The chairpersons of the ISA99 Industrial Automation and Control Systems Security committee have announced plans to establish ISA99 Working Group 7 (WG7): Safety and Security of Industrial Automation and Control Systems. This is a joint working group between the ISA99 committee and the ISA84 functional safety standards committee, as well as other international standards programs and related interest groups, to promote greater awareness of the impact of cyber security issues on the safe operation of industrial processes.
The next logical step for the ISA99 standards committee is to investigate how to protect industrial processes against systematic and intentional threats. These cyber security threats against industrial automation and control systems can result in dangerous failures, making the challenge of protecting these systems unique from traditional IT security. As technologies such as wireless, Ethernet, and computer information systems gain increased acceptance in industrial automation, the need for design strategies and methodologies to identify and mitigate risk is clear. Leveraging expertise found in both the ISA84 and ISA99 committees is a solid strategy to address these challenges.
The ISA84 committee represents one of the most significant efforts in functional safety, and has been foundational in the downward trend of dangerous failures in industrial automation. “The ISA84, and subsequent work in IEC 61508 and IEC 61511, identifies cyber security as a potential threat to safe operation, but our scope focuses mostly on hardware faults and device reliability,” says William Johnson, chair of the ISA84 committee. “The ISA99 joint working group with ISA84 represents a significant complement to our work as it addresses faults and emerging threats today that jeopardize safe operations in ways that many were less concerned, even a few years ago.”
ISA99 Working Group 7 will be chaired by Mike Boudreaux of Emerson Process Management and ISA99 co-chair Bryan Singer, of Kenexis Security. James Gilsinn of the National Institute of Standards and Technology (NIST) will serve as the technical editor. The working group’s initial tasks include:
· Completing a Security Assurance Level methodology for cyber security, similar to that of the current Safety Integrity Levels (SIL) defined in ISA84, and
· Defining and developing processes for identifying intentional and systematic threats that can expose process hazards.
“Today when we consider only the probability of hardware failures in a hazards analysis, we can miss significant sources of risk to process safety,” says ISA99 co-chair Eric Cosman. “This can be a dangerous assumption, in the modern interconnected and software-driven plant, when considering intentional threats such as viruses, malware, and hackers, but also unintentional systematic faults like poor network performance or network failures. This working group is important to helping engineers solve the problem of cyber security in industrial process safety systems.”
Founded in 1945, the International Society of Automation (www.isa.org) is a leading, global, non-profit organization that is setting the standard for automation by helping over 30,000 worldwide members and other professionals solve difficult technical problems, while enhancing their leadership and personal career capabilities. Based in Research Triangle Park, North Carolina, ISA develops standards; certifies industry professionals; provides education and training; publishes books and technical articles; and hosts the largest conference and exhibition for automation professionals in North America. ISA is the founding sponsor of The Automation Federation (www.automationfederation.org).