ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

Book Excerpt + Author Q&A: Industrial Automation and Control System Security Principles

 

This ISA author Q&A was edited by Joel Don, ISA’s community manager. The second edition of Industrial Automation and Control System Security Principles contains a significant amount of new and enhanced content, covering the latest advances in cybersecurity and critical infrastructure protection from industrial, governmental, and commercial sources. The book is authored by globally recognized security expert Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP.

 

Q. Why were you compelled to publish an updated edition? What differentiates the second edition from the initial version?

A. I wanted to cover the latest thinking and approaches to industrial automation and control system (IACS) security.  This new edition addresses the most recent, formal methods and their practical applications to IACS security.  The book is able to describe the latest advances in cybersecurity and critical infrastructure protection from industrial, governmental, and commercial sources, and show how they can be practically applied to protect IACS.

Q. Could you outline, in specifics, the new and enhanced areas of content in the second edition?

A. The second edition of my book contains a significant amount of new and enhanced content. This was needed to cover and describe all the significant technologies and methodologies that have been developed since the publication of the first edition.

There is an entirely new chapter, Chapter 9, on emerging approaches to industrial automation and control system security. The new content includes such topics as the Internet of Things (IoT), the Industrial Internet of Things (IIoT), the Open Platform Communications Unified Architecture (OPC UA) (IEC 62541), Industry 4.0, the OWASP “Internet of Things Top Ten”  security categories, Big Data Analytics, the NIST Big Data Interoperability Framework, the NIST Framework for Cyber-Physical Systems, the NIST Framework for Improving Critical Infrastructure Cybersecurity, and Software-Defined Elements.

In addition, Chapter 6 has been significantly updated to include the new versions of NIST Special Publication (SP) 800-53 Revision 4, “Recommended Security Controls for Federal Information Systems;” NIST Special Publication 800-82, Revision 2 “Guide to Industrial Control Systems Security;” and North American Electric Reliability Corporation (NERC), Critical Infrastructure Protection (CIP) Cybersecurity Standards, Version 5.  As in the previous edition, it also includes coverage of ANSI/ISA-99.01.01-2007, “Security Technologies for Industrial Automation and Control Systems;” Department of Homeland Security; Catalog of Control Systems Security Recommendations for Standards Developers;” Advanced Metering Infrastructure (AMI) System Security Requirements; and a tabular Consolidation of Best Practices Controls for Industrial  Automation  and  Control  Systems.

Chapter 5 has been updated to include coverage of the latest attacks on critical infrastructure systems.  In addition to Stuxnet, the overview of malware includes the Shamoon Trojan Horse, Flame modular computer malware, the Norway cyberattack, and Havex.

Chapter 8 includes updated coverage of NIST SP 800-1371, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations;” in applications to Industrial Automation and Control Systems, The Smart Grid Maturity Model (SGMM); and the Introduction to NISTIR 7628, “Guidelines for Smart Grid Cybersecurity.”

I also have added a new appendix, Appendix B to the second edition.  This new appendix comprises ICS Supplemental Guidance for NIST SP 800-53 Security Controls.

The new and updated chapters also include revised end-of-chapter review questions.

Q. What areas of new and enhanced content would you particularly want to highlight and encourage readers to focus on?

I point out the following sections and topic areas as being particularly valuable and informative.

  • Industrial Internet of Things (IIoT)
  • The Open Platform Communications Unified Architecture (OPC UA) (IEC 62541)
  • Industry 4.0
  • Big Data Analytics
  • The NIST Big Data Interoperability Framework
  • NIST Framework for Cyber-Physical Systems
  • NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-82, Revision 2 “Guide to Industrial Control Systems Security”
  • NIST Special Publication (SP) 800-53 Revision 4, “Recommended Security Controls for Federal Information Systems”
  • Coverage of latest IACS malware

ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:

 

Meet the Author
Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP, is a scientist and consultant specializing in cybersecurity services. Dr. Krutz is chief scientist for Security Risk Solutions, Inc. in Mount Pleasant, S.C. He has more than 30 years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies and information security training. Dr. Krutz has served as: a senior information security consultant at Lockheed Martin, BAE Systems, and REALTECH Systems Corporation; an associate director of the Carnegie Mellon Research Institute; founder and director of the CMRI Computer Engineering and Cybersecurity Centers; a faculty member of the Carnegie Mellon University Department of Electrical and Computer Engineering; and a lead instructor for (ISC)2 Inc. in its Certified Information Systems Security Professionals (CISSP) training seminars. He authored the book, Securing SCADA Systems, and three textbooks on microcomputer system design, computer interfacing and computer architecture. He holds seven patents in the area of digital systems, and has published a variety of technical papers. Dr. Krutz also is a Senior Fellow of the International Cyber Center of George Mason University and a Senior Life Member of the IEEE. He earned bachelor of science, master of science, and doctorate degrees in electrical and computer engineering, and is a registered Professional Engineer in the state of Pennsylvania.

 

Connect with Ronald
LinkedIn

 

Joel Don
Joel Don
Joel Don is an independent content marketing, social media and public relations consultant. Prior to his work in marketing and PR, Joel served as an editor for regional newspapers and national magazines throughout the U.S. He earned a master's degree from the Medill School at Northwestern University with a focus on science, engineering and biomedical marketing communications, and a bachelor of science degree from UC San Diego.

Related Posts

Checking In With Mimo, ISA's Large Language Model Trained on ISA Content

Over the summer of 2024, the International Society of Automation (ISA) announced a large language model (...
Kara Phelps Nov 15, 2024 7:00:00 AM

Ask the Automation Pros: The Use of Artificial Intelligence in Process Control

The following discussion is part of an occasional series, "Ask the Automation Pros," authored by Greg McM...
Greg McMillan Nov 12, 2024 4:30:00 PM

Protecting Electrical Terminal Blocks From Tampering

Electrical terminal blocks are a common sight in the automation world. Usually mounted on DIN rail in ind...
Anna Goncharova Nov 8, 2024 10:30:00 AM