Technical leaders had the foresight to create the ISA99 standards committee back in 2002. They recognized the need for cybersecurity standards in areas outside of the traditional information technology (IT), national security, and critical infrastructure areas of concentration at the time.
When Automation Federation (AF) refocused its efforts in 2007 with both automation profession advocacy and industrial automation and control system (IACS) cybersecurity as two of its strategic imperatives, we ventured forth to Capitol Hill with a message and a plan. We found that in general our lawmakers equated process and industrial automation as “IT” and thought that IT was already addressing cybersecurity in terms of identity theft and forensics, and that the Department of Defense was handling cyberprotection for national security. For the next several years, AF built its story around cyberthreats in the operational technology (OT) area and how ISA99 through its series of standards, technical reports, and work group output was providing guidance for asset owners, system integrators, and control system equipment manufacturers specifically for securing IACS.
The operating philosophy of IT cybersecurity versus OT cybersecurity is quite different. Although the approach of shutting down operations, isolating cybersecurity issues, and adding patches may work well to mitigate IT breaches, the same cannot be said for operating units in a real-time process. In short, it really is not feasible to “reboot the plant.” The message resonated enough for us to help create the Liebermann-Collins Cybersecurity Senate Bill introduced in 2012, but opposition (more political than reasonable) doomed this first effort. In 2013, the President issued Executive Order 13636 for enhancing cybersecurity protection for critical infrastructure. It included directing the National Institute of Science and Technology (NIST) to establish a framework that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs. Of the more than 200 proposals submitted by organizations receiving a request for proposal, almost all were IT-based.
The AF/ISA submittal took the perspective of operational technology backed by the strength of the existing ISA99 set of standards. After a set of five framework meetings of invited participants, including the AF “framework team,” over the course of 2013, the OT and IACS teams were much more successful in defining the needs, and the automation message was much better understood. NIST personnel with legislative experience with AF on the 2012 Senate bill understood that private industry is a key piece of the cybersecurity and physical security puzzle. AF organized a series of NIST framework rollout meetings in 2014 around the country with attendees from the AF team, NIST, and the White House. The meetings were hosted by state manufacturing extension partnerships, which are state units of NIST.
After these meetings and more work with Senate lawmakers, a bipartisan Senate bill, The Cybersecurity Enhancement Act, was signed by the President and put into law in December 2014 (www.congress.gov/bill/113th-congress/senate-bill/1353). In summary, the act authorizes the Secretary of Commerce through the director of NIST to facilitate and support the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost effectively reduce cyberrisks to critical infrastructure. As you can imagine, ISA99, now IEC/ISA 62443, will play a more prominent role in securing the control systems of industry in the future through a public-private information-sharing partnership. Thanks for the foresight and fortitude of the ISA99 standards committee.