
ISA99 Committee Letter: Cybersecurity Updates

ISA99 Committee on IACS Cybersecurity
Committee Letter
An update to our stakeholders
August 2022 (Revised)
ISA99 Stakeholders:
From time to time we have used this “open letter” format to reach out to committee members and
stakeholders, each of whom has their own level of interest and engagement in ISA99 committee activities.
As chairs of the committee, we have the responsibility to respond to your interests, answer your questions
and address any concerns that you may have.
Our purpose with this letter is to summarize the current situation and expected direction concerning
several important topics, address any possible misconceptions or misunderstandings that you – our
stakeholders – may have, and provide a means for raising any future questions or concerns.
Committee Updates
Our committee has been very active this year. In addition to developing specific parts of the ISA/IEC 62443
series, we have also been working on several initiatives aimed at facilitating committee operation and
improving the quality of the ISA/IEC 62443 standards.
Virtual plenary meetings
The ISA99 committee has well over a thousand members, but only a relatively small number of these are
actively involved in the development of the standards. Many members join simply to learn and be
informed of new and trending developments.
Earlier this year we conducted a series of virtual plenary meetings to help address this need. Topics
addressed include an overview of the ISA/IEC 62443 standards, committee organization and operation,
collaboration with IEC TC65 WG10, and new tools used for standards development. Recordings of these
sessions are available on the committee portal.
Use of Workbench
Frank Stieglitz is one of our more active members. He has developed a prototype tool called Workbench
that is used by several of our work groups to provide several essential functions. These include
maintenance of a master glossary and a list of normative requirements, collection and response to
comments on draft documents, and development of associated learning materials.
The ISA99 committee provides this document to all interested parties as a means of improving our communications and
outreach. All are encouraged to share this information widely.
We will continue to enhance this tool to meet the needs of our committee and its work groups. We are
also in discussions with ISA staff about the possibility of providing this as a standard tool.
Committee Operation
The day-to-day operation of the committee is directed by work group 5, which consists of the chairs of the
other, more focused work groups. There are several specific areas of focus for this group, including:

Series Consistency – The documents in the ISA/IEC 62443 series have been developed by different
groups over more than a decade, resulting in certain gaps and inconsistencies. The consistency
group (WG5TG3) has proposed several improvements, including better definitions of key
concepts using detailed ontologies and a proposed new structure for the series. These changes
are beginning to appear in revised documents in the series (see below). This work continues and
further improvements are expected.

Work product editing – ISA99 has an editors task group (WG5TG1) that is responsible for the final
review and editing of all documents before they are circulated for review and comment.
Group Activities
The following paragraphs highlight the activities of some of the more active work and task groups.
Work Group 2 – 62443-2-1 (Security program requirements for IACS asset owners)
The first edition of this standard was published by ISA in 2009 and later adopted by IEC. Our understanding
of what constitutes an effective cybersecurity program has evolved considerably since then, and the
second edition of this document will reflect this understanding while clarifying the relationship to other
standards such as the ISO/IEC 2700x series. A final draft of this standard should be submitted for
committee vote later this year.
Work Group 3 – 62443-1-1 (Terminology, concepts, and models)
The first edition of this document was published by ISA in 2007 and later distributed as a technical
specification by IEC. Since then, our understanding of the subject has evolved considerably, as reflected
in the more detailed standards in the series. These changes have been incorporated into the second
edition of 62443-1-1 which was circulated for review late last year. We received over 2000 comments on
this draft and the workgroup hopes to have a second draft for comment by the end of 2022.
Work Group 6 – 62443-2-3 (Security update (patch) management)
This technical report was published by ISA in 2015 to address the requirements for an effective
automation system patch management program. A second edition is currently being prepared.
Work Group 9 – 62443-1-6 (Application to the Industrial Internet of Things)
This document describes considerations for asset owners when they are deciding on the implementation
of industrial internet of things (IIoT) within their assets and provides guidance on the requirements of the
ISA/IEC 62443 series to elucidate and mitigate any cybersecurity concerns. It will be circulated for review
and comment later this year.
Work Group 12 – 62443-1-3 (Performance metrics for IACS security)
This technical report (TR) defines a methodology for the development of quantitative metrics derived
from process and technical requirements defined in the ISA/IEC 62443 series. It has been circulated for
review and comment and further revisions are underway.
Work Group 13 – 62443-1-3 (Awareness and Training)
This group has been very active in the development and delivery of a large set of awareness and training
materials related to the 62443 series in the form of micro-learning modules (MLMs) and learning maps.
This effort is conducted in partnership with the ISA training department. To date the group has created
and issued six published MLMs on the ISA YouTube channel, focusing on topics most relevant to improving
the understanding of IT-oriented people about industrial-engineering operations.
Work Group 14 – (62443 Security profiles for electric energy OT control systems)
This group was recently created to prioritize the development of multiple ISA/IEC 62443 Security profiles
for electric transmission and distribution applications. It includes members who have expertise in
substation operation, communication exchange, and/or OT cyber security.
Liaisons
Automation cybersecurity is a subject that has implications in many other areas. Our committee has
formed liaison relationships with many other groups (e.g., committees, consortia, etc.) that improve
understanding, acceptance, and adoption of proven and effective practices. We keep records of each such
liaison that define the proposed joint activities and expected benefits for each party. We expect that
additional liaisons may result as the ISA/IEC 62443 series of standards are applied in other industry
sectors.
Industry IoT Consortium (IIC)
We have an active liaison with the Industry IoT Consortium that includes projects of mutual interest. The
first of these was the creation of a paper that describes a set of mappings for asset owners, product
suppliers, and service providers. Specifically, it provides a way to relate the detailed guidance in
62443-2-1, 62443-3-3, and 62443-4-2 with practices and comprehensiveness levels described in the IIC
Security Maturity Model (SMM).
ISA Global Cybersecurity Alliance
We also have a liaison with the ISA Global Cybersecurity Alliance (ISA GCA). In this case, the principal goal
is to coordinate the promotion and advocacy-related activities of the ISA GCA with current work in our
committee.
IEC TC 65 WG 10
Perhaps the most important of our liaisons is the one with IEC TC 65 WG 10, which allows our standards
to be reviewed and eventually approved by a larger international audience, leading to their publication as
IEC standards. In the context of this liaison, TC 65 WG 10 is responsible for several parts of the series.

62443-1-5 (Scheme for cybersecurity profiles) – This document describes how to draft
cybersecurity profiles for the ISA/IEC 62443 series. ISA99 members have submitted comments on
the initial draft.

62443-2-4 (Security program requirements for IACS service providers) – This standard was
published by IEC in 2017 and later adopted by ISA. IEC TC 65 WG 10 is currently preparing a second
edition.
62443-6-1 (Security evaluation methodology for IEC 62443-2-4) – This document supports
service providers and evaluators to do a conformity assessment by evaluating the security
program against the requirements of IEC 62443-2-4 Ed. 1.1.

62443-6-2 (Security evaluation methodology for IEC 62443-4-2) – This document specifies the
evaluation methodology to support interested parties (e.g., during conformity assessment
activities) to achieve repeatable and reproducible evaluation results for IACS components against
IEC 62443-4-2 requirements.
Application Across Sectors
You may have heard of proposals and some concerns about the use of the ISA/IEC 62443 series across a
broad range of sectors. This has led to the designation of ISA/IEC 62443 as “horizontal standards” by IEC.
This is entirely consistent with our direction for the series, going back to when the ISA99 committee was
chartered by the ISA Standards and Practices Department in 2002. The question of how to position the
standards within IEC has been posed much more recently, and will ultimately be determined by IEC, using
their processes. The leaders of the ISA99 committee support the “horizontal” designation and are
committed to supporting any sectors or industries wishing to apply or adopt ISA/IEC 62443.
The use of profiles was recently approved within the IEC to assist users in the interpretation and
application of the referenced standard(s). For further reference, the concept of profiles is covered within
the ISO/IEC Directives, Part 2, 2021, Clause 6.6. The committee also recognizes that such applications may
well require the creation of application guides or profiles to facilitate this adoption. The structure of the
ISA/IEC 62443 series will be extended to provide for the inclusion of approved profiles and any associated
compliance with those profiles. The process for obtaining such approvals will be the same as for other
documents in the ISA/IEC 62443 series, involving the review, commenting, and voting procedures of both
ISA and IEC. More details will be shared as soon as they are available.
In Conclusion
We appreciate your interest in and support of the committee’s work and look forward to your feedback.
It is almost certain that we have forgotten some details here, or that we have not answered all the
comments, questions, or concerns that you may have. As always, you can post them to our LinkedIn group,
share them on the committee mailing list, or send them directly to us at isa99chair@gmail.com.
Eric C. Cosman, Jim Gilsinn (ISA99 Committee Co-Chairs)
Joe Weiss
(Managing Director ISA99)
Eliana Brazda
(ISA Staff)