Flow Control was able to catch up with Eric Cosman, current co-chairman of the ISA99 Committee, to talk about the past, present and future of control systems security. The ISA99 Committee is devoted to developing standards and technical reports for end-users with the aim of establishing common methods and best practices for industrial automation and control systems security. This Q&A serves as a teaser for a feature focus on ISA99 scheduled to appear in the November issue of Flow Control magazine.
Q: How has control systems security, and the level of concern about it, evolved in the industrial segment over the past 5-10 years?
A: Interest in, and concern about, industrial control systems security has been increasing fairly steadily for about the past 10 years. This is a reflection of both increased awareness of risk, as well as the higher profile of these systems within the community of researchers and potential attackers. Greater attention to this risk is also coming from various other areas, such as government, trade associations, and regulators. Most recently the relationship between improved security and process safety is also a subject of increased interest.
Q: Is control systems security something all industrial end-users should be concerned about, or is it exclusive to any specific industries, applications, etc.?
A: Any asset owner or installation who employs some sort of automated control has the potential to be impacted by cyber risks, regardless of industry or nature of the process. The risks arise from both targeted and non-specific attacks. This potential increases as more and more of these systems employ "commercial off the shelf" technologies (e.g., operating systems, networks, etc.). Physical separation (i.e., no network connection) provides only limited protection as attack vectors include portable media and other means.
Q: Why is ISA99 important for industrial end-users to consider when designing their control systems in the modern age?
A: The ISA99 committee was established in late 2002 for the express purpose of developing standards and technical reports in this area. This series is specifically designed to address a wide range of process automation configurations across virtually all industry sectors. Moreover, the standards are being developed with full cooperation and contribution from virtually all major suppliers of industrial automation systems.
The initial plan called for two standards and a technical report. This has now been expanded to a more comprehensive suite of 13 documents. Several of these have been published and many more are available as drafts for comment. These standards are being developed in collaboration with IEC Technical Committee, Working Group 10. The result of this collaboration will be that standards will be almost immediately approved and released as both ISA and IEC international standards.
Q: What are some of the key accomplishments of the ISA99 Committee thus far, and what does the committee expect to accomplish going forward?
A: The committee has been successful in establishing itself as a key source of very specialized expertise in the area of industrial control systems security. All participants are volunteers, bringing experience and expertise from a wide range of vendors and asset owners. The total committee membership is now well over 500. We have also established several formal liaison relationships with other groups working in related areas. These include the previously mentioned IEC TC65 WG10, as well as ISO SC 27, the ISA84 committee on process safety, and several other ISA committees. Potential new liaison relationships are considered as required.
The most tangible result of the committee's work is the existence of the various standards and technical reports. Three standards and a technical report have been completed and formally published, six more are available as some level of a draft. An additional three work products are still in the planning stage, with first drafts not yet being available.
ISA standards are developed using an open, ANSI accredited process; therefore, all drafts are available for review and comment by interested parties.
More information about ISA99 is available at http://isa99.isa.org.
Eric C. Cosman is an industry leader in the area of industrial systems cyber security, with a specific emphasis of the implications for manufacturing operations. He is a founding member and the current co-chairman of the ISA99 Committee on industrial automation and control systems security and the vice president of standards and practices at the International Society for Automation (ISA). Eric is also a consulting engineer with The Dow Chemical Company.