Monday 18 November 2013

Automation representative outlines cybersecurity policy before US high level body

ISA leader advocates two-part approach to industrial cybersecurity

Protecting industry and critical infrastructure from cyberattack requires the implementation of comprehensive industrial automation and control systems (IACS) cybersecurity standards as well as the use of IACS components that have been certified to conform to these standards, said Patrick Gouhin, Executive Director and CEO of the International Society of Automation (ISA), at a US government cybersecurity meeting held recently in Raleigh, North Carolina, USA.

“In addition to having industry-consensus IACS cybersecurity standards in place, asset owners need to utilize IACS product suppliers and components that have been tested and certified to be cybersecure,” emphasised Gouhin, speaking at a workshop sponsored by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce.

The workshop, the fifth in a series, was conducted at the North Carolina State University and attracted more than 400 attendees. The gathering drew leading cybersecurity experts across America and the world—as well as other key stakeholders in industry, academia, and government—to weigh in on the merits of a national Cybersecurity Framework called for by US President Barack Obama.

The purpose of the workshop was to elicit further stakeholder input on the preliminary draft of the Cybersecurity Framework, consider any changes to the draft, and discuss strategies for the plan’s implementation.

Topics covered at the workshop included:
  • Considerations for small- and medium-size businesses
  • How to use the framework
  • Voluntary critical infrastructure cybersecurity program
  • Research and development
  • Framework ecosystem development
  • Privacy and civil liberties

At NIST’s request, both ISA and its sister organization, the Automation Federation, have served as advisors to the US government in the development of the Cybersecurity Framework draft and have actively participated in all workshops. The Automation Federation, in fact, played a key role in organizing yesterday’s workshop.

Through the work of the ISA Committee on Security for Industrial Automation & Control Systems (ISA99), ISA has developed the ANSI/ISA99, Industrial Automation and Control Systems Security standards (known internationally as ISA/IEC 62443).

Developed by a cross-section of international cybersecurity subject-matter experts from industry, government and academia, the ISA/IEC 62443 series of standards applies to all key industry sectors and critical infrastructure and, as a result, provides the flexibility to address and mitigate current and future vulnerabilities in IACS.

Director Gouhin warned that a cyberattack on industrial automation and control systems—commonly used in transportation grids, power plants, water treatment facilities, and other industrial settings—could have potentially devastating results that include:
  • endangerment of public or employee safety
  • environmental damage
  • erosion of public confidence
  • violation of regulatory requirements
  • loss of proprietary or confidential information
  • economic loss
  • weakened entity, local, state, or national security

“Implementing widespread cybersecurity standards is essential because many industrial production settings and infrastructure environments throughout the world are inadequately prepared for cyberwarfare,” he said. “The other piece is ensuring that industrial automation suppliers and supplier practices and products are cybersecure as well.”

The ISA Security Compliance Institute (ISCI), an affiliate of ISA, has developed a widely recognized compliance and testing program called ISASecure™ that ensures that industrial automation and control devices and equipment conform to the ISA/IEC 62443 cybersecurity standards.

“The combination of the ISA/IEC 62443 industrial automation and control systems standards and ISASecure certification provides a critical, two-fold layer of cybersecurity,” Gouhin asserts. “In addition to implementing vital IACS cybersecurity standards, asset owners would know that the IACS products and components they purchase are capable of defending against network attacks and are free from security vulnerabilities.”