“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: ‘Cybersecurity is much more than an IT topic.’” - Stephane Nappo, Global Head Information Security for Société Générale International Banking
October is Cybersecurity Awareness Month here in the US where I live. The Cybersecurity & Infrastructure Security Agency (CISA) coordinates events throughout the month to help promote awareness among individuals and organizations. Many large, multinational companies organize their own events this month for the same reason. Cybersecurity incidents are a major risk to individuals and organizations. Understanding and managing this risk is something everyone needs to be able to do.
Most of you reading this will no doubt be aware that cybersecurity in the context of control system environments is a very different matter from what some might consider to be cybersecurity. While the impact of a ransomware attack on an IT system can be significant to the organization affected, the impact of a cybersecurity incident on a basic process control system or safety system can have devastating consequences, including harm to people, damage to the environment, and major operational impacts such as damage to expensive machinery or production outages.
ISA started the process of developing standards for security in industrial automation and control systems (IACS) in 2002. The ISA99 committee continues to develop standards with over 1,200 individuals from all over the world in all sectors. ISA/IEC 62443 is the world’s only consensus-based security standard for IACS and codifies hundreds of person-years of operational technology and Internet of Things (IoT) cybersecurity subject matter expertise.
Back in 2002, the US was recovering from the terrorist attacks of 9/11, and that, together with some other notable security incidents such as the one in Maroochydore, Australia, made it clear that control systems security needed to be addressed. Around that time, I began my journey on the control systems security path with a meeting in a secure government building on the banks of the River Thames, London, UK. Asset owners and vendors came together with UK government officials to discuss how to tackle this problem. While much has changed in the last 20 years, I can also say that some things have not changed enough. Go to any industrial facility today and you will find security vulnerabilities that should not be there. I believe our profession still has much to do if we are going to properly manage the security risk posed to our control system environments.
This is something that ISA is uniquely placed to address:
- ISA’s cybersecurity certificate program covers the complete lifecycle of IACS assessment, design, implementation, operations, and maintenance. The cybersecurity certificates are awarded to those who successfully complete a designated training course and pass a multiple-choice exam. The training course and exam can easily be taken online.
- The ISA Global Cybersecurity Alliance (ISAGCA) was formed to accelerate adoption of standards, certification, and education programs; to support advocacy efforts; and to promote thought leadership. Member companies identify and prioritize initiatives, work to proliferate adoption of and compliance with global standards, and contribute to workforce education and certification programs.
- Our Safety and Security Division is actively working to help our profession with this challenge. I believe there is nothing more important in our profession than understanding the relationship between safety and security. The division recently recorded an OnPoint (free for ISA members) about using CHAZOP (Control/Computer HAZard and OPerability) for the evaluation of automation systems. Building on the successful HAZOP technique, CHAZOP provides a systematic, multi-disciplinary technique to improve the safety, security, and operability of computer-based control systems. It is used as a complementary Failure Modes, Effects, and Diagnostic Analysis (FMEDA) tool after the completion of HAZOP to refine the automation specifications.
- ISA has many publications that are available to improve knowledge and awareness in our profession. I wrote the Mission Critical Operations Primer to help support a US Government-funded entry-level program called Certified Mission Critical Professional, with an emphasis on industrial security. ISA recently published a book called Security PHA Review, by Edward Marszal and Jim McGlone, with the theme of using proven safety methods to better understand and manage industrial security risks. I recently finished a final draft of a new book on industrial security which continues this important theme.
- ISA is hosting a conference on cybersecurity standards implementation. This event is focused on how to adopt the ISA/IEC 62443 series of standards in a smart, proactive, and efficient way. Properly implemented, the series of standards will drive operational excellence, and this conference will teach people how.
I believe organizations need to better manage their cybersecurity risk by:
- Investing time and effort into developing their people with training;
- Investing in newer technologies, lifecycle upgrades, and better security technologies; and
- Creating clear policies, procedures, guidelines, and roadmaps aimed at improving their processes to better reflect the threat they face.
ISA can help organizations through this process by training people and helping them understand how to select the right technologies and develop the right policies, procedures, and guidelines.
As always, feel free to contact me if you have any thoughts or comments. What do you need to help manage your organization’s cybersecurity risk? Share any ideas with me on how ISA can help our profession in this critical area. Properly understanding and managing cybersecurity risk is essential if we are to build a better world through automation.