April 2020

Welcome to the first newsletter of the ISA Global Cybersecurity Alliance! We plan to release a new issue each quarter to share news and updates about our work in automation cybersecurity. This inaugural issue includes information on our first work product (a guide to the ISA/IEC 62443 Series of Standards), news about the current global pandemic and its impact on industry, and a helpful overview of the ISAGCA (in our FAQ section below).

A Note on COVID-19

In these uncertain times, we hope you are staying safe and healthy. The world is changing fast, and bad actors in cyberspace are changing along with it. Automation cybersecurity is more critical than ever before: the world depends on our systems running correctly. Our work as a group contributes to our own resilience and the resilience of our global economies. Don't miss the first article in this issue, focused on our community's response.

Our Community is Our Best Defense
ISA Global Cybersecurity Alliance Reflects on the COVID-19 Crisis

In times of uncertainty, it’s human nature to retreat and protect yourself and your family; literally, to “shelter in place.” Our industries don’t have that luxury. Much like healthcare workers, manufacturers and utilities companies are essential personnel—and if we stop working, the lights go off, production halts, and consumers have a much larger problem than an empty toilet paper shelf.

Instead of retreating, our industries must come together and focus on what works. Utilize time-tested, proven approaches to challenges we’ve faced before. Leverage new technologies while keeping the fundamentals of safety and security as a top priority.

Standards are a powerful weapon in the face of uncertainty, especially now. Supply chain challenges, demand for real-time production shifts, an ever-expanding definition of hazardous environments, and new labor constraints are forcing many companies to accelerate digital transformation projects. Without standards and best practices to guide these transformations, we would be opening our industries to tremendous—and unprecedented—risk.

Read more on the ISA Global Cybersecurity Alliance blog.

ISAGCA Releases Comprehensive, Easy-to-Navigate Overview of the ISA/IEC 62443 Series of Standards

The ISA Global Cybersecurity Alliance’s Advocacy and Adoption work group has overseen the development of a brand new, user-friendly overview of the ISA/IEC 62443 series of standards. The guide answers often-asked questions about the standards, including:  

  • Why is the series of standards important? What are the benefits of using the standards?
  • How are IT and ICS systems different? 
  • Which documents are part of the series and how can I navigate them to find what I need? 
  • Where can I find the current recommendations around patch management?

In addition to providing an overview of the objectives and benefits of the series, the guide also identifies specific standards documents that are applicable to various roles within the security environment, including asset owners, automation product suppliers, system integrators, and maintenance providers.

The guide is available at no cost – simply visit www.isa.org/cyberguide to request your copy.  

ISAGCA’s Work Groups Are Developing Helpful Resources, and Recruiting Volunteers from Member Companies 

ISAGCA is organized into four work groups: Awareness & Outreach; Compliance & Prevention; Education & Training; and Advocacy & Adoption. Within each work group, subject matter experts from member companies, ISA staff, and invited external resources collectively engage to prioritize and execute projects that the group believes will help companies and industries around the world to better understand and promote cybersecurity awareness.  

The Awareness & Outreach Work Group focuses on cultivating awareness and engagement around important cybersecurity issues with industry and stakeholders across all relevant sectors. The group also serves as the primary marketing arm for the ISAGCA’s objectives and accomplishments, managing inbound inquiries and outbound communications, media and analyst relations, event participation, speaking opportunities, etc. The group has created an ISAGCA Speakers’ Bureau to facilitate speaking engagements globally, and cybersecurity experts from member companies are encouraged to join by signing up with this form. The Awareness & Outreach group also manages the brand-new ISAGCA Blog, Building a Resilient World: Practical Automation Cybersecurity, and the publication of this newsletter.

The Compliance and Prevention Work Group is focused on expanding and developing compliance, prevention, and harmonization initiatives to leverage collective expertise and intelligence of member companies for the good of industry. The group is working on the development of a roadmap for expanded cooperation with worldwide governments that are currently referencing the standards in their regulatory requirements or recommended practices. During the ISAGCA’s first annual face-to-face member meeting in May, member companies will share their insights about regulatory environments around the world and identify priority legislation for increased focus and education. The group will also be working to develop and publish industry vertical overlays to the ISA/IEC 62443 standards for building automation, medical devices, and other sectors.  

The Advocacy and Adoption Work Group focuses on expanding and extending the adoption and use of cybersecurity standards worldwide, by creating and maintaining relationships with key stakeholder groups and agencies, organizing opportunities to work together with other organizations globally, and developing materials that help all relevant sectors better utilize standards and technical guidance. The group just released its first project – the Overview of the ISA/IEC 62443 Series of Standards, freely available for download at www.isa.org/cyberguide. Members within this work group will be working on two projects in the coming months: a consolidated matrix that cross-references all cybersecurity-related standards to ISA/IEC 62443 principles; and contributing to the work of the ISA99 committee to create an online toolkit to enhance user experience and understanding of the standards.  

The Training and Education Work Group identifies, scopes, plans, and executes specific workforce development initiatives with consideration to all relevant job functions and industry sectors. Potential projects include development and/or proliferation of training courses, web seminars, educational events, certificates or certification programs, etc. The group’s first project is a tutorial kit entitled “The Shared Responsibility of OT Cybersecurity” and explores specific roles and responsibilities of stakeholders involved in implementation projects. This multi-dimensional reference guide will map cybersecurity lifecycle phases to specific standards, along with the knowledge, skills, and abilities needed to manage each phase based on the stakeholder’s unique role throughout the process.

The ISAGCA welcomes experts from all member companies to join our work groups and participate with us. If you’d like to be included in one of the work groups, please contact Vernetta Eastman at veastman@isa.org.  

ISA Global Cybersecurity Alliance Partners with ISASecure and LOGIIC to Streamline Engagement for Leading Asset Owners

It’s often difficult for asset owners to participate in multiple industry groups or consortia efforts, especially if there are multiple options for engaging on a specific topic. There’s no shortage of organizations working on automation cybersecurity, and many asset owners are challenged to find the time and expertise to participate meaningfully in multiple initiatives. That’s why the ISA Global Cybersecurity Alliance has welcomed ISASecure and LOGIIC into its member company ranks, even though both entities are organizations with multiple users and vendors. With the addition of these two organizations into the ISAGCA member ranks, each will be able to provide liaisons to work groups and ensure continuity and consistency across the landscape of cybersecurity efforts.

ISASecure’s mission is to decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders. The ISASecure program ensures that industrial automation control products conform to industry consensus cyber security standards, providing confidence to users and creating product differentiation for suppliers. Members of ISASecure build and enhance industry standards compliance programs, education, technical support, and improvements in suppliers’ development processes and users’ life cycle management practices. Notable members of the ISA Security Compliance Institute include Chevron, ExxonMobil, Honeywell, Johnson Controls, Schneider Electric, Yokogawa, exida, Control System Security Center, YPF, Japan Information Technology Promotion Agency, Royal Dutch Shell plc, TUV Rheinland, DNV GL, TUV SUD, and WisePlant HQ.

The LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program is an ongoing collaboration of oil and natural gas companies and the U.S. Department of Homeland Security, Science and Technology Directorate. LOGIIC undertakes collaborative research and development projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. The objective is to promote the interests of the sector while maintaining impartiality, the independence of the participants, and vendor neutrality. Current members of LOGIIC include BP, Chevron, ExxonMobil, Shell, Total, ConocoPhillips, and other large oil and gas companies that operate significant global energy infrastructure.

FAQ: Frequently Asked Questions about the ISA Global Cybersecurity Alliance

What is the purpose of the ISAGCA?  

The purpose of the ISAGCA is to help companies and communities stay ahead of the threat curve. We want to foster a sustainable, secure environment for all industry segments to thrive and grow.  

ISA believes that industry needs an open, inclusive, collaborative body that can drive cultural change. We see the cybersecurity challenge as three-pronged: we need to effectively train and validate the skills of our people; we need to comprehensively and consistently apply standards to protect our processes; and we need to leverage compliance programs to ensure the development of secure technology.  

What are the primary drivers of the industrial cybersecurity problem? What’s making this so complicated and difficult to address?  

The factors that are triggering increases in threats and vulnerabilities are the same factors that we depend on to bring increased efficiency, connectivity, and reliability. These factors include:  

  • IIoT and digital transformation
  • OT/IT convergence 
  • Legacy systems 
  • Multi-vendor environments 
  • Skill gaps and contract workforces

What kinds of organizations can join the ISAGCA?  

The ISA Global Cybersecurity Alliance welcomes end users, asset owners, automation and control systems vendors, cybersecurity technology vendors, IT infrastructure providers, system integrators, industry organizations, government agencies, insurance companies, and other stakeholders.  

Members who join the alliance will specify the needs of the industries they represent and ultimately shape the solutions we provide. ISA brings the raw material (the standards themselves, for instance), and the companies who join the Alliance bring the contextual use cases to help us create new resources and materials to help people apply the standards in the most effective and useful ways. Members of the Alliance will also have a chance to leverage the talent inside of their companies to share and build solutions with their peers, inspiring a cyber-aware culture within their companies that will serve them well for decades to come. It’s critical that all employees, at all levels, are engaged in the cyber discussion, and our member companies will have unique and fulfilling ways to make that happen.

How will end users/customers benefit from the existence of the ISA Global Cybersecurity Alliance?  

Accelerating and expanding standards, certification, and education programs will increase workforce competence. These initiatives help end users identify gaps, reduce risks, and ensure they have the tools and systems they need to protect their facilities and installations.  

What makes the ISAGCA different from other groups?  

ISAGCA differs from other bodies because it is truly open to all organizations engaged in industrial cybersecurity – we welcome end users, other suppliers, government agencies from around the world, and other groups to join us. The ISAGCA is practical and tactical. ISA has published the 62443 standards that tell us the “what” for securing technology. ISAGCA is developing the training, tools and know-how to bridge the gap between the standards and implementation of the standards (the “how”).  

How do we make sure that this is international and not only U.S.-driven?

An important objective of the ISA Global Cybersecurity Alliance is to extend the ISA/IEC 62443 series of standards and work with global governments and agencies to harmonize our approach to industrial cybersecurity. We intend to work with regional standards groups to increase reliance on ISA/IEC 62443 and where necessary, align individual standards with the guidance in ISA/IEC 62443.

We Are Everywhere!
ISAGCA is made up of 31 member companies, representing more than $110 billion in aggregate revenue across more than 2,000 combined worldwide locations. Our automation and cybersecurity provider members serve 29 different industries, providing automation and cybersecurity expertise to asset owners around the world. 
 

ISAGCA News Highlights

ISAGCA is already seeing traction in the media, often in concert with our member companies. Thank you for your help spreading the word! Here are a few of the recent appearances we’re celebrating.

We Rely on Our Members 

Our members as of April 2020:

PAS
xage security
MOCANA
Wallix
Bayshore
Supporting Member - senhasegura
radiflow
exida
Munio Security
tripwire
INL - Idaho National Laboratory