The International Society of Automation (ISA), along with the ISA Security Compliance Institute (ISCI), has announced its intention to create an all-new conformity assessment scheme for automation systems deployed at operating sites—a critical and long overdue addition to the landscape of operational technology (OT) cybersecurity solutions.
Based on the world’s only consensus-based automation and control systems cybersecurity standards—ISA/IEC 62443—the OT cybersecurity site assessment scheme will apply to all types of automation and control systems in industries ranging from traditional process industries to critical infrastructure such as oil and gas, chemicals, and water/wastewater.
Suppliers have broadly adopted the leading international standard for OT cybersecurity, ISA/IEC 62443, as well as its certification scheme, ISASecure, for commercial off-the-shelf (COTS) automation and control system products and suppliers’ security development practices. ISASecure recently released an IIoT component and gateway certification program (ICSA) to remain current with new technology advances. However, asset owners and plant managers have yet to coalesce around a single cybersecurity assessment scheme for OT deployed at operating sites, relying instead upon a patchwork of third-party specifications that may not promote industrial control system (ICS) security best practices, leaving operating sites vulnerable.
“The proposed site assessment scheme will have a critical role in the OT cybersecurity landscape—the automation systems at the operating site itself,” said Brandon Price, ExxonMobil Senior Principal Engineer for ICS Cybersecurity and current ISCI Board Chairman. “This standards-based program is unique, and we anticipate it will become the global standard used by operating sites, certification bodies, internal auditors, and public policy makers.”
The program will encourage the broad industry adoption of the ISA/IEC 62443 operating site cybersecurity standards and best practices. ISA and ISCI plans include building and overseeing a related training and credentialing program for site assessors. ISA and other training organizations already offer training for the ISA/IEC 62443 operating site standards.
“We are inviting companies who are interested in supporting and promoting this program to participate, particularly end-users whose support is critical to this program’s success. Supporters may participate in specification development, provide funding, or simply provide public support,” said Andre Ristaino, Managing Director of ISA Consortia and Conformity Assessment Programs.
“We anticipate a development schedule of 12-14 months and expect to formally launch the program in Q4 2023 or early 2024,” said Ristaino.