Cybersecurity: Time for Action
By Bill Lydon
Cybersecurity practices are like industrial safety systems and practices; if you do not have them, the need is not obvious until there is a major accident. However, cybersecurity risks pose a real and present danger that many ISA members have recognized for years.
Several years ago, ISA volunteers invested their time and talents to form the ANSI/ISA99 committee on Industrial Automation and Control Systems Security. The ISA99 committee develops and establishes standards, recommended practices, technical reports, and related information. These documents define procedures for implementing electronically secure industrial automation and control systems, security practices, and electronic security performance assessment. By special arrangement with the International Electrotechnical Commission (IEC), these standards are simultaneously submitted to the IEC for internationalization as the ISA/IEC 62443 series of standards.
The ISA Security Compliance Institute (ISCI) was established in 2007 as a cybersecurity standards conformance organization within ISA's Automation Standards Compliance Institute. The focus is to improve the confidentiality, integrity, and availability of components and systems used for industrial automation and control. ISCI provides criteria for procuring and implementing secure control systems and oversees conformance certifications under the ISASecure brand, which certify to the ISA/IEC 62443 series of standards. ISASecure is an independent industry stamp of approval similar to a "safety integrity level" certification (ISO/IEC 61508). A number of automation system suppliers have already achieved the ISASecure Embedded Device Security Assurance certification for their products, which gives instant recognition of product security characteristics and capabilities. In February 2014, ISCI announced the expansion of certification coverage at the ARC World Forum in Orlando, Fla. The new certifications include a system security assurance certification and a product development process certification certifying the security development life-cycle processes for supplier development organizations. See www.isasecure.org.
The Automation Federation and ISA have worked on the early U.S. public-private partnership effort to establish a U.S. Cybersecurity Framework, which has now been officially launched. The second phase of the partnership, implementing the framework, has now begun. The Automation Federation (www.automationfederation.org) is planning a series of implementation seminars throughout the U.S. and abroad. The first implementation seminar was conducted 21 February 2014 in Birmingham, Ala.
What can you do?
You can educate yourself on the ISA standards and the cybersecurity framework. ISA-99 and other standards are available at www.isa.org/standards. The Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 is available on the National Institute of Standards and Technology website. Contribute by getting involved in ISA committees where your industry knowledge, know-how, and experience help form standards that work in the real world. Take advantage of ISA training programs.
You can also get a quick start with the ISA Cybersecurity Tech Pack, which combines critical industry technical papers and PowerPoint presentations written and presented by world-renowned cybersecurity and automation systems experts, as well as notable ISA technical publications, including ISA's latest title, Industrial Automation and Control Systems Security Principles by Ronald Krutz. As an added bonus, we have packaged our informative cybersecurity articles from InTech. There are descriptions of these industrial cybersecurity technical resources at www.isa.org/cybe/resources.
Asset owners should also include ISASecure certifications as a procurement requirement for automation products from their automation suppliers.
Years ago, there was a television commercial for automotive oil filters that stated, "You can pay me now, or pay me later," which meant that you could pay a small amount for a new oil filter today, or a large amount for a ruined engine later. Cybersecurity is like that: if you do not invest now, the cost after a cyberattack will be much more.
ABOUT THE AUTHOR
Bill Lydon is chief editor for InTech. Lydon has been active in manufacturing automation for more than 25 years. He started his career as a designer of computer-based machine tool controls; in other positions, he applied programmable logic controllers and process control technology. In addition to experience at various large companies, he cofounded and was president of a venture-capital-funded industrial automation software company.