The International Society of Automation (ISA), in partnership with the ISA Security Compliance Institute (ISCI), recently launched a conformity-assessment scheme for automation systems deployed at operating sites, which they describe as “a long overdue addition to OT cybersecurity compliance.” Here we chat with Andre Ristaino, managing director of ISA Consortia and Conformity Assessment Programs, to learn about this new OT cybersecurity site-assessment scheme and its applications to a wide spectrum of automation and control systems. Take a look…
Smart Industry: What does this assessment scheme accomplish?
Andre: The assessment scheme completes the certification coverage of the shared responsibility by stakeholders for securing automation that affects our everyday lives. ISASecure already offers ISA/IEC 62443 certifications for commercial off-the-shelf automation products and systems offered by the vendors. The site assessment addresses the automation systems that are already installed at operating sites, updates to existing systems and new systems deployed at operating sites. All stakeholders benefit, including:
Asset owners: Will have visibility into their operating sites’ security posture for their existing automation systems; have an objective, consistent benchmark to determine their standing with their peers in their industry.
Insurance underwriters: Will benefit from assessments that provide objective ISA/IEC 62443 standards-based metrics for inclusion in their underwriting risk and actuarial models for industrial environments.
Product suppliers and service providers: Will gain clarity and transparency from the standards regarding their cybersecurity role in providing automation products, integration services, maintenance services, and operation-support services; provides structure to service level agreements (SLAs).
Certification and assessment organizations: Will benefit from increased demand in services due to the attractiveness of a global consensus OT-assessment scheme based on trusted international ISA/IEC 62443 standards.
Government, legislators and regulatory authorities: Will have an ISA/IEC 62443 standards-based cybersecurity metric that can be used as a reference in policy language for incentives and mandates for securing critical infrastructure.
Smart Industry: What most excites you about this news from ISA?
Andre: We have focused upon suppliers and products up to this point. This new assessment scheme will provide direct benefits to the asset owners (operating sites). We did a survey of adoption of the ISA/IEC 62443 standards and learned that the adoption rate for asset owners/operators significantly lagged the adoption rate of vendors. This is one of the ISA programs to make the ISA/IEC 62443 standards user-friendly and readily adoptable. We are in discussions with security-software vendors to create efficient assessment tools for the assessment specification. The same software tools can be used by the asset owners for institutionalizing the assessments in their internal quality programs for continuous improvement at operating sites.
The site-assessment program includes training and certification of assessors who will conduct the assessments and credentialing of the assessment companies.
Smart Industry: What industries do you foresee most benefiting from this assessment scheme?
Andre: Our starting point will be process manufacturing, such as O&G, chemicals, food & pharma. It will be readily adoptable by the water and wastewater sector.
While the site assessment can be adapted for the electric sector, that sector is already covered by the NERC-CIP standards for site operations. However, it could be applied to the smaller electric operators who are not regulated.
We have an agreement with another nonprofit to apply the same standards to smart buildings/smart cities, and have been working on the specifications for the past two years. That assessment will likely launch around the same time as the ISASecure manufacturing-site assessment. We plan to collaborate with additional industry sectors to develop derivative assessments that work for their stakeholders.
