NEWS from ISAGCA


15 September 2020
New ISA/IEC Standard Provides Auditable Approach to Assessing Cybersecurity Risk

RESEARCH TRIANGLE PARK, N.C. (15 September 2020)—The widely used ISA/IEC 62443 Industrial Automation and Control Systems (IACS) Security standards, developed primarily by the ISA99 standards development committee with simultaneous review and adoption by the International Electrotechnical Commission (IEC), provide a flexible framework to address and mitigate current and future IACS security vulnerabilities. The ISA99 committee draws on the input and knowledge of IACS security experts from across the globe to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

A vital new standard in the series is based on the understanding that each organization that owns and operates an IACS has its own tolerance for risk—and that each IACS represents a unique risk depending on the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system, and the consequences if the system were to be compromised. The new standard, ISA/IEC 62443-3-2: Security Risk Assessment for System Design, defines a comprehensive set of engineering measures to guide organizations through the essential process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.  

The new standard can be effectively applied across all industry and critical infrastructure sectors that depend on secure IACS operations. Moreover, it provides much-needed guidance to all key stakeholder categories, including asset owners, system integrators, product suppliers, service providers, and compliance authorities.

“Currently, there is a wide degree of variability in how industry defines and conducts IACS risk assessments,” says John Cusimano of aeSolutions, who led the ISA99 subgroup that wrote the standard. “ISA/IEC 62443-3-2 establishes fundamental requirements for an IACS risk assessment without being overly prescriptive. The result is a standard that will bring uniformity across industry while still allowing IACS owners and operators to apply any methodology that is compliant with the standard.”

The new standard is the latest in a string of notable milestones in the ongoing development and growing global application of the ISA/IEC 62443 series. These milestones included a decision by the United Nations Economic Commission for Europe to integrate the widely used standards into its Common Regulatory Framework on Cybersecurity, which serves as an official UN policy position statement for Europe. They also included completion of several key additional standards, including:

  • ISA/IEC 62443-4-1, Product Security Development Life-Cycle Requirements, which specifies process requirements for the secure development of products used in an IACS and defines a secure development lifecycle for developing and maintaining secure products.
  • ISA/IEC 62443-4-2, Technical Security Requirements for IACS Components, which provides the cybersecurity technical requirements for components that make up an IACS, specifically the embedded devices, network components, host components and software applications.

Other standards in the ISA/IEC 62443 series cover terminology, concepts, and models; establishing an IACS security program; patch management; and system security requirements and security levels. All may be accessed at www.isa.org/findstandards.

For more information on ISA99 and the ISA/IEC 62443 series of standards, contact Eliana Brazda, ISA Standards, at ebrazda@isa.org or +1-919-990-9200.


18 March 2020
New Guide to Cybersecurity Standards: ISAGCA Introduces an Overview of the ISA/IEC 62443 Series

Research Triangle Park, North Carolina USA (18 March 2020)—The International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance have released a new guide to the world’s only consensus-based automation cybersecurity standards.

“Quick Start Guide: An Overview of the ISA/IEC 62443 Series of Standards,” now available for download at isa.org/cyberguide, provides a high-level view of the objectives and benefits of these standards—as well as easy-to-use explainers on how to navigate them. The guide explores how and why IT and OT/ICS need unique types of protection against cyber threats and offers the latest recommendations on patch management.

This new guide answers some of the most common questions about the ISA/IEC 62443 Standards, including:

  • Why is this series of standards important? What are the benefits of using the standards?
  • How are IT and ICS systems different?
  • Which documents are part of the series and how can I use them to find what I need?
  • Where can I find the current best practices around patch management?

The ISA Global Cybersecurity Alliance’s Advocacy and Adoption work group coordinated the development of the guide, which was authored by Johan Nye and reviewed by the ISA99 committee. Nye is an independent consultant specializing in industrial control systems and cybersecurity. During his career spanning more than 38 years, Nye has designed ICS system architectures, created company standards and policies, implemented major ICS projects, supported ICS site engineers, and contributed to the design of several ICS products.

“Automation cybersecurity standards are crucial in this increasingly connected world,” says Mary Ramsey, ISA executive director. “The ISA/IEC 62443 Series of Standards leads the way as the world’s only consensus-based standards that focus on automation cybersecurity. One goal of the ISA Global Cybersecurity Alliance is to raise awareness of these standards and encourage their adoption across a wide range of industries. We are grateful to the ISAGCA Advocacy and Adoption work group, the ISA99 committee, and Johan Nye for distilling these standards into a user-friendly format that can be shared widely.”

“Quick Start Guide: An Overview of the ISA/IEC 62443 Series of Standards” can be accessed by filling out a form at isa.org/cyberguide.

14 January 2020
ISA Global Cybersecurity Alliance Kicks Off 2020 with Priority Projects and Expanded Membership

ISA Global Cybersecurity Alliance continues its mission to advance the state of cybersecurity with new priority projects and an expanded membership of diverse thought leaders from around the world.  

RESEARCH TRIANGLE PARK, N.C. (PRWEB) January 14, 2020 - The ISA Global Cybersecurity Alliance begins the new year with several priority projects underway and an expanded group of companies and organizations as members.

ISAGCA is organized into four general focus areas for cybersecurity including: Awareness & Outreach; Compliance & Prevention; Education & Training; and Advocacy & Adoption. These focus areas or working groups are comprised of subject matter experts from member companies, ISA staff, and outside experts who are collectively working on the following projects in 2020:

  • An easy-to-follow, condensed guide to implementing the ISA/IEC 62443 series of standards
  • A consolidated matrix that cross-references all cybersecurity-related standards to ISA/IEC 62443 principles
  • A roadmap for expanded cooperation with worldwide governments that are currently referencing the standards in their regulatory requirements or recommended practices 
  • A multi-dimensional reference guide mapping system lifecycle phases and stakeholder roles to specific automation cybersecurity knowledge, skills, and abilities needed to manage each phase
  • Publishing industry vertical overlays to the ISA/IEC 62443 standards for building automation, medical devices, and other sectors
  • A database of speakers with expertise and experience in automation cybersecurity and associated commitments for speaking opportunities at industry events 


In addition to identifying and starting work on these priority projects, the ISA Global Cybersecurity Alliance has more than tripled its founding members with the addition of 23 new companies and organizations to its membership. At the end of July, ISAGCA announced Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks as its initial founding members. Subsequently, as of the end of 2019, the following additional companies joined the ISAGCA as founding members:

  • aeSolutions
  • Bayshore Networks
  • Beijing Winicssec Technologies Co. Ltd. 
  • Digital Immunity 
  • Dragos 
  • exida 
  • ISA Security Compliance Institute 
  • ISA99 Committee 
  • Idaho National Laboratory 
  • LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) 
  • Mission Secure, Inc. 
  • Mocana Corporation 
  • Munio Security 
  • PAS Global 
  • Radiflow 
  • Senhasegura (supporting member) 
  • Tenable 
  • TiSafe 
  • Tripwire 
  • WisePlant 
  • Wallix Group 
  • Xage Security

End users, asset owners, government agencies and other cybersecurity-focused organizations are welcome to join the ISA Global Cybersecurity Alliance. The current membership roster includes:

  • Idaho National Laboratory, the United States’ leading center for nuclear energy research and development
  • the ISA Security Compliance Institute, which has been certifying automation products under the ISASecure® brand since 2010 via a global network of accredited certification bodies
  • LOGIIC, an ongoing collaboration of oil and natural gas companies and the U.S. Department of Homeland Security that undertakes collaborative research and development projects to investigate and improve upon the level of cybersecurity in critical systems of interest to the oil and natural gas sector
  • the ISA99 Committee, responsible for the expansion and advocacy of the ISA/IEC 62443 series of standards

“Unifying and intensifying the work of experts around the world, regardless of affiliation, is a key part of ISAGCA’s mission. We believe that automation providers, cybersecurity vendors, asset owners, government agencies, research groups, and others involved in cybersecurity efforts are stronger together, collaborating to deliver solutions that meet the needs of industry today and tomorrow,” said ISA Executive Director Mary Ramsey. “We are proud to bring together a diverse group of thought leaders to advance the state of cybersecurity.”  

Notable members of the ISA Security Compliance Institute include Chevron, ExxonMobil, Honeywell, Schneider Electric, Yokogawa, exida, Control System Security Center, YPF, Japan Information Technology Promotion Agency, Royal Dutch Shell plc, TUV Rheinland, DNV GL, and TUV SUD. Current members of LOGIIC include BP, Chevron, ExxonMobil, Shell, Total, ConocoPhillips, and other large oil and gas companies that operate significant global energy infrastructure.  

To learn more about the ISA Global Cybersecurity Alliance, visit http://www.isa.org/isagca. For media inquiries or requests for interviews, contact ISA Marketing & Communications Director Jennifer Halsey at jhalsey@isa.org.

Contact Information: Jennifer Halsey, International Society of Automation (ISA), http://www.isa.org/isagca, (919) 549-8411

25 July 2019
ISA Announces First Founding Members of Global Cybersecurity Alliance

Research Triangle Park, North Carolina USA (25 July 2019)—The International Society of Automation (ISA) announced today the first Founding Members of its new Global Cybersecurity Alliance (GCA): Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks.  

ISA created the Global Cybersecurity Alliance to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The Alliance brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations together to proactively address growing threats.  

ISA is the developer of the ANSI/ISA 62443 series of automation and control systems cybersecurity standards, which have been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations. The standards define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices and assessing electronic security performance. The standards approach the cybersecurity challenge in a holistic way, bridging the gap between operations and information technology.  

Leveraging the ISA/IEC 62443 standards, the Global Cybersecurity Alliance will work to increase awareness and expertise, openly share knowledge and information, and develop best practice tools to help companies navigate the entire lifecycle of cybersecurity protection. The Alliance will work closely with government agencies, regulatory bodies, and stakeholder organizations around the world.  

"Accelerating and expanding globally relevant standards, certification, and education programs will increase workforce competence, and help end users identify gaps, reduce risks, and ensure they have the tools and systems they need to protect their facilities and installations," said Mary Ramsey, ISA Executive Director. "Through the proliferation of standards and compliance programs, we will strengthen our global cyber culture and transform the way industry identifies and manages cybersecurity threats and vulnerabilities to their operations."  

The first Founding Members of the Alliance are leading multi-national, industrial-technology providers with deep expertise in technology and applications, and they'll apply their experience and knowledge to accomplish the Alliance's priorities.  

"Participating in the Alliance truly shows the commitment our founding members have to the safety and security of the industrial ecosystem, as well as the criticality of collectively moving forward together to ensure the standards, best practices and methods are applied," Ramsey said.  

"ISA engaged with discussions, initiated by Schneider Electric, to create an ISA-led global, open and industry-wide alliance comprised of all cybersecurity stakeholder companies. ISA quickly expanded those conversations to include Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks. These first Founding Members have since worked together to help us define the Alliance's objectives. We are thankful for their collaboration and commitment. Together we welcome companies and organizations from all segments of industry to join our efforts."  

The Alliance is seeking additional members to support its initiatives. End-user companies, asset owners, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations are invited to join. Annual contributions to fund initiatives are based on company revenues and are tax-deductible. For more information about the Alliance, visit https://isaautomation.isa.org/cybersecurity-alliance/. Companies interested in joining the Alliance should contact Rick Zabel at rzabel@isa.org. Media and analyst inquiries should be directed to Jennifer Halsey at jhalsey@isa.org.  

Perspectives: Quotes from the ISA Global Cybersecurity Alliance Founding Members

"Over the last few years, global industry has recognized that taking on increasingly dangerous cyber risks can't be limited to a single company, segment, or region. However, until now, there has been limited ability to respond as a unified whole to these worldwide threats. But by establishing an open, collaborative, and transparent body, with a focus on strengthening people, processes, and technology, we can drive true cultural change. We are pleased that ISA has stepped forward, and we look forward to working openly and collaboratively with them, our fellow Founding Members, and many others affiliated with global industry, especially end users. Together we will bring to bear the standards-based technology, expertise, and special skills required to better secure and protect the world's most critical operations and the people and communities we serve."
--- Klaus Jaeckle, Chief Product Security Officer, Schneider Electric

"Cybersecurity is critical to digital transformation. It's critical not only for the protection of information and intellectual property, but also for the protection of physical assets, the environment, and worker safety. We make it a priority to collaborate with partners and research institutions to develop secure products. Rockwell Automation participated in the development of the 62443 standards from the beginning and continues to support ISA cybersecurity initiatives. Our engagement with the Global Cybersecurity Alliance will be another important step in our efforts to help customers identify and mitigate risks."
--- Blake Moret, CEO, Rockwell Automation

"At Honeywell, we see cybersecurity as a core part of the future we are making, and we see the Global Cybersecurity Alliance as an important way to work together to make that happen. Cybersecurity is critical to the connected world we live in and the cornerstone of trust that the world needs to be able to operate. Whether protecting critical infrastructure or managing a building's operations, users need to do this with the confidence that the employed systems are robust and secure. We are committed to and proud to work together with ISA and the GCA members to continue to drive the adoption of the ISA/IEC 62443 series of standards and identify further ways to secure and protect the connected world. Honeywell has a robust history with ISA and is also a founding member of the ISA Security Compliance Institute."
--- Matthew Bohne, Vice President and Chief of Product Security, Honeywell Building Technologies

"Digital transformation in the building sector continues to accelerate, which heightens the urgency for cybersecurity across the industry and beyond. As a leader in the industrial automation controls business, Johnson Controls is already a strategic member of the ISASecure program and is consistently taking proactive actions to protect customers against cyber-threats and risks. Joining ISA Global Cybersecurity Alliance is a necessary and meaningful step as it supports our company values, customer adoption of the ISA/IEC 62443 standard and efforts to educate global government and regulatory bodies. We are proud to solidify our commitment to this important effort."
--- Jason Christman, Vice President, Chief Product Security Officer, Global Products, Johnson Controls

"One of the most effective ways to drive consistency in an industry is by putting standards in place, and we're looking forward to collaborating with all of these founding members, as well as future Alliance members, to help drive global best-practices forward in this historically standard-less environment. Claroty is committed to the mission of protecting all IoT and OT networks from cyber risks. Through our work with the Global Cybersecurity Alliance, we will be able to help shape the future of cybersecurity in these high-risk industries."
--- Dave Weinstein, Chief Security Officer, Claroty

"Nozomi Networks believes real community collaboration, actionable standards and effective education are key to ensuring a secure future for industrial organizations around the world. That's why we are helping develop secure-by-design standards as a working member of ISA99 standards committees, why we've designed our industrial cyber security solutions for easy integration across the broadest possible set of industrial and IT technologies; and why we are thrilled to help establish the Global Cybersecurity Alliance. Together we will build a secure future for the industrial infrastructure that runs the world."
--- Andrea Carcano, Nozomi Networks Co-founder and Chief Product Officer

10 July 2019
New ISA Global Cybersecurity Alliance Accelerates Education, Readiness, and Knowledge Sharing

Research Triangle Park, North Carolina USA (10 July 2019) - The International Society of Automation (ISA), developer of ANSI/ISA 62443 series of automation and control systems cybersecurity standards (adopted by the International Electrotechnical Commission and endorsed by the United Nations), has created an open, collaborative forum to advance cybersecurity awareness, readiness, and knowledge sharing.  

The ISA Global Cybersecurity Alliance will bring together a global group of stakeholders from end-user companies, control system vendors, IT and OT infrastructure providers, system integrators, and others affiliated with global industry to benefit everyone, especially the communities in which we operate and serve.  

Industrial sectors, including manufacturing, commercial buildings, and critical infrastructure facilities, need to explore new ways to better prevent, mitigate, and respond to catastrophic threats and attacks on their safety- and mission-critical assets, operations, and applications.  

"Several leading automation and other technology providers have engaged ISA to explore how they can work with us to proactively increase awareness and adoption of cybersecurity best practices, standards, and compliance in all relevant sectors," said ISA Executive Director Mary Ramsey. "As an independent non-profit organization dedicated to improving operational excellence, ISA is uniquely able to fulfill the need for open, collaborative discussions and knowledge sharing."  

Among its defined objectives, the Global Cybersecurity Alliance will work to proliferate adoption of and compliance with global standards. The acceleration and expansion of standards will help address technology-related gaps and set best practices for managing processes within an open architecture. The Alliance will also develop certification and education programs for industry professionals; drive advocacy and thought leadership; and facilitate new levels of knowledge sharing among its members. Member companies will identify and prioritize initiatives, ensuring that the Alliance's approach is multi-faceted.  

"The ICS cybersecurity threat landscape is becoming more complex, with more direct attacks on control system, IT, and OT infrastructure. Frequently backed by hostile nation-states, malevolent actors are becoming more sophisticated at targeting specific aspects of industrial control systems that have the potential to wreak havoc in the physical world, such as process safety systems," said Larry O'Brien, Vice President of Research for ARC Advisory Group. "Standards and frameworks are valuable, but end users also need the resources to take the guidance provided by standards and put it into practice in real-world plant and OT environments. ARC applauds this effort to increase the security of industrial facilities."  

ISA will announce initial members of the Global Cybersecurity Alliance in the coming weeks, as the organization is currently in advanced conversations with several multi-national companies. Annual contributions to fund Alliance initiatives are based on company revenues and are tax-deductible. For more information, visit https://isaautomation.isa.org/cybersecurity-alliance/. End users, companies, and industry organizations interested in joining the Alliance should contact Rick Zabel at rzabel@isa.org. Media and analyst inquiries should be directed to Jennifer Halsey at jhalsey@isa.org.  


Founding Members

  • PAS
  • Xage Security
  • Mocana
  • Wallix
  • Bayshore
  • Senhasegura (supporting member)
  • Radiflow
  • exida
  • Munio Security
  • Digital Immunity
  • Tripwire
  • INL - Idaho National Laboratory
  • TDI ConsoleWorks
  • Eaton
  • KPMG
  • Surge Engineering
  • Petronas
  • UL

Join the Movement: Contact ISA to Learn More

Let’s talk about how your company or organization can join us—contact Rick Zabel at rzabel@isa.org or +1 919 990 9233. Press and media should contact ISA’s Director of Marketing and Communications, Jennifer Halsey, at jhalsey@isa.org or +1 919 990 9287.  