In a world that is becoming increasingly dependent on electronically automated control systems, industrial cyber security is more crucial today than at any time in the past. Out of this reality was born ISA99, a committee-based effort to devise standards and protocols for control systems security.
The ISA99 Committee, established in 2002, consists of industrial cyber security experts from around the globe who are working to develop standards and technical reports for end-users with the aim of establishing common methods and best practices for industrial automation and control systems security.
“[ISA99] is specifically designed to address a wide range of process automation configurations across virtually all industry sectors,” says Eric Cosman, ISA99 co-chair. “Moreover, the standards are being developed with full cooperation and contribution from virtually all major suppliers of industrial automation systems.”
The committee’s rules and guidance are designed to improve the confidentiality, integrity, and availability of components or systems used for industrial automation and control. The resulting recommendations are intended to help end-users prevent unwanted access to their systems and electronic data, and to identify potential vulnerabilities in their systems in order to prevent equipment failure.
Concerns over control systems security have steadily increased over the past 10 years, which has heightened awareness among a range of stakeholders. “Greater attention to this risk is also coming from various other areas, such as government, trade associations, and regulators,” says Cosman. “Most recently, the relationship between improved security and process safety is also a subject of increased interest.”
The ISA99 Committee lists the following as its main concerns regarding industrial automation and control systems security breaches:
- Endangerment of public or employee safety
- Loss of public confidence
- Violation of regulatory requirements
- Loss of proprietary or confidential information
- Economic loss
- Impact on national security
“Any asset owner or installation that employs some sort of automated control has the potential to be impacted by cyber risks, regardless of industry or nature of the process,” says Cosman. “The risks arise from both targeted or non-specific attacks. This potential increases as more and more of these systems employ ‘commercial off the shelf’ technologies (e.g., operating systems, networks, etc.). Physical separation (i.e., no network connection) provides only limited protection as attack vectors include portable media and other means.”
The need for a committee like this will only become more important as industrial end-users rely more heavily on automated control systems. Being up-to-date on the most successful security strategies could be key to operating a sustainable and efficient system.
“The most tangible result of the committee’s work is the existence of the various standards and technical reports,” says Cosman. “Three standards and a technical report have been completed and formally published, while six more are available at some level of draft. An additional three work products are still in the planning stage, with first drafts not yet available.”
All drafts are available for review by interested parties at isa99.isa.org.