The International Society of Automation Global Cybersecurity Alliance (ISAGCA) recently announced its priorities for 2021. The ISAGCA’s priorities for the year ahead indicate a renewed focus on the ISA/IEC 62443 series of cybersecurity standards. These standards provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems.
“Consistent, global adoption of the ISA/IEC 62443 series of standards will help vendors, third parties, end users—indeed the entire digital supply chain—effectively and proactively manage risks to their people, assets, and operations,” ISAGCA Advisory Board Vice Chair Sharul Rashid, Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS, said in a press release.
The ISA created the ISAGCA to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. It is made up of 40 member companies, bringing together end-user companies, automation and control systems providers, IT infrastructure providers, service providers, system integrators, and other cybersecurity stakeholder organizations.
“The march of digital technology and open process automation initiatives means global industry continues to advance at great pace,” Rashid said. “But in our haste to reap the benefits of digitalization, we must not lose sight of cybersecurity as a key piece of the productivity puzzle. Our priorities this year will help keep global focus on securing critical assets from harm.”
In 2021, the organization plans to prioritize advocating for the inclusion of the ISA/IEC 62443 series of cybersecurity standards in global policies around improving critical infrastructure cybersecurity. The ISAGCA has also committed to publishing a detailed, auditable cross-referencing guide that maps the ISA/IEC 62443 series of standards to other cybersecurity standards across multiple industries.
“The technologies that control and automate the world’s most critical operations, including the facilities where we work and live, are under constant threat and attack,” ISAGCA Advisory Board Chair Megan Samford, Vice President and Chief Product Security Officer for Schneider Electric’s Energy Management business, said in the release.
The ISAGCA also plans to issue comparison analysis reports that identify the implications of selecting and applying the ISA/IEC 62443 series of standards and help minimize the effort it takes to comply with cybersecurity standards and policies. The group has pledged to create an insurance underwriters’ work group that will determine how to leverage ISA/IEC 62443 in creating and adjusting cybersecurity-related insurance policies. It will also publish a two-part report that analyzes the use of ISA/IEC 62443 to secure IIoT reference architectures.
This year, the ISAGCA will also release a slate of new educational training, including an operations technology-focused course on basic cybersecurity hygiene for technicians and operators and microlearning modules about cybersecurity principles and the basics of the ISA/IEC 62443 series of standards.
“Given how important the ISA/IEC 62443 standard has become to limiting, mitigating, and even eliminating these threats, the projects and programs we have launched within the ISA Global Cybersecurity Alliance this year will deliver clarity, alignment, and education and further our collective ability to improve control and automation systems cybersecurity,” Samford said.
Industrial Cyber talked to Samford about the standards and why the ISAGCA decided to prioritize them this year.
“ISA Global Cybersecurity Alliance is the cross-sector forum advocating for adoption of ISA/IEC 62443 as the automation control systems cybersecurity standard for consistently managing risk,” Samford says. “We have always been focused on the series of standards, but this year, we are taking extra measures to drive awareness and ease implementation because the series is proven in use to eliminate, reduce, and mitigate cyber risks across segments and markets. Our 2021 priorities reflect different ways that we plan to advance that conversation with multiple industry sectors.”
Samford says the operational technology used to automate critical infrastructure and commercial facilities that are integral to our daily life is experiencing a rapid increase in cybersecurity attacks. She attributes this increase to the push toward digitalization, which tends to create new cybersecurity gaps when security is not included at the foundation of the digital strategy.
“COVID-19 forced new working and operating models on companies who were not adequately prepared or knowledgeable about how the security of their operations would be affected,” Samford says. “We’ve seen a marked increase in digital supply chain risks, like SolarWinds, Ripple20, etc. As a result, OT has become a bigger playground for bad actors — and the means, resources, skills, and motivation of attackers have increased significantly.”
According to the ISAGCA, the consequences of a cyber attack on an industrial automation control system can include endangerment of public or employee safety or health, damage to the environment, damage to equipment and loss of product integrity.
“The impact of cybersecurity incidents can be serious, affecting life, safety, the environment, and economic viability across sectors,” Samford says. “Public and private sectors need clarity and alignment on how to improve control systems cybersecurity, and we believe leveraging a common set of industry-adopted and proven standards is the best path forward.”
The standards define requirements and procedures for implementing electronically secure industrial automation and control systems (IACS) and security practices, and for assessing electronic security performance. They have been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations.
“ISA/IEC 62443 standards provide consistent language and mature controls to manage cyber risk,” Samford says. “The series of standards, which has already been adopted by the world’s foremost providers of automation systems, software and solutions, enables asset owners and the entire automation and control systems ecosystem to manage the cyber risks that threaten their people, assets and operations, including their systems and devices. The ISA/IEC 62443 family of standards complements other security frameworks and standards, such as NIST (CSF, 800-53, 800-82), by addressing the technical and operational requirements of automation and control systems.”
The ISA/IEC 62443 standards are divided into different sections and describe both technical and process-related aspects of industrial cybersecurity, with role-based guidance for operators, service providers, and manufacturers. They provide information related to establishing an IACS security program, patch management in the IACS environment, security program requirements for IACS service providers, and implementation guidance for IACS asset owners.
“By leveraging the ISA/IEC 62443 series of standards, critical infrastructure and commercial facilities will be better protected against cyber threats because the ecosystem of suppliers, asset owners, and service providers will have a common security framework that is both proven in use and purpose-built for automation and control systems,” Samford says.