There used to be dozens of separate government, trade-organization and corporate efforts on cybersecurity, most of them unaware of one another's work. Now, most are organized around the U.S. Dept. of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), with help from the National Institute of Standards and Technology (NIST). Likewise, several standards efforts are underway to establish uniform best practices, led by the International Society of Automation (ISA), the International Electrotechnical Commission (IEC) and other groups.
"In the U.S., perhaps the most significant current activity is the development of a critical infrastructure Cybersecurity Framework in partial response to President Obama's executive order in February," says Eric Cosman, engineering consultant at Dow Chemical and co-chair of the ISA-99 cybersecurity committee. "The framework is expected to be submitted to the president later this year, and made generally available in early 2014." More information about the framework is at NIST's web page at www.nist.gov/itl.
"In the area of standards and certification, work continues on developing standards in the ISA/IEC 62443 series, as well as certification systems via the ISA Security Compliance Institute's ISASecure effort," Cosman adds. "The ISA-62443-3-3 standard, 'System Security Requirements and Security Levels,' was approved by ISA and will be issued soon; the IEC version is being translated."
Cosman says there have been formal liaison relationships between various cybersecurity groups and committees for some time. "For example, there's been cooperation between the ISA-99 committee and IEC TC 65 WG10 in developing the ISA/IEC 62443 standards," he says. "ISA and the Automation Federation also have several people contributing to development of the NIST framework. Recently, the ICS-CERT Joint Working Group (ICSJWG) formed a standards subgroup to facilitate communications and cooperation between the private and public sectors, particularly for reviewing and promoting the ISA/IEC 62443 standards and the NIST Special Publication SP 800-82, which will be revised this year. Though it might not seem so to the casual observer, there is and has been considerable cooperation and collaboration between many groups and committees working in this area."
Detailed information about what constitutes an effective cybersecurity management system for control systems is available through a combination of ISO/IEC 27001 and ISA-62443-2-1. "However, both of these are detailed standards documents, and may not be suitable for the purpose of getting general guidance," Cosman explains. Depending on the staff available, it may be necessary to hire a consultant to help develop a comprehensive program. Cosman would also direct individual owner/operators to their automation system suppliers; with few exceptions, he says, all major suppliers have stepped up.
This article is a sidebar item in the 2013 Industrial Networking Q3 cover story "Identify the Network Threat."