Results of a recent survey by the Pew Research Center, canvassing more than 1,600 leading experts on the Internet and computer systems and networks, predicted that a major industrial cyberattack will occur sometime within the next 10 years that will cause widespread harm to America’s security and welfare. “Widespread harm” was defined as significant loss of life or property losses/damage/theft in the tens of billions of dollars.
Despite these types of expert predictions and ongoing calls for improved security, not nearly enough is being done in the U.S. and around the world to implement basic industrial cybersecurity measures, most notably best-practice standards, and reinforce them through proper staff training.
As you know, ISA and the umbrella association it founded, the Automation Federation, have been working hard for several years to change this. Indeed, becoming “the leading source of standards, training, and expertise related to the cybersecurity of industrial automation and control systems (IACS) used across industry and critical infrastructure” is one of ISA’s five formal strategic goals.
It’s important to recognize that ISA is extremely well positioned to achieve this goal. Furthermore, continued progress in this area by ISA and the Automation Federation is accelerating our forward momentum. In this month’s column of ISA Insights, I wanted to take this opportunity to showcase some of this progress.
At the core of ISA’s marketplace leadership in IACS cybersecurity is the ISA/IEC 62443 set of standards, which are proven to prevent and mitigate IACS security vulnerabilities across all key industry sectors and critical infrastructure. Reducing these vulnerabilities is critical since they can open the door to potentially devastating cyber damage to the industrial plant systems and networks used in power generation, water treatment, refineries and other vital industrial facilities.
Our well-earned expertise in IACS security standards prompted the Obama administration to request ISA’s and the Automation Federation’s assistance in forming and implementing the U.S. Cybersecurity Framework (introduced early last year) and their help in implementing the provisions of the Cybersecurity Enhancement Act of 2014 (signed into law late last year). Clearly, the ISA/IEC 62443 series of cybersecurity standards are integral components of the U.S. government’s current and future plans to combat industrial cyberattack.
As the “Voice of Automation,” the Automation Federation continues to take a highly active and visible role—in government circles as well as in the private marketplace—to improve awareness of industrial cyberattack risks and emphasize the need to take action now to reduce them.
In a column that appears in the May/June 2015 issue of ISA’s InTech magazine, Steve Huffman (Chairman of the Automation Federation’s Government Relations Committee and a former ISA president) applauds the contributions and foresight of the ISA99 standards committee in helping to forge these vital standards.
Below are some of the important cybersecurity initiatives the Automation Federation will be taking a lead role in during the coming weeks and months.
- The U.S. Department of Homeland Security (DHS) has invited the Automation Federation to present a program later this month on the ISA/IEC 62443 security standards to a group of 12 leading insurance carriers that comprise the DHS Cyber Incident Data and Analysis Working Group (CIDAWG). Automation Federation representatives will encourage the carriers to consider conveying to their manufacturing policyholders the importance of utilizing these security standards and the resources that support them as a means of reducing risk, thereby lowering insurance premiums.
- The DHS also has asked the Automation Federation to take part in a series of cybersecurity meetings across the US with DHS Deputy Secretary Alejandro Mayorkas. In addition, the DHS has asked the Automation Federation to assist in planning a meeting in August with Phyllis Schneck, DHS Deputy Under Secretary for Cybersecurity and Communications, and a group of leading automation suppliers, regarding the implementation of the U.S. Cybersecurity Framework.
- The U.S. National Institute of Standards & Technology (NIST) has requested that the Automation Federation participate in upcoming cybersecurity meetings with international leaders—in both government and industry—on the operational issues involved in protecting critical infrastructure.
- Negotiations are underway for the Automation Federation to take part in the 2016 Cyber Shield exercise, which will bring National Guard units from around the country for a special event to be held in Indiana. At the exercise, guardsmen would receive cybersecurity class instruction provided by ISA. Negotiations are expected to be completed by August.
- Project Lead The Way (PLTW), a member organization of the Automation Federation, has asked subject matter experts from the Automation Federation to assist in the development of a cybersecurity curriculum to be offered to K-12 PLTW classes. PLTW and Automation Federation representatives plan to meet next month in Indianapolis, Indiana to begin work on this curriculum. The new cybersecurity course work will promote STEM learning and support the Automation Federation’s objective of helping to develop a well-trained cybersecurity workforce of the future.
When confronting cyberthreats, a capable labor force—along with standards—is essential. The ever-rising volume of industrial cyberattacks combined with the increasing diversity and sophistication of cyberwarfare tactics have generated a tremendous demand for qualified industrial cybersecurity professionals. In fact, the demand for cybersecurity professionals is growing 12 times faster than the job market overall.
Here again, ISA is exceptionally well positioned. Our expertise and experience in IACS security and standards development provide the basis for ISA cybersecurity training courses and educational programs of unequaled credibility and authority.
What’s more, ISA has just introduced three new cybersecurity courses that enable it to deliver a comprehensive suite of cybersecurity training solutions and address the complete “lifecycle” of cybersecurity training requirements. Along with its three current IACS security courses—(IC32), (IC32E) and (IC32C)—ISA also now offers:
- Assessing the Cybersecurity of New or Existing IACS Systems (IC33)
- IACS Cybersecurity Design & Implementation (IC34)
- IACS Cybersecurity Operations & Maintenance (IC37)
With all six courses, ISA provides everything from a general overview of industrial automation security to detailed instruction on how to best leverage the ISA/IEC 62443 series to a full-circle exploration of IACS assessment, design, implementation, operations and management.
All three of ISA’s new cybersecurity courses will offer a certificate exam for those who successfully complete course requirements. (ISA already offers a certificate exam—leading to the designation as ISA99 Cybersecurity Fundamentals Specialist—for those who complete IC32 or IC32E.) Passage of each of the three new certificate exams will also bestow specialist recognition. Those who complete all four core ISA cybersecurity courses (IC32, IC33, IC34 and IC37) and pass all corresponding certificate exams will achieve the level of ISA99 Cybersecurity Expert.
As you can readily see, ISA’s not resting on its laurels when it comes to its leadership standing in industrial cybersecurity standards and training. We’re committed to enhancing our visibility and strengthening our capabilities and offerings in these areas.
All ISA members can take pride in the fact that they’re part of an organization working to safeguard our world, livelihood, environment, and communities and the people who work and reside in them.
Making modern life safer, more secure, easier, better. That’s what we do as automation professionals.
Next month, I look forward to updating you on all the events and activities that took place at the Spring Leaders Meeting in Raleigh. As always, I thank you for your contributions to and involvement in our great Society.
A version of this article also has been published in ISA Insights.