Archive


ISA Cyber Security Committee nears completion of first two industry standards

Houston, Texas (October 19, 2006) - In meetings at ISA EXPO this week, the ISA-SP99 Industrial Automation and Control Systems Security committee focused on preparations to issue its first two standards and an updated guideline for committee voting -- while launching a new working group to develop another key standard in the ISA-99 series. The committee decided to issue its Part 1 draft standard in November for what is expected to be a final round of committee voting. This standard, "Security for Industrial Automation and Control Systems: Concepts, Terminology and Models," will define the concepts, terminology, and models of industrial automation and control systems security, establishing the basis for the remaining standards in the ISA-99 series.

"Previous reviews and voting on the Part 1 draft generated over 250 comments from control system security experts across industry," stated ISA-SP99 Principal Editor Eric Cosman of Dow Chemical Company. "This input has considerably strengthened the draft, and we are very confident our upcoming ballot will lead to publication of Part 1 as an American National Standard in early 2007," he added.

Prior reviews and voting on the Part 2 draft standard, "Establishing an Industrial Automation and Control Systems Security Program," resulted in a similar influx of comments that are being factored into a revised draft planned for committee balloting in early 2007. "As with Part 1, the review and commenting process has strengthened the Part 2 draft considerably," stated Part 2 editor James Gilsinn of the National Institute of Standards and Technology (NIST). The Part 2 standard will provide detailed guidance for developing a management system and program for the cyber security of industrial automation and control systems.

"The ISA-SP99 collaboration is meeting vital industry needs for standards that define procedures for implementing electronically secure industrial automation and control systems and security practices, and for assessing electronic security performance," said ISA-SP99 chairman Bryan Singer of Rockwell Automation. "Compliance with the ISA-99 standards and guidelines will ultimately improve the electronic security of these systems, and will help identify vulnerabilities and address them."

The ISA-SP99 committee made two additional major announcements at ISA EXPO:

Launch of a new working group to develop the ISA-99 Part 4 standard, Specific Security Requirements for Industrial Automation and Control Systems, which will provide the details of how security levels can be measured and established for specific systems, hardware and software. Johan Nye of ExxonMobil and Tom Phinney of Honeywell will serve as co-chairs of the working group. Automation industry consultant Dick Oyen will serve as Part 4 editor.

The impending release for committee voting of an update of ISA-TR99.00.01, Security Technologies for Industrial Automation and Control Systems, which provides an evaluation and assessment of current types of electronic security technologies and tools that may be employed by end-user companies for securing these systems against cyber attack. Major input for this revision of the well-received 2004 ISA technical report has been provided by a group of security experts from NIST and the US National Laboratories, led by Robert Evans of Idaho National Laboratory, with key support from the US Department of Energy and US Department of Homeland Security.



The ISA-SP99 Committee Announces New Working Group to Develop the ISA-99 Part 4 Standard

October 24, 2006

The ISA-SP99 committee used ISA EXPO to announce a new working group to develop the ISA-99 Part 4 standard, Specific Security Requirements for Industrial Automation and Control Systems, which will provide the details of how security levels can be measured and established for specific systems, hardware and software. Johan Nye of ExxonMobil and Tom Phinney of Honeywell will serve as co-chairs of the working group, and automation industry consultant Dick Oyen will serve as Part 4 editor.

Bob Mick, ARC Advisory Group, commented, "Security understanding in manufacturing operations has progressed far enough that many now need to quantify levels of security that can be maintained against the need to justify spending. This is important work, and the ISA SP99 team is the right place to do it."



First Steps for Cyber Security Standard

May 11th, 2006; The ISA’s cyber security standards committee has issued first ballots for ISA-99 Parts 1 and 2.

The Instrumentation, Systems and Automation Society’s ISA-SP99 standards committee on Manufacturing and Control Systems Security has released the first and second parts of the ISA-99 series of standards for committee review and voting.

The ISA-99 Part 1 standard, “Security for Industrial Automation and Control Systems: Concepts, Terminology and Models,” will define the concepts, terminology, and models of industrial automation and control systems security, establishing the basis for the remaining standards in the ISA-99 series.

The ISA-99 Part 2 standard, “Establishing an Industrial Automation and Control Systems Security Program,” will provide guidance for developing a program for the security of industrial automation and control systems. It will offer detailed guidance on process activities and key elements for establishing a cyber security management system.

What’s secure?

“Our purpose is to establish standards that will define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance,” said ISA-SP99 Chairman Bryan Singer, of Rockwell Automation Inc., Milwaukee. “Compliance with our guidance will ultimately improve manufacturing and control system electronic security, and will help identify vulnerabilities and address them.”

The ISA-SP99 committee addresses industrial automation and control systems whose compromise could result in any or all of the following: impact on national security, endangerment of the public or employees, loss of proprietary or confidential information, violation of regulatory requirements and economic loss.

Other standards planned for the ISA-99 series include:

  • ISA-99 Part 3 - Operating an Industrial Automation and Control System Security Program
  • ISA-99 Part 4 - Specific Security Requirements for Industrial Automation and Control Systems

Previously, the ISA-SP99 committee developed and released two well-received technical reports: ISA-TR 99.00.01 - Security Technologies for Manufacturing and Control Systems; and ISA-TR 99.00.02 - Integrating Electronic Security into the Manufacturing and Control Systems Environment.



Asia boom, security, regulations all forces behind new business

4 October 2007
By Jim Strothman
Terrorist concerns and tougher environment regulations, coupled with a stronger U.S. economy and booming manufacturing construction in China and India, are among today’s major business drivers, ISA EXPO 2007 exhibitors said.

“We’re seeing security consciousness creeping into all industries—cyber security and physical security, meaning cameras,” said John M. Shaw, executive vice president, GarrettCom Inc., North Andover, Mass. “Extending networks with harsh environments is a major theme for us.

“We’re seeing quite a few power utilities and oil and gas companies interested in both cyber and physical security,” Shaw said. “We also supply the transportation industry,” he said.

“The key for us is the economy is growing in the Houston area, and that’s driving a lot of our traditional business—hazardous locations,” said David Hohenstein, Pepperl+Fuchs’ department manager, hardware and marketing. “Fieldbus has taken a nice expansion in recent times,” Hohenstein said. Houston is also home to major engineering companies, which Pepperl+Fuchs supplies. Several are involved in major construction projects worldwide, he said. “There are mega projects going on in the Asia Pacific regions,” helping boost business, Hohenstein said.

Terrorist concerns among water and wastewater operators are helping Inductive Automation’s business. “Security is a huge issue in the public sector,” said Don Pearson, chief strategy officer for the OPC-certified HMI/SCADA system supplier.

Eric Yax, division manager and a certified vibration specialist for IMI Sensors, Depew, N.Y., said the firm’s fault-detection sensors are selling well in the petrochemical industry in large part because the vibration market is young and his company’s equipment is relatively easy to understand.

“There’s a shortage of trained people in the world of vibration,” Yax said.

“The Alberta (Canada) oil sands, India, and Asia are all hot markets,” said Robert Torgerson, sales & marketing manager for Gayesco, Pasadena, Tex.-based temperature sensor specialists.

“There’s a lot of new construction in India and the rest of Asia. In a couple of years, that’ll happen in the mid-east. South America will follow that,” he predicted.

Gene Urbinati, Ashcroft Inc.’s global product line director for mechanical products, said he is targeting China as a near-term future market. “Both China and India are under-provided.” Meanwhile, Ashcroft is “riding the wave of a good economy,” seeing stepped-up business in commercial construction. Environment concerns, prodded by tougher EPA clean air and water acts, are also stirring up business, he observed.

Oceana Sensor, which Wednesday introduced a new wireless sensor module, said tougher U.S. Food and Drug Administration (FDA) regulations are creating business related to cold storage applications, such as transporting food. The FDA requires accurate monitoring and keeping detailed temperature records, he said—a market opportunity for sensors.

“For us, increased demand for petroleum production is helping business,” said Brad Mueller, president of A-T Controls Inc. He also said production for ethanol is on the upswing, also fueling his company’s sales. “I expect the government will subsidize it (ethanol production),” Mueller said.



ISA Security Compliance Institute Starts Recruitment for All Membership Levels

Research Triangle Park, NC (1 November 2007) -- During a formal planning teleconference last month, Founding Members of the ISA Security Compliance Institute announced the immediate opening of all membership levels in the ISASecure program for industrial automation controls security standards compliance.

Membership levels in the ISA Security Compliance Institute include Strategic Members, Technical Members, and Informational Members. Founding Strategic Members are Strategic Members who have committed to two years of membership and funding to ensure the successful launch of the ISASecure program.

The ISA Security Compliance Institute establishes an ISASecure designation, which identifies and promotes security standards compliant products and systems in the industrial automation controls industry. Certification provides formal recognition of a product's compliance to an industry standard security specification, creating a key differentiator for the product in the marketplace. Compliant products are entitled to carry the ISASecure designation, providing instant recognition of the product's security characteristics to asset owners, integrators, and the buying public.

Other announcements include extending the open period for Founding Strategic Membership applications through 31 December 2007.

The Institute's Founding Members will meet again this month to address organization building, compliance initiatives, and to set the agenda for a Founder's meeting covering governance topics at the SANS Conference, 12-16 January in New Orleans, LA.

"The Founding Members elected to open all membership levels immediately to encourage full participation from the automation controls community," stated Andre Ristaino, Managing Director of ASCI. "We are looking forward to the contributions of talented security experts from key technology providers and asset owners who have made commitments at the Technical Membership level."

Organizations in the automation controls community who are interested in the ISASecure program should contact Ristaino at aristaino@isa.org or 919-990-9222.



ISA-99 Standards: Progress on Many Fronts

November 2007, ISA99: Completes Part 1 Standard and Technical Report Revision

The ISA99 committee, Security for Industrial Automation and Control Systems, has made substantial progress on several fronts in its work to develop standards and guidelines for the electronic security of industrial automation and control systems. The committee has completed work on its first standard, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models, establishing the context for all remaining standards in the ISA99 series by defining a common set of terminology, concepts and models for electronic security. The standard is undergoing final approval by the American National Standards Institute, with publication expected in November 2007. The planned Part 2 standard in the ISA99 series, Establishing an Industrial Automation and Control Systems Security Program, was released recently for committee ballot, and will provide guidance for developing a program for the security of industrial automation and control systems—including detailed guidance on process activities and key elements for establishing a cyber security management system.

ISA99 has established a new working group to develop a further standard in the series, Technical Security Requirements for Industrial Automation and Control Systems, to define the characteristics of industrial automation and control systems that differentiate them from other information technology systems from a security point of view and, consequently, to establish the security requirements that are unique to this class of systems.

The committee has also completed an updated technical report, which is awaiting final approval by the American National Standards Institute, with publication expected in November 2007. This technical report, Security Technologies for Industrial Automation and Controls Systems, focuses on identifying and evaluating currently available technologies for control systems security.



ISA99 Cyber Security Standard and Updated Technologies Report Now Available

Research Triangle Park, NC (2 January 2008) - A new American National Standard and an update of a widely used technical report on cyber security technologies have been published by ISA.

The new standard, ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, is the first in a series of ISA standards that addresses cyber security for industrial automation and control systems (IACS). This Part 1 standard focuses on key concepts, terminology and models, and will serve as a foundation for additional standards currently in development in the ISA99 series.

The updated technical report, ANSI/ISA-TR99.00.01-2007, Security Technologies for Industrial Automation and Control Systems, provides an assessment of currently available cyber security tools, mitigation countermeasures, and technologies. The guidelines provided apply to existing and new IACSs used in regulating and monitoring numerous industries and critical infrastructures.

The technical report describes key categories of cyber security technologies, the types of products available in those categories, and the pros and cons of using those products in IACS environments relative to expected threats and known cyber vulnerabilities. Additionally, it provides recommendations and guidance for using those cyber security technology products and countermeasures.



ISA Security Compliance Institute Calls for Input on ISASecure Embedded Controller Security Assurance Conformance Specification

Research Triangle Park, NC (8 August 2008) -- The Technical Steering Committee of the ISA Security Compliance Institute is developing the Embedded Controller Security Assurance segment (ECSA) of the ISASecure conformance specification for industrial automation control systems (IACS). This specification is intended to provide assurances of secure characteristics in network connected IACS devices that monitor and control manufacturing processes in an industrial environment.

The ISA Security Compliance Institute is releasing this Call for Input to encourage a cross section of industry security experts to collaboratively create the Embedded Controller SA conformance specification. The specification will be constructed within the framework of the ISA99 Standard Foundational Requirements, will be measurable and testable, and will establish the basis for the first ISASecure conformance tests for devices.

Interested parties are asked to notify the ISA Security Compliance Institute of their interest in contributing to the ECSA via email to Andre Ristaino at aristaino@isa.org by 15 August 2008. Contact Andre Ristaino at aristaino@isa.org to request a copy of the CFI.

The Call for Input document, containing deadlines and further detail, will be posted 04 August 2008 on the home page of ISA Security Compliance Institute website at www.isa.org/ISASecure.

For more information contact Andre Ristaino, Managing Director at 919-990-9222, or email aristaino@isa.org.



New Industrial Cyber Security Management Standard Published by ISA

Research Triangle Park, NC (5 February 2009) - A second standard in the ISA99 series Security for Industrial Automation and Control Systems has been approved by the American National Standards Institute and may be obtained at www.isa.org/standards.

The new standard, ANSI/ISA-99.02.01-2009, Establishing an Industrial Automation and Control Systems Security Program, describes elements to set up a cyber security management system and provides guidance on how to meet the requirements for each element. Topics include policies, procedures, practices, and personnel.

“The great value of this standard is that it draws together the best thinking on industrial cyber security management from experts at leading companies and organizations across the globe,” states Jim Gilsinn of the US National Institute of Standards and Technology. Gilsinn served as the lead editor for the standard.

The new standard follows last year’s publication of the first standard in the series, ANSI/ISA-99.00.01, which serves as the basis of all standards in the ISA99 series by presenting key concepts, terminology, and models. Additional ISA99 standards under development will cover how to operate a security program after it is designed and implemented, and technical security requirements for industrial automation and control systems.

As American National Standards, the ISA99 series serves as the foundation for the IEC 62443 series of the same titles, which is being developed by IEC TC65 WG10, “Security for industrial process measurement and control - Network and system security.”

Also vital in ISA’s industry-leading work in cyber security for industrial automation and control systems is the ISA Security Compliance Institute. The Institute will identify and promote security standards-compliant products and systems in industrial applications. Compliant products or systems will be entitled to carry the ISASecure designation, providing instant recognition of the security characteristics to asset owners, integrators, and the buying public. For more information, visit www.isa.org/ISASecure.



ISA99 Plans Working Group on Cyber Security and Safety in Industrial Processes

May 2009 - The chairpersons of the ISA99 Industrial Automation and Control Systems Security committee have announced plans to establish ISA99 Working Group 7 (WG7): Safety and Security of Industrial Automation and Control Systems. This is a joint working group between the ISA99 committee and the ISA84 functional safety standards committee, as well as other international standards programs and related interest groups, to promote greater awareness of the impact of cyber security issues on the safe operation of industrial processes.

The next logical step for the ISA99 standards committee is to investigate how to protect industrial processes against systematic and intentional threats. These cyber security threats against industrial automation and control systems can result in dangerous failures, making the challenge of protecting these systems unique from traditional IT security. As technologies such as wireless, Ethernet, and computer information systems gain increased acceptance in industrial automation, the need for design strategies and methodologies to identify and mitigate risk is clear. Leveraging expertise found in both the ISA84 and ISA99 committees is a solid strategy to address these challenges.

The ISA84 committee represents one of the most significant efforts in functional safety, and has been foundational in the downward trend of dangerous failures in industrial automation. “The ISA84, and subsequent work in IEC 61508 and IEC 61511, identifies cyber security as a potential threat to safe operation, but our scope focuses mostly on hardware faults and device reliability,” says William Johnson, chair of the ISA84 committee. “The ISA99 joint working group with ISA84 represents a significant complement to our work as it addresses faults and emerging threats today that jeopardize safe operations in ways that many were less concerned, even a few years ago.”

ISA99 Working Group 7 will be chaired by Mike Boudreaux of Emerson Process Management and ISA99 co-chair Bryan Singer, of Kenexis Security. James Gilsinn of the National Institute of Standards and Technology (NIST) will serve as the technical editor. The working group’s initial tasks include:

  • Completing a Security Assurance Level methodology for cyber security, similar to that of the current Safety Integrity Levels (SIL) defined in ISA84
  • Defining and developing processes for identifying intentional and systematic threats that can expose process hazards. “Today when we consider only the probability of hardware failures in a hazards analysis, we can miss significant sources of risk to process safety,” says ISA99 co-chair Eric Cosman. “This can be a dangerous assumption, in the modern interconnected and software-driven plant, when considering intentional threats such as viruses, malware, and hackers, but also unintentional systematic faults like poor network performance or network failures. This working group is important to helping engineers solve the problem of cyber security in industrial process safety systems.”



ISA SP99 Security Standards Progress

ISA's SP99 standards development committee is making substantial progress on several fronts in its work to develop standards and guidelines for the electronic security of industrial automation and control systems.

The committee has conducted a second round of voting on the draft standard, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models. The draft received enough votes to pass, but the committee will evaluate all comments and reissue another draft if necessary. This first standard will establish the context for all of the remaining standards in the ISA-99 series by defining a common set of terminology, concepts and models for electronic security.

The planned Part 2 standard in the ISA-99 series, Establishing an Industrial Automation and Control Systems Security Program, is being prepared for its own second committee ballot in the coming months. This standard will provide guidance for developing a program for the security of industrial automation and control systems, including detailed guidance on process activities and key elements for establishing a cyber security management system.

In addition to the work on the Part 1 and Part 2 standards, ISA-SP99 has also established a new working group to develop a further standard in the series, Specific Security Requirements for Industrial Automation and Control Systems. This standard will define the characteristics of industrial automation and control systems that differentiate them from other information technology systems from a security point of view. Based on these characteristics, the standard will establish the security requirements that are unique to this class of systems.

Beyond its work on the initial standards in the ISA-99 series, the committee is also planning to release a revised and updated technical report, first published in 2004, for committee vote. This technical report, Security Technologies for Industrial Automation and Controls Systems, focuses on identifying and evaluating currently available technologies for control systems security, covering areas including:

  • Authentication and Authorization
  • Filtering/Blocking/Access Control
  • Encryption and Data Validation
  • Audit, Measurement, Monitoring and Detection Tools
  • Operating Systems
  • Physical Security

Each technology is discussed in terms of security vulnerabilities addressed by the technology, typical deployment, known issues and weaknesses, use in the industrial automation and control systems environment, future directions, recommendations and guidance, and references.

ISA's SP99 committee is focused on industrial automation and control systems whose compromise could result in endangerment of the public or employees, regulatory violations, loss of proprietary or confidential information, and national security risks. The concept of manufacturing and control systems electronic security is applied in the broadest possible sense, encompassing all types of plants, facilities, and systems in all industries.
