This piece was originally published in the May 2018 issue of electroindustry.
Jim Gilsinn, Principal Engineer, Kenexis
Mr. Gilsinn co-chairs the ISA99 committee, which is developing the ISA/IEC 62443 series of standards.
It’s been more than a decade since the International Society of Automation (ISA) published its first standard on securing industrial automation and control systems (IACS), referred to as the ISA/IEC 62443 series. One of these standards, which was released earlier this year, addressed a secure development lifecycle. Another will be released shortly with functional requirements for IACS components. Manufacturers need to be aware of these standards to build more secure products.
The ISA99 committee has spent considerable effort writing—and rewriting—standards and technical reports to address various aspects of cybersecurity for IACS. In that time, ISA99, in cooperation with the International Electrotechnical Commission (IEC), published seven standards and technical reports. This may seem like a glacial pace, especially given how fast cybersecurity is moving.
Since the initial publication, the IACS cybersecurity landscape has changed drastically. There have been major IACS-targeted malware incidents, including Stuxnet, Havex, BlackEnergy, and Triton, as well as numerous other incidents of IT-style malware spreading to the IACS environment. There are now tools for searching the internet for any device using IACS protocols and security tools for automating attacks against those systems.
With more than 700 members on the ISA99 mailing list and 50 or so active members, why does it take so long to produce anything usable? Creating international consensus standards can be an arduous process, especially with a committee as large as ISA99. People love well-written and usable standards; writing and producing something that is useful to a broad audience, however, is often difficult and tedious. (International standards are one place where there are arguments over the Oxford comma.)
How can the process be sped up? How can standards committees be more responsive to changes in the industry and the security landscape? Is it possible to update them more frequently? These questions are not new and will continue to be asked about almost every consensus standards organization.
One of the biggest challenges is people. ISA99 is a volunteer organization. ISA supports the committee with editorial and clerical help, but the technical work is taken on by people working for IACS organizations. Committee members often take time away from their day jobs to participate in meetings and provide content. Having more people means the workload can be distributed.
Another challenge involves the IEC voting periods, which can be as long as seven months for a single draft version of a standard. ISA has made a commitment to publish the 62443 standards with IEC. This means that ISA99 cannot produce standards as rapidly but also means that the standards are more broadly accepted internationally.
One tactic that ISA99 has taken in cases like Stuxnet, and the more recent Triton, is to gather industry experts to produce a report on ways to improve the standard based on the recent incident. The experts review the available material about the incident and suggest changes to the standard where appropriate.
ISA99 will continue to develop and revise standards for IACS for the foreseeable future. In the end, the hope is to have a high-quality set of functional standards that are broadly usable by many industries.