June 2008

Security for all

By Ellen Fussell Policastro

Security is not just an issue for the ISA security standards committee; it affects everyone.

That is why the ISA99 standards committee on control system security has a mission to bring its security expertise to all ISA standards. The committee's immediate goal is to establish a broader relationship between ISA99 and ISA100 on wireless, said Bryan Singer, chairman of ISA99 and vice president of security services at Wurldtech Security Technologies in Vancouver, British Columbia, Canada. The resulting Working Group 4 (WG4) will establish responsibility for security within both committees, ensuring there is no conflict between the two. In fact, the two committees are meeting this month in West Palm Beach to begin the collaboration work.

Formed in 2007, WG4 is responsible for creating ISA99.00.04 (Part 4). The working group deals specifically with the unique technical requirements, measurements, and other features required to evaluate and assure the security resilience and performance of industrial automation and control system devices. These requirements are critical to deploying more secure devices and protecting legacy systems. WG4 is collaborating with ISA100 on wireless and ISA84 on safety, as well as ISA67 on nuclear power, ISA88 on batch processes, and ISA95 on enterprise integration.

"There are several joint members who regularly report to the ISA88 and ISA95 committees on important information. A lot of the collaboration involves making sure we are using consistent definitions of level and activities," said Dennis Brandl, president of BRL Consulting in Cary, N.C., and chair of the ISA88 committee on batch control. "Much of the ISA99 work has impacts in all levels, down to equipment and up above MES systems," he said. "We felt it was important that the ISA88 and ISA95 members were aware of the security work, so we don't duplicate any efforts."

The ISA100 wireless standards committee has established a joint committee called the trustworthy wireless interest group (TWIG). "The idea is that the end users within ISA100 wanted to take a closer look at relationships among security, reliability, and confidence," said ISA100 chairman Wayne Manges of Oak Ridge National Labs, in Oak Ridge, Tenn.

"Anyone can join ISA100 and sign up for TWIG," Manges said. Several participants attended an Exxon-Mobil-hosted TWIG in Virginia in April. "Our expectation is that TWIG will carry the flag for end users' concerns over the relative importance of reliability and availability with respect to other security issues (confidentiality and integrity)," Manges said. A TWIG working document called "Trustworthiness in Wireless Industrial Automation" will include guidelines for end users, suppliers, regulators, and other stakeholders for installing and using wireless systems for industrial automation while maintaining a quantifiable level of trust.

"Those companies that have had security issues or problems are participating because they need vendors to help them implement secure systems. Mostly end users provide real examples that can be used as checkpoints for the standards' recommendations," Brandl said.

"These relationships and industry participation are critical to ensure the committee can accurately specify technical requirements and see these brought to light in new products and protecting legacy equipment," Singer said.

Another area of collaboration would be in dealing with safety standards, "where you're looking at hazardous events that are primarily unintentional," Singer said. "The ISA84 standards deal more heavily with random faults. The ISA99 WG4 would look at concepts similar to those in the safety standard, but our objective is to come up with technical security requirements and measurements. We need to understand what additional things we need to do to deal with the intentional threats and other threats to systematic failure. We'd be looking at intentional faults, including those that could bypass safety systems and circuits," he said.

If a manufacturer has a triple-redundant safety system, it probably uses the same system for each of those redundant components. "From a safety and hardware perspective, it makes sense to achieve a desired level of faults per hour," Singer said. If a single packet can disable one safety system, that same packet will affect the other two, "so you can't look at security of those systems the same way you would safety. Right now you do hazard analysis for safety. So we'd be looking at threat analysis and technical vulnerability analysis on top of that."
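The point above, as an added worked example that is not part of the article: a small Python model of a 2-out-of-3 (2oo3) voted safety system that contrasts the safety view (independent random faults, which redundancy suppresses) with the security view (one malformed input that takes every channel built to the same design offline at the same moment). It also goes one step beyond the text by showing that diverse designs only rescue the voter when fewer than two of the three channels share the affected design. The design labels, the per-channel fault probability and the set of affected designs are constructed assumptions, not figures from the article or from any standard.

```python
"""Added illustration: a 2-out-of-3 (2oo3) voted safety system under two
failure models. Independent random faults (the safety-standard view) are
suppressed by redundancy; a common-cause condition, such as one malformed
message that takes every channel running the same design offline, is not.
All designs, probabilities and inputs below are constructed for illustration."""


def voter_2oo3_ok(channels_ok):
    """The voter keeps the safety function available while at least two of
    the three channels are healthy."""
    assert len(channels_ok) == 3, "2oo3 needs exactly three channels"
    return sum(1 for c in channels_ok if c) >= 2


def p_fail_2oo3_independent(p):
    """Exact probability that a 2oo3 system is unavailable when each channel
    fails independently with probability p: two or three channels down."""
    return 3 * p ** 2 * (1 - p) + p ** 3


def channels_after_input(designs, vulnerable_designs):
    """Health of each channel after one input arrives.

    designs: a design label per channel, e.g. ["A", "A", "A"] (constructed).
    vulnerable_designs: the set of labels that the input takes offline.
    A channel whose design is in that set fails deterministically, so all
    channels sharing a design fail together (common cause), not independently.
    """
    return [d not in vulnerable_designs for d in designs]


def system_fails_on_input(designs, vulnerable_designs):
    """True if the single input leaves fewer than two channels working."""
    return not voter_2oo3_ok(channels_after_input(designs, vulnerable_designs))


def tolerates_common_cause(designs):
    """A 2oo3 voter survives a single-design common-cause failure only if no
    design is shared by two or more channels (at most one channel is lost)."""
    counts = {}
    for d in designs:
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values()) <= 1


if __name__ == "__main__":
    p = 1e-3  # constructed per-channel random fault probability
    print(f"independent faults: single channel {p:.1e}, "
          f"2oo3 system {p_fail_2oo3_independent(p):.3e}")
    for designs in (["A", "A", "A"], ["A", "A", "B"], ["A", "B", "C"]):
        failed = system_fails_on_input(designs, {"A"})
        print(f"{designs}: one input affecting design A -> "
              f"{'SYSTEM DOWN' if failed else 'voter still has 2 of 3'}")
```

The independent-fault number is the familiar safety calculation: three channels at 10^-3 each give a voted system near 3 x 10^-6. The common-cause rows show why that number says nothing about a crafted input: with three identical channels the voter loses all three at once, and even two identical channels plus one different one still drop below the two-healthy-channel threshold. This is the gap Singer describes between hazard analysis and the threat and vulnerability analysis layered on top of it.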

Looking at security in relation to all standards in this way will have a tremendous effect on the industry, although the impact will not be immediate. "But downstream you'll see, if we change the SIL level concept, that will have a wide-reaching impact in how we view the safety of our current systems," Singer said.

"The collaboration with other standards means that security is always mentioned and considered as other standards are developed," Brandl said. "There is now a common belief that the period of false safety we have had, because no one recognized the problem, has now been replaced with a more realistic view of the threats and problems we can expect to see."

ABOUT THE AUTHOR

Ellen Fussell Policastro is the associate editor of InTech. Her e-mail is efussellpolicastro@isa.org.