This ISA author Q&A was edited by Joel Don, ISA’s community manager. The second edition of Industrial Automation and Control System Security Principles contains a significant amount of new and enhanced content, covering the latest advances in cybersecurity and critical infrastructure protection from industrial, governmental, and commercial sources. The book is authored by globally recognized security expert Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP.
Q. Why were you compelled to publish an updated edition? What differentiates the second edition from the initial version?
A. I wanted to cover the latest thinking and approaches to industrial automation and control system (IACS) security. This new edition addresses the most recent, formal methods and their practical applications to IACS security. The book is able to describe the latest advances in cybersecurity and critical infrastructure protection from industrial, governmental, and commercial sources, and show how they can be practically applied to protect IACS.
Q. Could you outline, in specifics, the new and enhanced areas of content in the second edition?
A. The second edition of my book contains a significant amount of new and enhanced content. This was needed to cover and describe all the significant technologies and methodologies that have been developed since the publication of the first edition.
There is an entirely new chapter, Chapter 9, on emerging approaches to industrial automation and control system security. The new content includes such topics as the Internet of Things (IoT), the Industrial Internet of Things (IIoT), the Open Platform Communications Unified Architecture (OPC UA) (IEC 62541), Industry 4.0, the OWASP “Internet of Things Top Ten” security categories, Big Data Analytics, the NIST Big Data Interoperability Framework, the NIST Framework for Cyber-Physical Systems, the NIST Framework for Improving Critical Infrastructure Cybersecurity, and Software-Defined Elements.
In addition, Chapter 6 has been significantly updated to include the new versions of NIST Special Publication (SP) 800-53 Revision 4, “Recommended Security Controls for Federal Information Systems;” NIST Special Publication 800-82, Revision 2 “Guide to Industrial Control Systems Security;” and North American Electric Reliability Corporation (NERC), Critical Infrastructure Protection (CIP) Cybersecurity Standards, Version 5. As in the previous edition, it also includes coverage of ANSI/ISA-99.01.01-2007, “Security Technologies for Industrial Automation and Control Systems;” Department of Homeland Security; Catalog of Control Systems Security Recommendations for Standards Developers;” Advanced Metering Infrastructure (AMI) System Security Requirements; and a tabular Consolidation of Best Practices Controls for Industrial Automation and Control Systems.
Chapter 5 has been updated to include coverage of the latest attacks on critical infrastructure systems. In addition to Stuxnet, the overview of malware includes the Shamoon Trojan Horse, Flame modular computer malware, the Norway cyberattack, and Havex.
Chapter 8 includes updated coverage of NIST SP 800-1371, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations;” in applications to Industrial Automation and Control Systems, The Smart Grid Maturity Model (SGMM); and the Introduction to NISTIR 7628, “Guidelines for Smart Grid Cybersecurity.”
I also have added a new appendix, Appendix B to the second edition. This new appendix comprises ICS Supplemental Guidance for NIST SP 800-53 Security Controls.
The new and updated chapters also include revised end-of-chapter review questions.
Q. What areas of new and enhanced content would you particularly want to highlight and encourage readers to focus on?
I point out the following sections and topic areas as being particularly valuable and informative.
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
Meet the Author
Ronald L. Krutz, Ph.D., P.E., CISSP, ISSEP, is a scientist and consultant specializing in cybersecurity services. Dr. Krutz is chief scientist for Security Risk Solutions, Inc. in Mount Pleasant, S.C. He has more than 30 years of experience in industrial automation and control systems, distributed computing systems, computer architectures, information assurance methodologies and information security training. Dr. Krutz has served as: a senior information security consultant at Lockheed Martin, BAE Systems, and REALTECH Systems Corporation; an associate director of the Carnegie Mellon Research Institute; founder and director of the CMRI Computer Engineering and Cybersecurity Centers; a faculty member of the Carnegie Mellon University Department of Electrical and Computer Engineering; and a lead instructor for (ISC)2 Inc. in its Certified Information Systems Security Professionals (CISSP) training seminars. He authored the book, Securing SCADA Systems, and three textbooks on microcomputer system design, computer interfacing and computer architecture. He holds seven patents in the area of digital systems, and has published a variety of technical papers. Dr. Krutz also is a Senior Fellow of the International Cyber Center of George Mason University and a Senior Life Member of the IEEE. He earned bachelor of science, master of science, and doctorate degrees in electrical and computer engineering, and is a registered Professional Engineer in the state of Pennsylvania.