Welcome to the latest edition of the Cybersecurity Advocate, the official newsletter of the ISA Global Cybersecurity Alliance (ISAGCA). This issue includes an announcement about our new priorities for 2021 and updates from three of our work groups.
The ISA Global Cybersecurity Alliance (ISAGCA), made up of 40 member companies, has established its priorities for the year ahead. The International Society of Automation created the ISA Global Cybersecurity Alliance to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The ISAGCA brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations together to proactively address growing threats.
The group’s 2021 priorities include:
“The technologies that control and automate the world’s most critical operations, including the facilities where we work and live, are under constant threat and attack,” said ISAGCA Advisory Board Chair Megan Samford, Vice President and Chief Product Security Officer for Schneider Electric’s Energy Management business. “Given how important the ISA/IEC 62443 standard has become to limiting, mitigating, and even eliminating these threats, the projects and programs we have launched within the ISA Global Cybersecurity Alliance this year will deliver clarity, alignment, and education and further our collective ability to improve control and automation systems cybersecurity.”
The ANSI/ISA 62443 series of automation and control systems cybersecurity standards, which were developed primarily by ISA, have been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations. The standards define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices and assessing electronic security performance. The standards approach the cybersecurity challenge holistically, bridging the gap between operations and information technology.
“Consistent, global adoption of the ISA/IEC 62443 series of standards will help vendors, third parties, end users—indeed the entire digital supply chain—effectively and proactively manage risks to their people, assets, and operations,” said ISAGCA Advisory Board Vice Chair Sharul Rashid, Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS. “The march of digital technology and open process automation initiatives means global industry continues to advance at great pace. But in our haste to reap the benefits of digitalization, we must not lose sight of cybersecurity as a key piece of the productivity puzzle. Our priorities this year will help keep global focus on securing critical assets from harm.”
Recently, the ISA Global Cybersecurity Alliance released two helpful, free guides for public use:
ISAGCA is made up of 40 member companies, representing more than $240 billion in aggregate revenue across more than 2,400 combined worldwide locations. Automation and cybersecurity provider members serve 31 different industries, underscoring the broad applicability of the ISA/IEC 62443 series of standards.
For more information about ISAGCA, visit www.isa.org/isagca.
Word of mouth is spreading about ISAGCA and the ISA/IEC 62443 Series. Thank you for your continued support in this area!
12 March 2021
Strengthening the IT security posture in corporates and industrials
McKinsey & Company
After Oldsmar: How vulnerable is US critical infrastructure?
23 February 2021
Florida Water Hack Shows Infrastructure Cyber Weakness
3 February 2021
ISA Global Cybersecurity Alliance lists 2021 agenda, to focus on ISA/IEC 62443 standards
Cybersecurity standards hit their stride
We’ve collected a sampling of upcoming events related to ICS/OT/automation cybersecurity. At the time of writing this newsletter, all events are taking place online, but please check the event websites for the most up-to-date information.
Third Party and Supply Chain Cybersecurity Virtual Summit
14-15 April 2021
Black Hat Asia
4-7 May 2021
Cyber Security for Industrial Control Systems
5-6 May 2021
6 May 2021
ISA IIoT & Smart Manufacturing Conference
11 May 2021
*Hosted by ISA
17-20 May 2021
Awareness & Outreach Work Group
The ISAGCA Awareness and Outreach Work Group aims to cultivate awareness and engagement around important cybersecurity issues with industry and stakeholders across all relevant sectors. The group also serves as the primary marketing and communications arm for ISAGCA’s objectives and accomplishments.
In Q1 2021, the Awareness & Outreach Group selected Padilla as ISAGCA’s agency of record. ISAGCA and Padilla will work together to address the following priorities in 2021:
The Awareness & Outreach Work Group has also identified topics and dates for a series of multi-company webinars. The next step will be booking speakers. The topics and dates are as follows:
• Zero Trust Access, including the challenges of implementing this strategy in OT settings and how it can be done effectively to bring the biggest benefits to your security posture
• Secure Remote Access, including examples of how COVID has forced employees, contractors, and vendors to operate remotely and the cybersecurity challenges that have resulted; we’ll look at the proper architectures for operating securely in a remote environment
• Secure Data Sharing (for OT networks), showing how your shared data is used to make critical decisions that affect operations, and sharing basic guidelines and best practices for ensuring data authenticity, integrity, and privacy
• Multiparty Access Management, including tips on how to effectively manage identities from multiple organizations, create policies around them, and enforce zero-trust granular access
• Vulnerability Patch and Mitigation Management, including high-level guidance for suppliers, end users, integrators, service providers, et al., on resolving the issues and challenges of updating OT devices
Other content development projects underway include three whitepapers addressing various aspects of the ISA/IEC 62443 series of standards and their applicability across industries.
Advocacy & Adoption Work Group
The ISAGCA Advocacy & Adoption Work Group plans to create a heat map showing government relations (GR) activities occurring globally (including at various levels of government), as well as competency efforts required by various countries and regions.
Other updates include:
Training & Education Work Group
The ISAGCA Training & Education Work Group has named its new Member Champions. These T&E Champions will be guiding ISA/IEC 62443 training and workforce development activities for 2021. The first project has already launched – the micro-learning modules (overview below) will be coordinated with the ISAGCA Awareness & Outreach Work Group to ensure promotion.
Introducing the 2021 T&E Champions
Shane Stailey is a Senior Industrial Control Systems Cybersecurity Professional with three decades of success in learning, teaching, broadening, and applying information across multiple business streams with a wide range of technical variety. Shane specializes in combining creative thinking, outside-the-box analysis, and practitioner-level application to solve real-world problems. As a first-generation professional educated to the master’s and doctoral level, he is well aware of the value that can come from merging ‘pure work’, ‘consistent learning’, and ‘determined perseverance’, despite life’s adversities, to reach professional and personal goals and accomplishments.
Sean McBride is an Industrial Cybersecurity Engineering Technology Coordinator/Instructor. Within Idaho State University’s Energy Systems Technology Education Center (ESTEC), Sean runs the nation’s only two-year, hands-on degree specializing in defending industrial facilities from cyber attacks and incidents. Sean joined ISU after leaving FireEye, where he developed the firm’s Industrial Control Systems (ICS) security business strategy. Sean’s professional accomplishments include pioneering work in threat and vulnerability intelligence, which evolved into the DHS ICS-CERT, and co-founding Critical Intelligence to focus on the unique intelligence needs of industrial entities. Over the past decade, Sean has written extensively for his customers, provided expert analysis for the popular press, and briefed the results of his work at leading professional conferences such as RSA and S4.
Glenn Merrell, CAP, is a senior industry consultant applying extensive SME experience in Industrial Control Systems (ICS), automation, safety, Critical Infrastructure Protection (CIP), and robotics. He is an ISA Certified Automation Professional with over 35 years of cross-sector, multi-discipline expertise in industrial control systems, with a wide expertise base in real-time control systems including, but not limited to, electrical, instrumentation, process, manufacturing, machine and factory automation, Safety Instrumented Systems (SIS), industrial networks, SCADA, IACS cybersecurity, and many others.
Glenn is an active standards committee member of many Critical Infrastructure Protection sector professional groups, including ISA5 (symbols and diagrams), ISA18 (signals and alarms), ISA84 (functional safety), ISA/IEC 99/62443 (industrial automation and control systems security), and ISA101 (HMI). He also sits as an ICS cybersecurity professional and ICSJWG member on the US Department of Homeland Security (DHS) US-CERT Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector, Workforce Development, Vendor, R&D, and International workgroups.
Micro-Learning Modules (MLMs)
ISA Education is collaborating with a task group from the ISA99 WG10 committee to create micro-learning modules (MLMs): short (5-10 minute), on-demand education modules on ISA/IEC 62443 topics. The initial goal is to produce 12 modules targeted at executives and management to raise awareness of cybersecurity risks and issues. The team is also creating technical MLMs, of which more than 60 have been identified to date and are in various stages of development.
These modules can be arranged into Learning Maps to suggest a path through available materials tailored to a given audience. Currently, over a dozen Learning Maps have been drafted. The MLMs and Learning Maps have been integrated with an ISA tool (more to come) to track development and collect comments.
ISAGCA’s blog features a wealth of insights from industry thought leaders, many who work for our member companies. To receive updates in your inbox each week, subscribe to the ISAGCA blog today.
The Connection Between Cybersecurity and Safety
John Cusimano, aeSolutions
The funny thing about human nature is that we tend to assume things are going to work—until they don’t.
The recent power crisis in Texas is a good reminder of that. Everyone assumes the power system is going to work—until it doesn’t. Who would have thought that a few days of weather in the teens would nearly collapse the power system in the state of Texas for days? It’s a little reminiscent of the Fukushima nuclear incident about 10 years ago. Who would have thought that a once-in-a-lifetime tsunami would cause a meltdown of a nuclear reactor on the coast of Japan behind a 19-foot-high seawall? There are plenty more examples.
The same phenomenon occurs with security and cybersecurity breaches. It is human nature to assume that people will follow the law, respect boundaries, and not harm others—until they don’t. In a world run by computers, it doesn’t take a lot of creativity to imagine what could happen if these computers stopped working—or worse, if they were tampered with to a degree that you could not trust the integrity of the data.
Cybersecurity Risk Assessment According to ISA/IEC 62443-3-2
Patrick O’Brien, exida
As cybersecurity for industrial automation continues to evolve, it becomes increasingly important to fundamentally understand, evaluate, and manage cybersecurity risks. Recent attacks such as the one on the Oldsmar Water Treatment Facility further emphasize the need for cybersecurity risk management and demonstrate how cyber incidents have the potential to cause not just financial, but also significant safety and environmental consequences.
The objective of effective cybersecurity management should be to keep the industrial automation system in a state that is consistent with corporate risk criteria. In many organizations, ownership of industrial automation cybersecurity falls to controls engineers or similar positions that may have limited time available to focus on security, making it essential that cybersecurity risk is managed in a manner that is both time-efficient and effective.
1898 & Co.
We’re building a roster of cybersecurity experts who are interested in sharing their knowledge at vendor-agnostic conferences and events around the world. We invite ISAGCA member companies to submit their experts to work with us as we deliver the latest, standards-based, unbiased information about cybersecurity.
Are you known for your thought leadership in the industry—or would you like to be? We hope you’ll consider the personal benefits of joining the ISAGCA Speakers’ Bureau in alignment with your own cybersecurity expertise.
To indicate your interest in the ISAGCA Speakers’ Bureau, click here to fill out our form.