ISA releases site assessment program for OT cybersecurity, compliant with ISA/IEC 62443 standards


The International Society of Automation (ISA), along with the ISA Security Compliance Institute (ISCI), announced this week its intention to create an all-new conformity assessment scheme for automation systems deployed at operating sites. The site assessment program is based on the ISA/IEC 62443 consensus-based automation and control systems cybersecurity standards. It will apply to all types of automation and control systems in industries ranging from traditional process industries to critical infrastructure such as oil and gas, chemicals, and water/wastewater.

The move is widely described as a ‘critical and long overdue addition to the landscape of operational technology (OT) cybersecurity solutions.’ The program is intended to encourage broad industry adoption of the ISA/IEC 62443 operating site cybersecurity standards and best practices. ISA and ISCI also plan to build and oversee a related training and credentialing program for site assessors. ISA and other training organizations already offer training on the ISA/IEC 62443 operating site standards.

The ISA anticipates a development schedule of 12 to 14 months and expects to formally launch the program in the fourth quarter of this year or early next year. 

The OT cybersecurity site assessment scheme would certify individual automation and control systems that are in the operation and maintenance phase of their security lifecycle at end-user sites. The scope would be all types of automation and control systems in all industries, beginning with traditional process industries and adjacent industries in critical infrastructure such as oil and gas, chemicals, and water/wastewater.

The second target market segment will be the building technology sector, starting with traditional office buildings and commercial real estate, in cooperation with its partners at Building Cybersecurity (BCS).

The new scheme includes a site assessment program and a site certification program. The result of an operating site certification will be a third-party certificate of conformance which independently confirms that a designated system in the scope of the evaluation conforms to all requirements referenced in the five ISA/IEC 62443 standards listed in the certification scheme. The full set of ISA/IEC 62443 requirements would have to be met to receive a certification, including requirements from ISA/IEC 62443 parts 2-1 (security program requirements for asset owners), 2-3 (patch management), 2-4 (security program requirements for service providers), 3-2 (security risk assessment for system design), and 3-3 (system security requirements and security levels). In practice this means a site certification covers the owner's security program and the integrator's processes as well as the technical controls of the system itself, not a technical audit alone.

The result of an operating site assessment, by contrast, will be a standardized assessment report compiled by a third party. It identifies the requirements to which the designated system in the scope of the evaluation conforms and lists the requirements to which the system does not conform, without requiring full conformance as the certification does.

Going forward, this program will include a training component and will fund the ISA training department to build and oversee related training and credentialing programs. ISA expects these credentials to be sought after in the same way as the existing ISA/IEC 62443 cybersecurity training pathways and other professional cybersecurity designations.

The intended outcome is to encourage broad industry adoption of the ISA/IEC 62443 operating site cybersecurity standards and best practices by companies, the inclusion of them in internal operating standards, and expansion to multiple industry sectors. This broad adoption is what is needed to secure automation that affects daily lives. 

The proposal frames the problem as follows: suppliers have rallied around and adopted ISA/IEC 62443 and its certification scheme, ISASecure, for commercial-off-the-shelf (COTS) automation and control system products. “But asset owners and plant managers have yet to coalesce around a single cybersecurity assessment scheme for OT deployed at operating sites…relying instead upon a patchwork of third-party solutions that may not promote ICS security best practices and may leave operating sites vulnerable,” it added.

To address this, ISA seeks to establish an ISA/IEC 62443-based operating site cybersecurity assessment scheme that will become the global standard used by operating sites, certification bodies, internal auditors, and public policymakers. When fully adopted by all stakeholders, the scheme would play a role similar to the GAAP (Generally Accepted Accounting Principles) rules published by the FASB, which are used by organizations, financial auditors, and regulatory authorities alike.

ISA said that it anticipates the demand for this program to be even higher than the market for existing OT certifications. 

ISA has offered the ISASecure certification scheme for the ISA/IEC 62443 standards since 2007, beginning with the certification of commercial-off-the-shelf (COTS) automation and control systems, and the program is widely regarded as the reference for product certification in this arena. ISASecure continues to expand its coverage with its recent announcement of certifications for IIoT components to the ISA/IEC 62443 standards, and plans for a Certified ISASecure Assessor designation.

Taken together with ISASecure’s existing position in the market, these plans and the proposed site assessment program are intended to make the ISASecure line of certifications a one-stop shop for OT cybersecurity conformity assessment, covering products, service providers, and now operating sites.

To begin development of the certifications, ISASecure is seeking stakeholder funding commitments in the form of membership dues, donations, and volunteer time. “With $250,000 in seed money provided by ISA, we are now seeking a minimum of $1.62 million from the community of interest to begin the work. We anticipate a development schedule of 12-14 months and will hope to launch the program in Q4 2023,” it added.

“We are inviting companies who are interested in supporting and promoting this program to participate; particularly end-users whose support is critical to this program’s success. Supporters may participate in specification development, provide funding, or simply provide public support,” Andre Ristaino, managing director of ISA Consortia and Conformity Assessment Programs, said in a media statement.

“The proposed site assessment scheme will have a critical role in the OT cybersecurity landscape—the automation systems at the operating site itself,” Brandon Price, senior principal engineer for ICS cybersecurity at ExxonMobil and current ISCI Board Chairman, said. “This standards-based program is unique, and we anticipate it will become the global standard used by operating sites, certification bodies, internal auditors, and public policymakers.”

The new site assessment program comes at a time when a cybersecurity expert has called upon company executives, risk managers, boards of directors, insurance companies, and credit rating agencies to recognize the economic and safety benefits of process sensor monitoring.

“The flip side is not only unnecessary shutdowns, but also unsafe and inefficient operation,” Joe Weiss wrote in his latest blog post. “It is vital that a ‘non-hackable,’ ground-truth view of the physical process be available regardless of the state of IT and OT networks. Moreover, process sensor monitoring is agnostic with respect to the cause of an anomaly. Whether that anomaly comes from sensor miscalibration, sensor drift, process or equipment anomalies, or cyber threats, the monitoring will flag it as anomalous,” he added.
