ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

How ISA and Automation Federation Leadership Helped Secure Industrial Control Systems

 

This post was written by Stephen R. Huffman, vice president, marketing and business development, at Mead O’Brien, Inc.

 

Technical leaders had the foresight to create the ISA99 standards committee back in 2002. They recognized the need for cybersecurity standards in areas outside of the traditional information technology (IT), national security, and critical infrastructure areas of concentration at the time.

 

When Automation Federation (AF) refocused its efforts in 2007 with both automation profession advocacy and industrial automation and control system (IACS) cybersecurity as two of its strategic imperatives, we ventured forth to Capitol Hill with a message and a plan. We found that in general our lawmakers equated process and industrial automation as “IT” and thought that IT was already addressing cybersecurity in terms of identity theft and forensics, and that the Department of Defense was handling cyberprotection for national security. For the next several years, AF built its story around cyberthreats in the operational technology (OT) area and how ISA99 through its series of standards, technical reports, and work group output was providing guidance for asset owners, system integrators, and control system equipment manufacturers specifically for securing IACS.

The operating philosophy of IT cybersecurity versus OT cybersecurity is quite different. Although the approach of shutting down operations, isolating cybersecurity issues, and adding patches may work well to mitigate IT breaches, the same cannot be said for operating units in a real-time process. In short, it really is not feasible to “reboot the plant.” The message resonated enough for us to help create the Liebermann-Collins Cybersecurity Senate Bill introduced in 2012, but opposition (more political than reasonable) doomed this first effort. In 2013, the President issued Executive Order 13636 for enhancing cybersecurity protection for critical infrastructure. It included directing the National Institute of Science and Technology (NIST) to establish a framework that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs. Of the more than 200 proposals submitted by organizations receiving a request for proposal, almost all were IT-based.

The AF/ISA submittal took the perspective of operational technology backed by the strength of the existing ISA99 set of standards. After a set of five framework meetings of invited participants, including the AF “framework team,” over the course of 2013, the OT and IACS teams were much more successful in defining the needs, and the automation message was much better understood. NIST personnel with legislative experience with AF on the 2012 Senate bill understood that private industry is a key piece of the cybersecurity and physical security puzzle. AF organized a series of NIST framework rollout meetings in 2014 around the country with attendees from the AF team, NIST, and the White House. The meetings were hosted by state manufacturing extension partnerships, which are state units of NIST.

After these meetings and more work with Senate lawmakers, a bipartisan Senate bill, The Cybersecurity Enhancement Act, was signed by the President and put into law in December 2014 (www.congress.gov/bill/113th-congress/senate-bill/1353). In summary, the act authorizes the Secretary of Commerce through the director of NIST to facilitate and support the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost effectively reduce cyberrisks to critical infrastructure. As you can imagine, ISA99, now IEC/ISA 62443, will play a more prominent role in securing the control systems of industry in the future through a public-private information-sharing partnership. Thanks for the foresight and fortitude of the ISA99 standards committee.

 

ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:

 

About the Author
Stephen R. Huffman is vice president, marketing and business development, at Mead O’Brien, Inc., and chairman, government relations committee, at Automation Federation. He has a 40-year history of optimizing process systems, developing new applications, and providing technical education. He served as 2007 president of ISA. .

 

Connect with Stephen
LinkedInEmail  

 

A version of this article also was published at InTech magazine

 


Related Posts

Checking In With Mimo, ISA's Large Language Model Trained on ISA Content

Over the summer of 2024, the International Society of Automation (ISA) announced a large language model (...
Kara Phelps Nov 15, 2024 7:00:00 AM

Ask the Automation Pros: The Use of Artificial Intelligence in Process Control

The following discussion is part of an occasional series, "Ask the Automation Pros," authored by Greg McM...
Greg McMillan Nov 12, 2024 4:30:00 PM

Protecting Electrical Terminal Blocks From Tampering

Electrical terminal blocks are a common sight in the automation world. Usually mounted on DIN rail in ind...
Anna Goncharova Nov 8, 2024 10:30:00 AM