Though its governing board was formed only in this year’s first quarter, the ISA Security Compliance Institute (ISCI) is moving quickly down the path toward producing its first specification for cyber security compliance testing of industrial automation control products.
The group, an industry consortium affiliated with the Instrumentation, Systems and Automation Society (ISA), expects to produce a first draft of an embedded controller security assurance specification by the end of 2008, said Andre Ristaino, managing director of the ISA Automation Standards Compliance Institute. “And by the first quarter of 2009, we think it’s possible that we could be doing compliance testing,” Ristaino added.
Ristaino made his comments at a meeting sponsored by ISCI and the ISA SP99 committee, held during the Process Control Systems Industry Conference Aug. 26-28 in La Jolla, Calif.
More secure
Unlike the SP99 committee, which is developing an industrial automation and control system security standard, ISCI is defining a security test specification for control systems products. The intent is to provide the automation industry with security conformance testing that can be integrated into the product development lifecycle of control products, resulting in products that will be intrinsically more secure. “We’re not going to be able to address everything, but at least there will be some known baseline, as a starting point,” Ristaino said. This will help eliminate costs for end-users, who today must validate and verify the security characteristics of each vendor’s products individually, he explained.
Control systems that achieve compliance under the tests will receive the ISASecure designation. “If you fast-forward to a couple of years from now, when users and operators are specifying products as part of their engineering process, there may be a check box for whether a product is on the ISASecure list,” Ristaino commented. “That will be a requirement for integrating certain devices into engineering products,” he predicted.
Spec donations
Two security testing companies—Mu Dynamics, of Sunnyvale, Calif., and Wurldtech Security Technologies Inc., of Vancouver, British Columbia, Canada—have committed to donating test specifications to the ISCI. These will provide the basis for the first version of the ISASecure designation, Ristaino said.
Strategic Founding Members of the ISCI include both end-user companies—BP, Chevron and ExxonMobil—and control system vendors—Honeywell, Invensys Process Systems, Siemens and Yokogawa. Each company has committed to provide two years of funding at $50,000 per year to the ISCI effort.