New ISA position paper urges reliance on relevant standards, training to advance industrial cybersecurity

ISA Advancing Industrial Cybersecurity

The International Society of Automation (ISA) published a new position paper that offers recommendations on how policymakers and private-sector leaders can effectively address the pressing issue of enhancing critical infrastructure cybersecurity. Released this week, the paper points to globally relevant standards and conformance programs and voices support for the community of engineers and automation professionals working to keep facilities, processes, and communities safe.

Titled ‘Advancing Industrial Cybersecurity,’ the paper outlines that the impacts of cyber intrusions on banking, business, and government networks and databases have been widely publicized and are well known to the general public. Much less publicized and understood are the devastating impacts to public safety and welfare that could result from cyber-attacks on the networks and technology that underlie the vast critical infrastructure and manufacturing sectors on which all modern economies depend.

While certain high-profile incidents, such as TRISIS, NotPetya, and STUXNET, have made international news, control system cyber incidents have in fact been more numerous and more impactful than most people are aware, the position paper said.

“At the core of this challenge is identifying control system events and reportable cyber incidents. Understanding the unique nature of control system equipment —and the impact of a compromise of that equipment on physical processes— requires specialist training for the engineering and automation community,” the paper detailed. “Such training is available from the International Society of Automation (ISA); however, a major concern is that not enough engineers are equipped for the unique and growing challenges of the industrial cybersecurity environment.” 

It added that training is just one need among many – in reality, what a lot of organizations require is a cultural shift that prioritizes cybersecurity alongside functionality, efficiency, and safety as one of the fundamental workplace tenets. “Until organizations prioritize cybersecurity at this level, even the best equipped and most trained engineers will be challenged to fully protect their industrial or infrastructure environment.”  

“In addition to raising awareness about the existing standardization solutions to support critical infrastructure, our position paper calls for greater awareness, education, and training to equip engineers for the unique and growing challenges of the industrial cybersecurity environment,” Steve Mustard, ISA Treasurer and industrial cybersecurity subject matter expert, said in a press release. “Training is just one need among many. In reality, what a lot of organizations require is a cultural shift that prioritizes cybersecurity alongside functionality, efficiency, and safety as one of the fundamental workplace tenets.”

The ISA paper said that the U.S. National Cybersecurity Strategy and its Implementation Plan address these dangers by explicitly calling for expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance. They also call for enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services. 

“However, the National Cybersecurity Strategy does not address the need for the engineering community to be involved, nor is the focus on control systems and processes. Further, the strategy does not specifically mention the leading consensus standards and conformance programs for industrial cybersecurity,” the ISA said. “The European Union (EU)’s second iteration of the Network and Information Systems (NIS) Directive, NIS2, contains stricter rules and applies to a broader set of industries. Together with the EU’s Critical Entities Resilience directive, this will see member states incorporating key provisions on cybersecurity into their national law.” 

To help address the challenge of protecting critical infrastructure, ISA produces a series of international consensus standards addressing the security of industrial automation and control systems. 

The ISA/IEC 62443 series of standards provides a flexible and comprehensive framework to address and mitigate current and future security vulnerabilities in those systems. “This series of standards meets the World Trade Organization’s criteria for international standards. The International Electrotechnical Commission (IEC), one of three United Nations-sanctioned standards developers, has adopted the series, and designated it as having ‘horizontal’ status, establishing primacy across the entirety of the vast range of IEC technical committees and subcommittees on matters pertaining to cybersecurity in industrial, critical infrastructure, and related applications.”

The paper also disclosed that the United Nations Economic Commission for Europe has integrated the series into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. 

ISA takes the position that mandating cybersecurity measures through prescriptive regulations is undesirable. Instead, regulations should support the use of risk-based approaches built on published consensus-based technical standards and conformance measures. It also states that standards which take account of the unique characteristics of industrial automation and control systems should be used in preference to more general information technology standards.

The association recommends that governments looking to secure their critical infrastructure should adopt by reference the ISA/IEC 62443 series of consensus standards addressing the security of industrial automation and control systems. They must also direct their regulations towards ensuring that critical infrastructure owner-operators apply a formal risk-based approach to cybersecurity management.

It suggests that organizations looking to secure their critical infrastructure should support their front-line engineers by fostering a cybersecurity culture within their organization, one that prioritizes cybersecurity alongside other fundamental workplace tenets like efficiency and safety. They must also provide ample opportunities for engineers to be trained and certified on the specific cybersecurity requirements of industrial automation and control systems.

The ISA is committed to developing and maintaining consensus-based standards, conformance programs, and guidance that secure industrial automation and control systems using a flexible risk-based approach that ensures any size organization in any sector can use it appropriately and efficiently. 

It is also focused on providing training resources to advance the understanding and application of the standards, promoting their adoption by providing vendor- and sector-agnostic guidance on how to apply them, and working with governments around the world to adopt standards and guidance to secure critical infrastructure.

In conclusion, the ISA position paper identifies that an industrial automation and control system is so much more than its hardware. It also includes the people and work processes needed to ensure the safety, integrity, reliability, and security of the control system. Policymakers and private-sector organizations alike must strongly consider the need for compliance with global consensus standards for industrial automation and control system cybersecurity, and must also create a culture of support and continuous training for the engineers who keep control systems operating at their best.

Earlier this month, the Industry IoT Consortium (IIC) and the International Society of Automation (ISA) announced updates to the IoT Security Maturity Model (SMM): ISA/IEC 62443 Mappings for Asset Owners and Product Suppliers and Service Suppliers. The updates also consider significant updates to the 62443-2-1 standard for industrial automation and control systems security programs.
