Welcome to the latest edition of the Cybersecurity Advocate, the official newsletter of the ISA Global Cybersecurity Alliance (ISAGCA). This issue includes an announcement about our new advisory board leadership and updates from two of our work groups. As we look ahead to 2021, we wish you and yours a safe and healthy holiday season.
ISAGCA has appointed a chairperson—Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric—and vice chairperson—Sharul Rashid, Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS—to its advisory board.
ISAGCA’s Advisory Board Chairperson Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric, is a security executive with a focus on industrial control systems security, critical infrastructure protection, and risk analysis. In taking her role at Schneider Electric, Samford became the first female CPSO at a major industrial company without first having been a CISO, a significant milestone for women in industrial control systems security. She is currently leading a community-driven effort under ISAGCA known as Incident Command System for Industrial Control Systems (ICS4ICS), which seeks to establish an operational incident response organization by Q1 2021. ICS4ICS includes a common language for responding to cyber incidents and provides avenues for mutual assistance between organizations.
“As the first Founding Member of the ISAGCA, Schneider Electric remains deeply committed to collaborating across industry to help our customers and all end users, regardless of segment and geography, secure and protect their people, assets and operations,” Samford said. “The ISA Standards Committee created the prevailing ISA/IEC 62443 series of standards by leveraging use cases from more than 20 different verticals. Our goal now is to build on that great work by expanding awareness, adoption, and application of the standard. I am excited to work with the diversity of ISAGCA membership to develop the programs and create the resources we need to meet our objectives. I am also excited to see community-identified needs and focused initiatives, like ICS4ICS, come to life through ISAGCA and its relationships with other non-profits and governments from around the world. Together, we will drive a standards-based, end-to-end approach—encompassing people, processes, and technology—to help safeguard global industry from sophisticated cyberattacks.”
The Advisory Board Vice Chairperson, Sharul Rashid, is Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS, Malaysia's fully integrated oil and gas company. Sharul has more than 30 years of experience managing and leading teams and strategies covering a diverse range of instrumentation and control issues in refineries, gas liquefaction, petrochemicals, and gas pipeline transmission. PETRONAS, the world’s fourth-largest exporter of LNG, will intensify efforts towards reducing direct emissions from operations and the electricity used by the company and recently pledged to become a net zero emitter of greenhouse gases by 2050.
“I am honored to work with my colleagues around the world to advance critical cybersecurity initiatives,” Rashid said. “Together, we will work to increase awareness and expertise, developing best practice tools to help companies successfully navigate the lifecycle of cybersecurity protection.”
For more news about ISAGCA, visit www.isa.org/isagca.
Word of mouth is spreading about ISAGCA and the ISA/IEC 62443 Series. Thank you for your continued support in this area!
ISA and IEC Approve a Standard for Industrial Cybersecurity Risk Assessment
ARC Advisory Council
11 August 2020
CISO Conversations: Understanding ISA/IEC 62443
24 August 2020
ISA99 Holds Virtual Plenary Meetings
ARC Advisory Council
21 October 2020
ISA Global Cybersecurity Alliance Welcomes Eight New Members
19 November 2020
ISA Global Cybersecurity Alliance Appoints Advisory Board Leadership
20 November 2020
What Every SAM Needs to Know About Cybersecurity
Strategic Account Management Association Blog
30 November 2020
We’ve collected a sampling of upcoming events related to ICS/OT/automation cybersecurity. At the time of writing this newsletter, all events are taking place online, but please check the event websites for the most up-to-date information.
Cybersecurity for Critical Assets APAC Virtual Conference
27-28 January 2021
*ISAGCA Advisory Board Vice Chairperson Sharul Rashid is a featured speaker
Cybersecurity for Critical Assets MENA Virtual Conference
1-2 February 2021
ICS CyberSec 2021 – What Next?
11 February 2021
ISA Upstream Data Analytics Virtual Conference
22 February 2021
*Hosted by ISA
SANS ICS Security Virtual Summit & Training
4-13 March 2021
ISA Analysis Division Virtual Conference
23 March 2021
*Hosted by ISA
NextGen SCADA Global 2021
24-25 March 2021
Third Party and Supply Chain Cybersecurity Virtual Summit
14-15 April 2021
Awareness & Outreach Work Group
The ISAGCA Awareness and Outreach Work Group focuses on cultivating awareness and engagement around important cybersecurity issues with industry and stakeholders across all relevant sectors. The group also serves as the primary marketing arm for ISAGCA’s objectives and accomplishments, managing inbound inquiries and outbound communications, media and analyst relations, event participation, speaking opportunities, etc.
i. Voiceover audio presentation explaining Figures 6 and 13; would also include a downloadable PDF with those figures highlighted
ii. Series of PowerPoint slides based on Figure 13 for asset owners, integrators, and vendors to use in project scoping/planning discussions
3. Arm the legislative advocacy task team with content elements to support their efforts
i. Article/position paper summarizing key messages for legislatures in the U.S., Europe, and Asia Pacific
ii. Research on media outlets in critical states/countries
4. Position ISA/IEC 62443 as a horizontal standard to prevent separation and disparity globally
1. White paper – describe applicability, use examples of how different segments are using 62443
2. Infographic or “one-pager” introducing ISAGCA and mapping standards to other vertical standards that reference 62443
3. Update the building automation overlay and re-release
4. Lay out segment profile creation process and roadmap
5. IIoT project work: applicability of 62443 devices and systems
Training & Education Work Group
The mission of the ISAGCA Training & Education Work Group is to deliver specific cyber workforce development initiatives with consideration to all relevant job functions and industry sectors, and to develop and promote cyber training courses, web seminars, and education certificates, as applicable.
Accomplishments to Date
1. Outlined a project to drive the development of an internationally recognized classification and requirements structure for the global automation systems cybersecurity workforce. The project defines job roles by aligning the widely used ISA/IEC 62443 standards with the Automation Competency Model (ACM), providing a reference for academics, professional training, and/or HR job roles.
2. Developed a whitepaper on the security lifecycles referencing automation roles.
3. Developed and provided operational technology (OT) input into the NIST Framework to expand it beyond IT, with the goal of having that input accepted and incorporated into the next version.
4. Developed and provided industrial internet systems course outline to an American University for their 2021 engineering undergrad program.
1. Support the development of online cyber training courses
1. Validate current work group in place and/or recruit training/education/HR representatives from ISAGCA member companies to provide specific input/perspective
2. Develop an ISA Global Education Advisory Council that will advise and counsel us on college, university, and community college needs, as applicable
ISAGCA’s blog features a wealth of insights from industry thought leaders, many of whom work for our member companies. To receive updates in your inbox each week, subscribe to the ISAGCA blog today.
Reassuring the Reshoring: A Cyber Risk Management Proposal
By Tom Finan, Willis Towers Watson
The reshoring of manufacturing to the U.S. and other advanced economies has been a slow but steady phenomenon for many years. A combination of government action spurred by COVID-19, changing economics, and increased automation promises to accelerate this trend. Wherever manufacturers locate, however, the sector is one with significant cyber risk for which most companies are unprepared. Reshoring presents the insurance industry with a unique opportunity to help.
Brokers, underwriters, and reinsurers should collaborate with manufacturers to develop cybersecurity best practices for reshorers. Companies that implement those best practices successfully should qualify for customized cyber insurance coverage tailored to their specific needs. This “test bed” approach would help create a virtuous cycle of cybersecurity improvement among this small but growing population of companies. Incorporating lessons learned, similar coverage eventually could be extended beyond reshorers to all organizations contending with cyber risk due to converging information technology (IT) and operational technology (OT) systems.
Structuring the ISA/IEC 62443 Standards
By Eric Cosman
Awareness of the ISA/IEC 62443 standards for industrial automation and control systems security has increased dramatically in recent years. Although these standards have existed for well over a decade, it has been the recent release of standards dealing with topics such as risk assessment, secure development lifecycles, and detailed component level security that has led to increased interest from a variety of industry sectors. Yet acceptance and adoption of these standards is still not where it should be.
Part of the reason for this is the amount of information included in the standards and their perceived complexity. In particular, asset owners find it daunting to fully understand the standards and are typically faced with the very real challenge of deciding how to begin to address what can be seen as a very complex and challenging topic. Awareness of what is available is certainly a good start, but it must be followed by understanding as a prerequisite to acceptance and adoption.
A Comprehensive Guide to Maritime Cybersecurity
Gartner Report: How to Develop a Security Vision and Strategy for Cyber-Physical Systems (complimentary access from PAS)
OT Cybersecurity Is Improving – Yet PAS Survey Reveals Faster Progress Is Needed to Address Growing Threats
PAS OptICS 2020 Content Now On-Demand – Strategies and Best Practices for OT Integrity
Defending Against Cyber Threats to BMS
Preventing Cyber Grid MIS-Operations
Zero Trust Remote Access for Industrial Operations
We’re building a roster of cybersecurity experts who are interested in sharing their knowledge at vendor-agnostic conferences and events around the world. We invite ISAGCA member companies to submit their experts to work with us as we deliver the latest, standards-based, unbiased information about cybersecurity.
Are you known for your thought leadership in the industry—or would you like to be? We hope you’ll consider the personal benefits of joining the ISAGCA Speakers’ Bureau in alignment with your own cybersecurity expertise.
To indicate your interest in the ISAGCA Speakers’ Bureau, click here to fill out our form.