, have unanimously voted to take their work to ISA-SP99 WG 4 for further development. This means a joint effort on control system security would produce an ISA standard and an IEC technical specification, said Tom Phinney, a senior fellow at Honeywell ACS, in Phoenix, Ariz., co-chair of ISA-SP99 WG 4, and convenor of IEC TC65 WG 10.

The ISA-SP99 and IEC relationship represents a solid recognition of this need, said Bryan Singer, ISA-SP99 committee chair and principal consultant of industrial security at FluidIQs, Inc., in Birmingham, Ala.

During the past few months, the recognition of excellent work, coming exclusively from each committee, drove conversations between IEC 65C and ISA-99. Vendors and asset owners operate globally, "and one thing we knew would not make a lot of sense is for businesses to have to pick and choose between the standards efforts, especially given the close relationship between legislation and standards often seen in Europe," Singer said.

Solidifying the relationship made sense for several reasons. The approach is to start with the ISA-99 Part 4 document and pool resources and efforts to jointly develop content both bodies will use, Singer said. The result will be a consistent document produced by each body. "Ultimately, it will give the asset owner and vendor community that operates globally a unified approach to address security in their products, services, and customer solutions."

Vendors really cannot support multiple incompatible security approaches. "It's hard enough to test for errors, bugs, and security holes on one approach. It's impossible to test two developed and evolved products that simultaneously support multiple incompatible security approaches," Phinney said. The logic behind one global standard is that emergency personnel on different continents can help each other, since emergencies usually occur during third shift, when people are at their weakest. If an oil company in Singapore has an emergency at 2:00 a.m., the logical people to help would be somewhere else in the world at 10:00 a.m. or noon, Phinney said. But that is just one aspect. "The big oil companies need compatible security procedures all over the world in case of emergency so help can come from anyone else in the world who has skill."

ISA differs with IEC

ISA standards normally harmonize with IEC, but in this case, ISA is working on a four-part standard, and IEC is working on a three-part standard. Three of the ISA parts are not in conflict with IEC. The fourth one competes directly because it covers technical measures to strengthen security, such as rules for how you put in a firewall, Phinney said. An issue on the ISA side is the potential for the ISA standard to get rejected by IEC as unnecessary and competitive with its own standard. The problem on the IEC side is that the working group is split between two different approaches to cyber security standardization. "Some people want to work on technical measures; some people want to work on things that will have a longer lifetime, such as policy, procedure, process (things that become part of an engineering process)," Phinney said. The problem is that technical measures become obsolete as soon as someone thinks of a countermeasure. "In 2005, firewalls and demilitarized zones were considered to be the best way to defend an industrial control system from the outside world," Phinney said. "Then we realized there were ways to circumvent them as well. Once inside, the entire landscape is open to attack. So what was considered best practice in 2005 is now just one tool in the arsenal that needs to be augmented by other tools."

Global standard benefits all

"If U.S. companies do not meet international standards, their competition can use this to block their entry into Europe or Asia. So for the vendors, having the ISA standards be accepted into IEC only has benefit," Byres said.

A global standard has significant benefit for end users, "particularly if they have international operations," Byres said. "These standards are likely to be the basis for due diligence requirements and audits; in order for management to show they meet various legal compliance needs such as SOX [schema for object-oriented XML], they will need to show that their company practices meet a standard. It is much easier for them if there is one international standard and not a bunch of regional standards."

What are the downsides? Few, other than that the IEC processes are more complex than ISA processes and it probably will take longer to produce a standard, Byres said. "Going from an ISA standard to an IEC standard is like going from writing for a small town newspaper to writing for The New York Times," Byres said. "The latter is clearly more prestigious and influential, but it comes with more restrictions and complications."


Ellen Fussell Policastro is the associate editor of InTech. Her e-mail is efussellpolicastro@isa.org.