ISA Executive Director and CEO Patrick Gouhin presents at US government Cybersecurity Framework workshop
at US government Cybersecurity Framework workshop
ISA leader advocates two-part approach to industrial cybersecurity
Research Triangle Park, North Carolina, USA (15 November 2013) – Protecting industry and critical infrastructure from cyberattack requires the implementation of comprehensive industrial automation and control systems (IACS) cybersecurity standards as well as the use of IACS components that have been certified to conform to these standards, said Patrick Gouhin, Executive Director and CEO of the International Society of Automation (ISA), at a US government cybersecurity meeting held earlier today in Raleigh, North Carolina, USA.
“In addition to having industry-consensus IACS cybersecurity standards in place, asset owners need to utilize IACS product suppliers and components that have been tested and certified to be cybersecure,” emphasized Gouhin, speaking at a workshop sponsored by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce.
The workshop, the fifth in a series, was conducted at the Hunt Library on the Centennial Campus of North Carolina State University and attracted more than 400 attendees. The gathering drew leading cybersecurity experts across America and the world—as well as other key stakeholders in industry, academia, and government—to weigh in on the merits of a national Cybersecurity Framework called for by US President Barack Obama.
The purpose of the workshop was to elicit further stakeholder input on the preliminary draft of the Cybersecurity Framework, consider any changes to the draft, and to discuss strategies for the plan’s implementation.
Among the topics covered at the workshop included:
- Considerations for small- and medium-size businesses
- How to use the framework
- Voluntary critical infrastructure cybersecurity program
- Research and development
- Framework ecosystem development
- Privacy and civil liberties
At NIST’s request, both ISA and its sister organization, the Automation Federation, have served as advisors to the US government in the development of the Cybersecurity Framework draft and have actively participated in all workshops. The Automation Federation, in fact, played a key role in organizing yesterday’s workshop.
Through the work of the ISA Committee on Security for Industrial Automation & Control Systems (ISA99), ISA has developed the ANSI/ISA99, Industrial Automation and Control Systems Security standards (known internationally as ISA/IEC 62443).
Developed by a cross-section of international cybersecurity subject-matter experts from industry, government and academia, the series of ISA/IEC 62443 standards apply to all key industry sectors and critical infrastructure, and, as a result, provide the flexibility to address and mitigate current and future vulnerabilities in IACS.
Gouhin today warned that a cyberattack on industrial automation and control systems—commonly used in transportation grids, power plants, water treatment facilities, and other industrial settings—could have potentially devastating results that include:
- endangerment of public or employee safety
- environmental damage
- erosion of public confidence
- violation of regulatory requirements
- loss of proprietary or confidential information
- economic loss
- weakened entity, local, state, or national security
“Implementing widespread cybersecurity standards is essential because many industrial production settings and infrastructure environments throughout the world are inadequately prepared for cyberwarfare,” Gouhin said. “The other piece is ensuring that industrial automation suppliers and supplier practices and products are cybersecure as well.”
The ISA Security Compliance Institute (ISCI), an affiliate of ISA, has developed a widely recognized compliance and testing program called ISASecure™ that ensures that industrial automation and control devices and equipment conform to the ISA/IEC 62443 cybersecurity standards.
“The combination of the ISA/IEC 62443 industrial automation and control systems standards and ISASecure certification provide a critical, two-fold layer of cybersecurity,” Gouhin asserts. “In addition to implementing vital IACS cybersecurity standards, asset owners would know that the IACS products and components they purchase are capable of defending against network attacks and are free from security vulnerabilities.”
For more information about the ISA/IEC 62443 IACS cybersecurity standards, contact:
- Eric Cosman, ISA99 Committee Co-Chair at eric.cosman@gmail.com
- Jim Gilsinn, ISA99 Committee Co-Chair at jimgilsinn@gmail.com
- Charley Robinson, ISA staff, at crobinson@isa.org
For general inquiries about ISA/IEC 62443 cybersecurity standards, send an email to isa99chair@gmail.com.
For more information about ISCI and the ISASecure™ designation, contact:
Andre Ristaino, ISCI Managing Director, at aristaino@isa.org
About ISA
Founded in 1945, the International Society of Automation (www.isa.org) is a leading, global, nonprofit organization that is setting the standard for automation by helping over 30,000 worldwide members and other professionals solve difficult technical problems, while enhancing their leadership and personal career capabilities. Based in Research Triangle Park, North Carolina, ISA develops standards; certifies industry professionals; provides education and training; publishes books and technical articles; and hosts conferences and exhibitions for automation professionals. ISA is the founding sponsor of The Automation Federation (www.automationfederation.org).
About the Automation Federation
The Automation Federation is a global umbrella organization of sixteen (16) member organizations and five working groups engaged in automation activities. The Automation Federation enables its members to more effectively fulfill their missions, advance the science and engineering of automation technologies and applications, and develop the workforce needed to capitalize on the benefits of automation. The Automation Federation is the “Voice of Automation.” For more information about the Automation Federation, visit www.automationfederation.org.
About the ISA Security Compliance Institute
Founded in 2007, the ISA Security Compliance Institute’s mission is to provide the highest level of assurance possible for the cyber security of industrial automation control systems.
The Institute was established by thought leaders from major organizations in the industrial automation controls community seeking to improve the cyber security posture of Critical Infrastructure for generations to come. Founding Members include Chevron, ExxonMobil Research and Engineering, Honeywell, Invensys, Siemens, and Yokogawa. Key Technical Members include exida, IPA-Japan, CSSC, Codenomicon and, RTP Corp.
The Institute’s goals are realized through industry standards compliance programs, education, technical support, and improvements in suppliers’ development processes and users’ life cycle management practices. The Institute’s ISASecure™ designation ensures that industrial automation control products conform to industry consensus cyber security standards, providing confidence to users of ISASecure products and systems and creating product differentiation for suppliers conforming to the ISASecure specification. www.isasecure.org.
ISASecure® is a registered trademark of the Automation Standards Compliance Institute.