March 2021

Welcome to the latest edition of the Cybersecurity Advocate, the official newsletter of the ISA Global Cybersecurity Alliance (ISAGCA). This issue includes an announcement about our new priorities for 2021 and updates from three of our work groups.

ISA Global Cybersecurity Alliance Sets Priorities for 2021

The ISA Global Cybersecurity Alliance (ISAGCA), made up of 40 member companies, has established its priorities for the year ahead. The International Society of Automation created the ISA Global Cybersecurity Alliance to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The ISAGCA brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations together to proactively address growing threats.

The group’s 2021 priorities include:

  • Advocating the inclusion of the ISA/IEC 62443 series of cybersecurity standards in global policies that intend to improve critical infrastructure cybersecurity
  • Publishing a fully detailed, auditable cross-referencing guide that maps the ISA/IEC 62443 series of standards to other cybersecurity standards across multiple industries
  • Issuing comparison analysis reports that identify the implications of selecting and applying the ISA/IEC 62443 series of standards and help minimize the effort it takes to comply with cybersecurity standards and policies
  • Creating an insurance underwriters’ work group that will determine how to leverage ISA/IEC 62443 in creating and adjusting cybersecurity-related insurance policies
  • Publishing a two-part report that analyzes the use of ISA/IEC 62443 to secure IIoT reference architectures: Phase 1 (Securing IIoT devices and gateways) and Phase 2 (Securing cloud-based system-level functionality)
  • Formalizing recommended best practices to improve cyber incident response plans, in collaboration with the ICS4ICS public-private partnership tasked with creating an incident command system for industrial control systems
  • Making available a slate of new educational training, including an operations technology-focused course on basic cybersecurity hygiene for technicians and operators and microlearning modules about cybersecurity principles and the basics of the ISA/IEC 62443 series of standards

“The technologies that control and automate the world’s most critical operations, including the facilities where we work and live, are under constant threat and attack,” said ISAGCA Advisory Board Chair Megan Samford, Vice President and Chief Product Security Officer for Schneider Electric’s Energy Management business. “Given how important the ISA/IEC 62443 standard has become to limiting, mitigating, and even eliminating these threats, the projects and programs we have launched within the ISA Global Cybersecurity Alliance this year will deliver clarity, alignment, and education and further our collective ability to improve control and automation systems cybersecurity.”

The ANSI/ISA 62443 series of automation and control systems cybersecurity standards, which were developed primarily by ISA, have been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations. The standards define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices and assessing electronic security performance. The standards approach the cybersecurity challenge holistically, bridging the gap between operations and information technology.

“Consistent, global adoption of the ISA/IEC 62443 series of standards will help vendors, third parties, end users—indeed the entire digital supply chain—effectively and proactively manage risks to their people, assets, and operations,” said ISAGCA Advisory Board Vice Chair Sharul Rashid, Custodian Engineer and Group Technical Authority of Instrumentation and Control at PETRONAS. “The march of digital technology and open process automation initiatives means global industry continues to advance at great pace. But in our haste to reap the benefits of digitalization, we must not lose sight of cybersecurity as a key piece of the productivity puzzle. Our priorities this year will help keep global focus on securing critical assets from harm.”

Recently, the ISA Global Cybersecurity Alliance released two helpful, free guides for public use:

  • Quick Start Guide: An Overview of the ISA/IEC 62443 Standards (www.isa.org/cyberguide): A user-friendly overview answering often-asked questions about ISA/IEC 62443 series of standards
  • Security Lifecycles in the ISA/IEC 62443 Series (www.isa.org/securitylifecycles): A whitepaper that provides a high-level view of the product security lifecycle and the automation solution security lifecycle, and defines IACS principal roles and responsibilities

ISAGCA is made up of 40 member companies, representing more than $240 billion in aggregate revenue across more than 2,400 combined worldwide locations. Automation and cybersecurity provider members serve 31 different industries, underscoring the broad applicability of the ISA/IEC 62443 series of standards.

For more information about ISAGCA, visit www.isa.org/isagca.

ISAGCA in the News

Word of mouth is spreading about ISAGCA and the ISA/IEC 62443 Series. Thank you for your continued support in this area!

12 March 2021
Strengthening the IT security posture in corporates and industrials
McKinsey & Company

March 2021
After Oldsmar: How vulnerable is US critical infrastructure?
TechTarget

23 February 2021
Florida Water Hack Shows Infrastructure Cyber Weakness
Business Insurance

3 February 2021
ISA Global Cybersecurity Alliance lists 2021 agenda, to focus on ISA/IEC 62443 standards
Industrial Cyber

November/December 2020
Cybersecurity standards hit their stride
InTech Magazine

Upcoming Events

We’ve collected a sampling of upcoming events related to ICS/OT/automation cybersecurity. At the time of writing this newsletter, all events are taking place online, but please check the event websites for the most up-to-date information.

Third Party and Supply Chain Cybersecurity Virtual Summit
14-15 April 2021

Black Hat Asia
4-7 May 2021

Cyber Security for Industrial Control Systems
5-6 May 2021

CS4CA World
6 May 2021

ISA IIoT & Smart Manufacturing Conference
11 May 2021
*Hosted by ISA

RSA Conference
17-20 May 2021

2021 Industrial Control Systems (ICS) Cyber Security Conference | Singapore/APAC
22-24 June 2021

ISAGCA Work Group Updates – March 2021

Awareness & Outreach Work Group

The ISAGCA Awareness and Outreach Work Group aims to cultivate awareness and engagement around important cybersecurity issues with industry and stakeholders across all relevant sectors. The group also serves as the primary marketing and communications arm for ISAGCA’s objectives and accomplishments.

In Q1 2021, the Awareness & Outreach Group selected Padilla as ISAGCA’s agency of record. ISAGCA and Padilla will work together to address the following priorities in 2021:

  • Drive earned media placements: Manage interviews, pitch content, and place collateral
  • Work with ISAGCA members and ISA experts to drive awareness of ISAGCA strategic initiatives in three key areas: Securing the Supply Chain, The Importance of Standardization and the ISA/IEC 62443 Series, and The Role of Cybersecurity in Digital Transformation
  • ISAGCA will form three Thought Leadership Councils on these topics to serve as educators and spokespeople for media relations efforts

The Awareness & Outreach Work Group has also identified topics and dates for a series of multi-company webinars. The next step will be booking speakers. The topics and dates are as follows:

  • Assessing and Managing Cybersecurity Risk: Part 1 (May 20): This dynamic, interactive panel discussion will focus on the rapidly changing cybersecurity risks facing companies, including non-OT focused attacks. Speakers from the ISA Global Cybersecurity Alliance will use recent headlines and case studies to illustrate challenges that every asset owner should be monitoring, along with standards-based mitigation strategies. Global experts will share powerful, user-friendly technical advice that users can implement in the field, helping you to understand what you should be worried about vs. what you can be assured of in the complicated world of automation cybersecurity. At its most fundamental level this is what cybersecurity is all about – cyber-related risk identification and management. Everything we do in the cybersecurity space relates back to this statement. Helping users to understand the moving parts in assessing cyber-risk is the first step in any cybersecurity strategy.
  • Assessing and Managing Cybersecurity Risk: Part 2 (August 12): Managing cyber-risks is a constantly evolving topic, with a steady stream of new tools, new techniques, and new terminologies. Building on Part 1 in the series, this in-depth webinar will cover a practical, tested, proven methodology for managing risk in your operations based on the ISA/IEC 62443 series of standards. Expert speakers from the ISA Global Cybersecurity Alliance will cover critical topics, including the basics of cyber-risk management, and the logic of cybersecurity workflows and responsibilities. The team will share details about how to cascade risk, based on the 3-2 standard, which defines risk assessment and risk-related strategies for OT cybersecurity environments. We’ll translate these requirements into practical tips about how to have meaningful discussions about critical cybersecurity topics with your vendors and suppliers, how to organize your cybersecurity risk strategies in your organization, risk transference via cybersecurity insurance, and more.
  • Security Strategies: Detailed Pros and Cons to Different Approaches (November 11): This practical webinar features insights and experiences from ISA Global Cybersecurity Alliance experts to help you understand and evaluate various cybersecurity approaches. The topics and real-world “million-dollar lessons” covered include:
    --   Zero Trust Access, including challenges with implementing this strategy in OT settings, and how it can be done effectively to bring the biggest benefits to your security posture
    --   Secure Remote Access, including examples of how COVID has forced employees, contractors, and vendors to operate remotely and the cybersecurity challenges that have resulted; we’ll look at the proper architectures to securely operate in a remote environment
    --   Secure Data Sharing (for OT networks), showing how your shared data is being used to make critical decisions that impact operations, and sharing basic guidelines and best practices for ensuring data authenticity, integrity, and privacy
    --   Multiparty Access Management, including tips on how to effectively manage identities from multiple organizations, create policies around them, and enforce zero-trust granular access
    --   Vulnerability Patch and Mitigation Management, including high-level guidance for suppliers, end users, integrators, service providers, et al., to resolve issues and challenges in updating OT devices

Other content development projects underway include three whitepapers addressing various aspects of the ISA/IEC 62443 series of standards and their applicability across industries.


Advocacy & Adoption Work Group

The ISAGCA Advocacy & Adoption Work Group plans to create a heat map showing government relations (GR) activities occurring globally (including at various levels of government), as well as competency efforts required by various countries and regions.

Other updates include:

  • New York GR team is working on draft legislation wording, which will be shared with government stakeholders
    --   Reviewed New Jersey cybersecurity legislation and is making updates to include 62443; will work with government representatives
  • Florida GR team has identified key stakeholders
    --   Reviewing Florida cybersecurity legislation focused on government operations and making updates to include 62443
    --   Lobbyist engaged the legislative coordinator to let him know we will be proposing changes
  • Europe GR is focused on the EU and has identified key stakeholders who can help promote changes to include 62443
    --   Lobbyists are not typically used in the EU; members will lead EU advocacy without lobbyists
    --   The EU appears further along in adopting 62443
    --   Currently working with some key (new) members in the EU to modify the strategy to focus on monitoring their progress, by assigning a member to each EU group and providing resources to help them
  • APAC GR identified Malaysia and Singapore as the initial focus, which likely will not include a lobbyist
    --   Also interested in staying aware of cybersecurity advocacy opportunities in: China (not an initial focus), Japan, India, Vietnam, Sri Lanka, Australia, New Zealand


Training & Education Work Group

The ISAGCA Training & Education Work Group has named its new Member Champions. These T&E Champions will be guiding ISA/IEC 62443 training and workforce development activities for 2021. The first project has already launched – the micro-learning modules (overview below) will be coordinated with the ISAGCA Awareness & Outreach Work Group to ensure promotion. 

Introducing the 2021 T&E Champions

Shane Stailey is a Senior Industrial Control Systems Cybersecurity Professional with three decades of success in learning, teaching, broadening, and applying information across multiple business streams with a spectrum of technical variety. Shane specializes in combining creative thinking, outside-the-box analysis, and practitioner-level application to solve real-world problems. As a first-generation Master’s- and Doctoral-level educated professional, he is well aware of the value that can come from merging ‘pure work’, ‘consistent learning’, and ‘determined perseverance’, despite life’s adversities, to reach professional and personal goals and accomplishments.

Sean McBride is an Industrial Cybersecurity Engineering Technology Coordinator/Instructor. Within Idaho State University’s Energy Systems Technology Education Center (ESTEC), Sean McBride runs the nation’s only two-year, hands-on degree specializing in defending industrial facilities from cyber attacks and incidents. Sean joined ISU after leaving FireEye, where he developed the firm’s Industrial Control Systems (ICS) security business strategy. Sean’s professional accomplishments include pioneering work in threat and vulnerability intelligence, which evolved into the DHS ICS-CERT, and co-founding Critical Intelligence to focus on the unique intelligence needs of industrial entities. Over the past decade, Sean has written extensively for his customers, provided expert analysis for the popular press, and briefed the results of his work at leading professional conferences such as RSA and S4.

Glenn Merrell, CAP, is a senior industry consultant applying extensive SME experience in Industrial Control Systems (ICS), automation, safety, Critical Infrastructure Protection (CIP), and robotics. He is an ISA Certified Automation Professional with over 35 years of cross-sector, multi-discipline expertise in industrial control systems, possessing a wide expertise base in real-time control systems including but not limited to electrical, instrumentation, process, manufacturing, machine and factory automation, Safety Instrumented Systems (SIS), industrial networks, SCADA, IACS cyber security, and many others.

Glenn is an active standards committee member of many Critical Infrastructure Protection Sector professional groups, ISA5 (symbols & diagrams), ISA18 (signals and alarms), ISA84 (functional safety), ISA/IEC 99/62443 (industrial automation control systems security) and ISA101 (HMI); he also sits as an ICS Cyber Security professional and ICSJWG member on US Department of Homeland Security (DHS) US-CERT for Critical Infrastructure Partnership Advisory Council (CIPAC), Cross Sector, Workforce Development, Vendor, R&D and International workgroups.

Micro-Learning Modules (MLMs)

ISA Education is collaborating with a task group from the ISA99 WG10 Committee to create micro-learning modules (MLMs): short (5-10 minute), on-demand education modules about ISA/IEC 62443 topics. The initial goal is to produce 12 modules targeted toward executives and management to increase awareness of cybersecurity risks and issues. This team is also creating technical MLMs, of which 60-plus have been identified to date and are in various stages of development.

These modules can be arranged into Learning Maps to suggest a path through available materials tailored to a given audience. Currently, over a dozen Learning Maps have been drafted. The MLMs and Learning Maps have been integrated with an ISA tool (more to come) to track development and collect comments.

Perspectives from the Blog

ISAGCA’s blog features a wealth of insights from industry thought leaders, many of whom work for our member companies. To receive updates in your inbox each week, subscribe to the ISAGCA blog today.


The Connection Between Cybersecurity and Safety

John Cusimano, aeSolutions

The funny thing about human nature is that we tend to assume things are going to work—until they don’t.

The recent power crisis in Texas is a good reminder of that. Everyone assumes the power system is going to work—until it doesn’t. Who would have thought that a few days of weather in the teens would nearly collapse the power system in the state of Texas for days? It’s a little reminiscent of the Fukushima nuclear incident about 10 years ago. Who would have thought that a once-in-a-lifetime tsunami would cause a meltdown of a nuclear reactor on the coast of Japan behind a 19-foot-high seawall? There are plenty more examples.

The same phenomenon occurs with security and cybersecurity breaches. It is human nature to assume that people will follow the law, respect boundaries, and not harm others—until they don’t. In a world run by computers, it doesn’t take a lot of creativity to imagine what could happen if these computers stopped working—or worse, if they were tampered with to a degree that you could not trust the integrity of the data.

Read more on the ISAGCA blog.


Cybersecurity Risk Assessment According to ISA/IEC 62443-3-2

Patrick O’Brien, exida

As cybersecurity for industrial automation continues to evolve, it becomes increasingly important to fundamentally understand, evaluate, and manage cybersecurity risks. Recent attacks such as the one on the Oldsmar Water Treatment Facility further emphasize the need for cybersecurity risk management and demonstrate how cyber incidents have the potential to cause not just financial, but also significant safety and environmental consequences.

The objective of effective cybersecurity management should be to maintain the industrial automation system consistently with corporate risk criteria. In many organizations, ownership for industrial automation cybersecurity concerns falls to controls engineers or similar positions that may have limited time available to focus on security concerns, making it essential that cybersecurity risk is managed in a manner that is both time-efficient and effective.

Read more on the ISAGCA blog.

Call for Submissions:
Join the ISAGCA Speakers’ Bureau

We’re building a roster of cybersecurity experts who are interested in sharing their knowledge at vendor-agnostic conferences and events around the world. We invite ISAGCA member companies to submit their experts to work with us as we deliver the latest, standards-based, unbiased information about cybersecurity.

Are you known for your thought leadership in the industry—or would you like to be? We hope you’ll consider the personal benefits of joining the ISAGCA Speakers’ Bureau in alignment with your own cybersecurity expertise.

Benefits

  • Personally raise awareness about critical cybersecurity issues
  • Elevate your profile in the industry and showcase your expertise on a global scale
  • Be recognized as a speaker before and after events in social and promotional channels
  • Engage conference audiences and program committees, building your reputation as a conference speaker
  • Maximize your time investment on the speaking circuit, representing your organization as well as ISAGCA
  • Build new inroads into adjacent areas of expertise, opening opportunities for other speaking engagements, content features, and so on
  • ISAGCA staff are on hand to assist you with presentation materials, logistics, and communication with event representatives
  • Sign-up is simple, with flexible options

To indicate your interest in the ISAGCA Speakers’ Bureau, fill out our form.

We Rely on Our Members

A selection of our members as of March 2021:

PAS
Xage Security
Wallix
Bayshore
senhasegura (Supporting Member)
Radiflow
exida
Munio Security
Tripwire
INL - Idaho National Laboratory
Deloitte
TDI ConsoleWorks
Eaton
Petronas
Surge Engineering
KPMG
UL
Idaho State University
Johns Manville
Red Trident