"The nicest thing about standards is that there are so many of them to choose from."
- Ken Olsen, founder of Digital Equipment Corp., 1977
"Laws are like sausages. It is better not to see them being made."
- Otto von Bismarck
These observations sum up the popular view of standards-making. It is a complex, sometimes unpleasant process that takes entirely too long and often doesn't achieve the hoped-for goal—not exactly the description you would use to convince people of the value of the standards process, or to encourage them to contribute.
I offer a somewhat different perspective, based on my experience with the ISA99 committee on Industrial Automation and Control Systems Security.
The ISA99 committee currently has over 500 members, organized into several work and task groups. Each of these groups is focused on a particular area, with specific objectives and assigned work products.
While the majority of the registered committee members could be characterized as "lurkers" who have presumably joined in order to monitor developments in this area, there is a core group of dedicated volunteers who have given generously of their time to identify and develop several concepts that are slowly but surely making their way into common practice.
Committee Work Products
Since its inception in 2002, this committee has produced several standards and technical reports, with several others in various stages of development. The name of this series was originally ISA-99, as in "the ISA-99 standards," but more recently they are being rebranded using the nomenclature "ISA-62443" as a means of emphasizing the alignment with the corresponding work products from IEC with the assigned number "IEC 62443."
An overview of the committee work plan is shown in Figure 1.
This plan calls for the development of at least 11 separate work products (i.e., standards or technical reports) that collectively address the subject of IACS security. While the majority of these will be produced by the ISA99 committee, there is also provision for inclusion of work products sponsored by IEC Technical Committee 65, Working Group 10.
These work products are in turn organized into four tiers.
Documents in the first tier (ISA-62443.01.xx) address general subjects that establish the basis of the series. They include the first standard in the series, originally completed in 2007, as well as a master glossary and a description of common metrics. The other two are currently in development and may in fact not be released until all other documents are completed.
Documents in the second tier (ISA-62443.02.xx) address various aspects of how to define and operate an effective security program for industrial control systems. Although program definition and operation are currently addressed in separate work products, the direction is to consolidate these into a single standard.
Finally, the documents in tiers three and four delve into the requirements that must be met at both the overall system level and the component level in order for a control system to be considered secure. Of these, the ISA-62443.03.03 standard has recently been approved by the committee and is being revised for publication. The corresponding IEC 62443 version has also been approved.
A detailed description of each of the work products is beyond the scope of this article, but more information is available on the committee web site, including copies of the current working drafts of each document.
There are several fundamental concepts that collectively form the basis for the ISA-62443 series.
The first of these is a set of Foundational Requirements that in turn is the starting point for more detailed requirements in the remaining documents in the series. They include:
- Identification and authentication control
- Use control
- Data integrity
- Data confidentiality
- Restricted data flow
- Timely response to events
- Resource availability.
Each of these is described in more detail in ISA-62443.01.01.
The concept that perhaps has gained the broadest acceptance is the practice of network segmentation, described in the standards as the definition of zones and conduits. Briefly, this concept involves the logical division of a complex control system into a series of zones, each with a specific set of security-related characteristics. These zones are interconnected via logical pathways called conduits. This approach follows the well-established principle of dividing a large problem into smaller pieces in order to address the stated requirements. Introduced in ISA-62443.01.01, the application of this concept is explored in much more detail in a companion standard (ISA-62443.03.02) that is devoted to the subject. Each of these standards is currently under revision or development. The zones and conduits concept is illustrated in the example shown in Figure 2.
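As an added illustration of the zones-and-conduits concept (example code written for this article, not a work product of the ISA99 committee or the standard itself), the following Python model groups assets into zones, defines conduits between pairs of zones, and audits a list of observed flows for traffic that crosses a zone boundary without a defined conduit. The zone names, asset names, protocols and flow records are all constructed sample values, not taken from Figure 2.

```python
# Added illustration of zones and conduits (not code from ISA-62443 or the ISA99 committee):
# a small model that checks observed flows against a zone/conduit definition.
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    assets: frozenset   # hostnames grouped into this zone (constructed sample values)

@dataclass(frozen=True)
class Conduit:
    name: str
    zones: frozenset     # the two zone names this conduit connects
    protocols: frozenset # protocols permitted to traverse the conduit

class ZoneConduitModel:
    def __init__(self, zones, conduits):
        self._zone_of = {a: z.name for z in zones for a in z.assets}
        self._conduits = {c.zones: c for c in conduits}  # keyed by unordered zone pair

    def check_flow(self, src, dst, proto):
        """Return (allowed, reason) for one observed src -> dst flow."""
        zs, zd = self._zone_of.get(src), self._zone_of.get(dst)
        if zs is None or zd is None:
            return False, "asset not assigned to any zone"
        if zs == zd:
            return True, f"intra-zone traffic within {zs}"
        conduit = self._conduits.get(frozenset({zs, zd}))
        if conduit is None:
            return False, f"no conduit defined between {zs} and {zd}"
        if proto not in conduit.protocols:
            return False, f"{proto} not permitted on conduit {conduit.name}"
        return True, f"permitted via conduit {conduit.name}"

# Constructed sample: three zones joined by two conduits (an assumed layout, not Figure 2).
MODEL = ZoneConduitModel(
    zones=[Zone("enterprise", frozenset({"erp01"})),
           Zone("dmz", frozenset({"historian"})),
           Zone("control", frozenset({"plc1", "hmi1"}))],
    conduits=[Conduit("ent-dmz", frozenset({"enterprise", "dmz"}), frozenset({"https"})),
              Conduit("dmz-ctrl", frozenset({"dmz", "control"}), frozenset({"opc-ua"}))],
)

# Constructed sample flows, as a defender might extract them from flow logs.
SAMPLE_FLOWS = [("plc1", "hmi1", "modbus"), ("historian", "plc1", "opc-ua"),
                ("erp01", "plc1", "https"), ("erp01", "historian", "ssh"),
                ("laptop7", "plc1", "ssh")]

def audit(model, flows):
    """Return the flows that violate the zone/conduit model, each with its reason."""
    return [(s, d, p, r) for s, d, p in flows
            for ok, r in [model.check_flow(s, d, p)] if not ok]

if __name__ == "__main__":
    for violation in audit(MODEL, SAMPLE_FLOWS):
        print("VIOLATION", violation)
```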