Developing Control System Security Standards

Are There Several Standards in the Area of Control Systems Security?

By Eric C. Cosman


 The third fundamental concept is that of security levels. This concept is being developed and refined by the committee and will be described in detail in ISA-62443.01.01 and ISA-62443.03.02. Security levels are similar and complementary to the safety integrity level (SIL) concept that is described in standards such as ANSI/ISA-84.00.01-1996. Four separate types of security levels have been identified, corresponding to the desired or target level, the planned level for a particular system, the achieved level and the level of capability.

Security levels become an important attribute in an IACS zone once the zone boundaries and conduits have been defined. The levels are assessed over the lifecycle of the design.

This security level lifecycle is the fourth fundamental concept of the ISA-62443 series. A zone is assigned a target security level during the Assess phase of the security lifecycle. Countermeasures are implemented during the Implement phase to meet the target security level for the zone.

The achieved security level for a zone depends on various factors. To ensure that the achieved level is equal to or better than the target level for the zone at all times, the countermeasures are audited, tested and upgraded, if necessary, during the Maintain phase of the security lifecycle.

A much more detailed description of security levels and their determination will appear in the next edition of ISA-62443.01.01.

These Fundamental Concepts are an important element of the entire ISA-62443 series of standards. These and many other topics are more fully developed in other standards in the series.

The work of the committee takes place in meetings of the various work and task groups, the vast majority of which are conducted in the form of teleconferences. This allows for maximum flexibility and minimum cost for participation. Face-to-face meetings are conducted as required to address major issues and review and revise committee plans.


Let's go back to the perspectives offered at the beginning of this article. Are there several standards in the area of control systems security? Definitely, but at least in the context of the ISA99 effort, this complicated topic has been broken into smaller parts, each to be addressed by one or more standards in a series. Moreover, additional related topics are included through liaison relationships with organizations such as IEC.

Are the processes for standards development complicated? Perhaps, but they have been well-defined and are being applied in a manner that encourages, if not requires, broad and open participation in order to achieve the desired results. Furthermore, the individual members do not have to understand the myriad procedural details in order to make a meaningful contribution.

Finally, does the process take too long? Possibly, but the true value of the concepts developed in this process can be harvested long before the final standards are completed or published. Participation in or even just monitoring the work of the committee is an excellent way to track developments and apply these concepts now.

More detailed information about the structure, operation and work products of the ISA99 committee can be found at the Wiki site
