December 2020

Welcome to the latest edition of the Cybersecurity Advocate, the official newsletter of the ISA Global Cybersecurity Alliance (ISAGCA). This issue includes an announcement about our new advisory board leadership and updates from two of our work groups. As we look ahead to 2021, we wish you and yours a safe and healthy holiday season.

ISAGCA Appoints Advisory Board Leadership

ISAGCA has appointed a chairperson—Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric—and vice chairperson—Sharul Rashid, Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS—to its advisory board.

ISAGCA’s Advisory Board Chairperson Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric, is a security executive with a focus on industrial control systems security, critical infrastructure protection, and risk analysis. In taking her role at Schneider Electric, Samford became the first female CPSO for a major industrial without first being a CISO, a significant milestone for women in industrial control systems security. She is currently leading a community-driven effort under ISAGCA known as Incident Command System for Industrial Control Systems (ICS4ICS), which seeks to establish an operational incident response organization by Q1 2021. ICS4ICS includes a common language for responding to cyber incidents and provides avenues for mutual assistance between organizations.

“As the first Founding Member of the ISAGCA, Schneider Electric remains deeply committed to collaborating across industry to help our customers and all end users, regardless of segment and geography, secure and protect their people, assets and operations,” Samford said. “The ISA Standards Committee created the prevailing ISA/IEC 62443 series of standards by leveraging use cases from more than 20 different verticals. Our goal now is to build on that great work by expanding awareness, adoption, and application of the standard. I am excited to work with the diversity of ISAGCA membership to develop the programs and create the resources we need to meet our objectives. I am also excited to see community-identified needs and focused initiatives, like ICS4ICS, come to life through ISAGCA and its relationships with other non-profits and governments from around the world. Together, we will drive a standards-based, end-to-end approach—encompassing people, processes, and technology—to help safeguard global industry from sophisticated cyberattacks.”

The Advisory Board Vice Chairperson, Sharul Rashid, is Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS, Malaysia's fully integrated oil and gas company. Sharul has more than 30 years of experience managing and leading teams and strategies covering a diverse range of instrumentation and control issues in refineries, gas liquefaction, petrochemicals, and gas pipeline transmission. PETRONAS, the world’s fourth-largest exporter of LNG, will intensify efforts towards reducing direct emissions from operations and the electricity used by the company and recently pledged to become a net zero emitter of greenhouse gases by 2050.

“I am honored to work with my colleagues around the world to advance critical cybersecurity initiatives,” Rashid said. “Together, we will work to increase awareness and expertise, developing best practice tools to help companies successfully navigate the lifecycle of cybersecurity protection.”

For more news about ISAGCA, visit www.isa.org/isagca

ISAGCA in the News

Word of mouth is spreading about ISAGCA and the ISA/IEC 62443 Series. Thank you for your continued support in this area!

ISA and IEC Approve a Standard for Industrial Cybersecurity Risk Assessment
ARC Advisory Council
11 August 2020

CISO Conversations: Understanding ISA/IEC 62443
Dark Reading
24 August 2020

ISA99 Holds Virtual Plenary Meetings
ARC Advisory Council
21 October 2020

ISA Global Cybersecurity Alliance Welcomes Eight New Members
Automation.com
19 November 2020

ISA Global Cybersecurity Alliance Appoints Advisory Board Leadership
Automation.com
20 November 2020

What Every SAM Needs to Know About Cybersecurity
Strategic Account Management Association Blog
30 November 2020

Upcoming Events

We’ve collected a sampling of upcoming events related to ICS/OT/automation cybersecurity. At the time of writing this newsletter, all events are taking place online, but please check the event websites for the most up-to-date information.

Cybersecurity for Critical Assets APAC Virtual Conference
27-28 January 2021
*ISAGCA Advisory Board Vice Chairperson Sharul Rashid is a featured speaker

Cybersecurity for Critical Assets MENA Virtual Conference
1-2 February 2021

ICS CyberSec 2021 – What Next?
11 February 2021

ISA Upstream Data Analytics Virtual Conference
22 February 2021
*Hosted by ISA

SANS ICS Security Virtual Summit & Training
4-13 March 2021

ISA Analysis Division Virtual Conference
23 March 2021
*Hosted by ISA

NextGen SCADA Global 2021
24-25 March 2021

Third Party and Supply Chain Cybersecurity Virtual Summit
14-15 April 2021

ISAGCA Work Group Updates – December 2020

Awareness & Outreach Work Group

The ISAGCA Awareness and Outreach Work Group focuses on cultivating awareness and engagement around important cybersecurity issues with industry and stakeholders across all relevant sectors. The group also serves as the primary marketing arm for the ISAGCA’s objectives and accomplishments, managing inbound inquiries and outbound communications, media and analyst relations, event participation, speaking opportunities, etc.

Recent Accomplishments and Proposed Projects

1. Recent release and promotion of ISAGCA Guide to Security Lifecycles in the ISA/IEC 62443 Series

a. Download the guide
b. Press release announcement

2. Break down the ISAGCA Guide to Security Lifecycles into multiple content elements

a. Recent:
i. Executive summary repurposed as a blog post
ii. IACS Taxonomy Glossary

b. Proposed:
i. Voiceover audio presentation explaining Figures 6 and 13; would also include a downloadable PDF with those figures highlighted
ii. Series of PowerPoint slides based on Figure 13 for asset owners, integrators, and vendors to use in project scoping/planning discussions

3. Arm the legislative advocacy task team with content elements to support their efforts

a. Proposed:
i. Article/position paper summarizing key messages for legislatures in the U.S., Europe, and Asia Pacific
ii. Research on media outlets in critical states/countries

4. Position ISA/IEC 62443 as a horizontal standard to prevent separation and disparity globally

a. Proposed:
i. White paper – describe applicability, use examples of how different segments are using 62443
ii. Infographic or “one-pager” introducing ISAGCA and mapping standards to other vertical standards that reference 62443
iii. Update the building automation overlay and re-release
iv. Lay out segment profile creation process and roadmap

5. IIoT project work: applicability of 62443 devices and systems



Training & Education Work Group

The mission of the ISAGCA Training & Education Work Group is to deliver specific cyber workforce development initiatives with consideration to all relevant job functions and industry sectors, and to develop & promote cyber training courses, web seminars, and education certificates, as applicable.

Accomplishments to Date 

1. Outlined a project to drive the development of an internationally recognized classification and requirements structure for the global automation systems cybersecurity workforce by defining job roles based on alignment of the widely used ISA/IEC 62443 standards and the Automation Competency Model (ACM) for a reference to academics, professional training, and/or HR job roles (place in priority order).
2. Developed a whitepaper on the security lifecycles referencing automation roles.
3. Developed and provided operating technology (OT) input into the NIST Framework to expand beyond IT, hoping to be accepted and incorporated into their next version.
4. Developed and provided industrial internet systems course outline to an American University for their 2021 engineering undergrad program.

For 2021

1. Support the development of online cyber training courses

Next Steps

1. Validate current work group in place and/or recruit training/education/HR representatives from ISAGCA member companies to provide specific input/perspective
2. Develop an ISA Global Education Advisory Council who will advise and counsel us on college, university, and community college needs, as applicable

Perspectives from the Blog

ISAGCA’s blog features a wealth of insights from industry thought leaders, many of whom work for our member companies. To receive updates in your inbox each week, subscribe to the ISAGCA blog today.


Reassuring the Reshoring: A Cyber Risk Management Proposal

By Tom Finan, Willis Towers Watson

The reshoring of manufacturing to the U.S. and other advanced economies has been a slow but steady phenomenon for many years. A combination of government action spurred by COVID-19, changing economics, and increased automation promises to accelerate this trend. Wherever manufacturers locate, however, the sector is one with significant cyber risk for which most companies are unprepared. Reshoring presents the insurance industry with a unique opportunity to help.

Brokers, underwriters, and reinsurers should collaborate with manufacturers to develop cybersecurity best practices for reshorers. Companies that implement those best practices successfully should qualify for customized cyber insurance coverage tailored to their specific needs. This “test bed” approach would help create a virtuous cycle of cybersecurity improvement among this small but growing population of companies. Incorporating lessons learned, similar coverage eventually could be extended beyond reshorers to all organizations contending with cyber risk due to converging information technology (IT) and operational technology (OT) systems.

Read more on the ISAGCA blog.

Structuring the ISA/IEC 62443 Standards
By Eric Cosman 

Awareness of the ISA/IEC 62443 standards for industrial automation and control systems security has increased dramatically in recent years. Although these standards have existed for well over a decade, it has been the recent release of standards dealing with topics such as risk assessment, secure development lifecycles, and detailed component level security that has led to increased interest from a variety of industry sectors. Yet acceptance and adoption of these standards is still not where it should be.

Part of the reason for this is the amount of information included in the standards and their perceived complexity. In particular, asset owners find it daunting to fully understand the standards and are typically faced with the very real challenge of deciding how to begin to address what can be seen as a very complex and challenging topic. Awareness of what is available is certainly a good start, but it must be followed by understanding as a prerequisite to acceptance and adoption.

Read more on the ISAGCA blog.

Call for Submissions:
Join the ISAGCA Speakers’ Bureau

We’re building a roster of cybersecurity experts who are interested in sharing their knowledge at vendor-agnostic conferences and events around the world. We invite ISAGCA member companies to submit their experts to work with us as we deliver the latest, standards-based, unbiased information about cybersecurity.

Are you known for your thought leadership in the industry—or would you like to be? We hope you’ll consider the personal benefits of joining the ISAGCA Speakers’ Bureau in alignment with your own cybersecurity expertise.

Benefits

  • Personally raise awareness about critical cybersecurity issues
  • Elevate your profile in the industry and showcase your expertise on a global scale
  • Be recognized as a speaker before and after events in social and promotional channels
  • Engage conference audience and program committees, building your reputation as a conference speaker
  • Maximize your time investment on the speaking circuit, representing your organization as well as ISAGCA
  • Build new inroads into adjacent areas of expertise, opening opportunities for other speaking engagements, content features, and so on
  • ISAGCA staff are on hand to assist you with presentation materials, logistics, and communication with event representatives
  • Sign-up is simple, with flexible options

To indicate your interest in the ISAGCA Speakers’ Bureau, click here to fill out our form.

We Rely on Our Members 

Thank you for your support as we head into 2021.
Our members as of December 2020:

PAS
xage security
MOCANA
Wallix
Bayshore
Supporting Member - senhasegura
radiflow
exida
Munio Security
tripwire
INL - Idaho National Laboratory
Deloitte
TDI ConsoleWorks
Eaton
Idaho State University
UL
Petronas
Surge Engineering
KPMG