In the year ahead, the ISA Global Cybersecurity Alliance (ISAGCA) seeks to advocate for the inclusion of the ISA/IEC 62443 series of cybersecurity standards in global policies intended to improve critical infrastructure cybersecurity, and to publish a fully detailed, auditable cross-referencing guide that maps the ISA/IEC 62443 standards to other cybersecurity standards across multiple industries.
The alliance plans to issue comparison analysis reports that identify the implications of selecting and applying the ISA/IEC 62443 series of standards and help minimize the effort it takes to comply with cybersecurity standards and policies, ISAGCA said in a press statement. It will also create an insurance underwriters’ work group that will determine how to leverage ISA/IEC 62443 standards to create and adjust cybersecurity-related insurance policies.
The ISAGCA was created by the International Society of Automation (ISA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. It brings together end-user companies, control system vendors, IT and operational technology (OT) infrastructure providers, system integrators and other cybersecurity stakeholder organizations to proactively address growing threats.
The objectives of the ISAGCA include the acceleration and expansion of standards, certification, education programs, advocacy efforts, and thought leadership. Member companies will identify and prioritize initiatives, work to proliferate adoption of, and compliance with, global standards, and contribute to workforce education and certification programs.
Made up of 40 member companies, the ISAGCA will publish a two-part report that analyzes the use of ISA/IEC 62443 standards to secure IIoT reference architectures. It will also formalize recommended best practices to improve cyber incident response plans, in collaboration with the ICS4ICS public-private partnership tasked with creating an incident command system for industrial control systems.
The group also plans to make available a slate of new educational training, including an operations technology-focused course on basic cybersecurity hygiene for technicians and operators and microlearning modules about cybersecurity principles and the basics of the ISA/IEC 62443 standards.
“Given how important the ISA/IEC 62443 standard has become to limiting, mitigating, and even eliminating these threats, the projects and programs we have launched within the ISA Global Cybersecurity Alliance this year will deliver clarity, alignment, and education and further our collective ability to improve control and automation systems cybersecurity,” said Megan Samford, ISAGCA advisory board chair. She is also vice president and chief product security officer for Schneider Electric’s energy management business.
The ANSI/ISA 62443 series of automation and control systems cybersecurity standards, developed primarily by ISA, has been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations. The standards define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices, and for assessing electronic security performance. The standards approach the cybersecurity challenge holistically, bridging the gap between operations and information technology.
“Consistent, global adoption of the ISA/IEC 62443 series of standards will help vendors, third parties, end users—indeed the entire digital supply chain—effectively and proactively manage risks to their people, assets, and operations,” said Sharul Rashid, ISAGCA advisory board vice chair. He is also custodian engineer and group technical authority of instrumentation and control at PETRONAS.
Last March, the ISA and the ISAGCA released a consensus-based automation cybersecurity standards guide, which provides a high-level view of the objectives and benefits of these standards, along with easy-to-use explainers on how to navigate them. The guide explores how and why IT and OT/ICS need unique types of protection against cyber threats and offers the latest recommendations on patch management.