A newly published standard in the series, ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels, addresses risks arising from the growing use of business information technology (IT) cyber security solutions to address IACS cyber security in complex and dangerous manufacturing and processing applications.
IACS security goals typically focus on control system availability, plant protection, plant operations, and time-critical system response. IT security goals, in contrast, often focus more on protecting information than physical assets. For this reason, use of IT cyber security solutions to address IACS security must be implemented knowledgeably to prevent unintended vulnerabilities that could lead to potentially disastrous health, safety, environmental, financial, and/or reputational impacts in deployed control systems.
The new ISA99 standard addresses this concern with an approach to defining system requirements that is based on a combination of functional requirements and risk assessment, and an awareness of operational issues. The standard provides detailed technical control system requirements associated with seven foundational requirements described in the groundbreaking first ISA99 standard, ISA‑62443‑1‑1 (99.01.01), including defining the requirements for control system capability security levels. Those responsible for IACS cyber security will use these requirements in developing the appropriate control system target security levels for specific assets.
Eric Cosman, ISA99 Committee Chair
The ISA99 committee drew on the input and knowledge of IACS security experts from across the globe in developing the standard. Unlike programs targeted at a single industry, ISA99 is applicable to all industry sectors and critical infrastructure in recognition of the interrelated nature of industrial computer networks in which cyber vulnerabilities exploited in one sector can impact multiple sectors and infrastructure.
“The new standard represents a collaborative effort of experts from multiple industries around the world,” stated the ISA99 task group leader for the project, Jeff Potter of Emerson Process Management. “Our intensive series of revise-and-review cycles has resulted in a rigorously reviewed standard reflecting the best current thinking in control systems security. Our joint work with IEC experts provides users with further assurance that this is a truly global standard that can be used to design, build, operate and regulate with full confidence in its longevity and cross-national applicability.”
ANSI/ISA-62443-3-3-2013 was approved as an American National Standard on 13 August 2013. An essentially identical version will be published by the IEC later this year as IEC 62443-3-3.
• Eric Cosman is also to chair the INDUSTRIAL NETWORK SECURITY TRACK at this year's Automation Week in Nashville (TN, USA). This track will cover the security of operations and networks, specifically cyber security issues as they relate to industrial networks. The technologies, the business relevance, and the impact of network security issues and solutions, as well as the human aspects, will be discussed.