At this moment, we as a society are witnessing how crucial supply chains, manufacturing, and critical infrastructure are to the smooth running of modern civilization. The global pandemic crystallizes the importance of critical infrastructure to everyday citizens, who, in the past, may have taken for granted what it takes to keep consumer goods hitting store shelves or ample medical equipment humming in hospitals. But those of us who work in the industrial world have long understood the role our critical infrastructure plays in maintaining civil health and safety, both in times of crisis and in calm.
This is why the International Society of Automation (ISA) has taken such a keen interest in helping all of us stakeholders in industrial control systems to improve the state of our cybersecurity for operational technology (OT). Cybersecurity awareness and readiness plays a vital role in the sustainability and resilience of critical infrastructure environments. Last year, ISA started the ISA Global Security Alliance (ISAGCA), intending to raise the bar on OT cybersecurity.
With the help of founding member companies from across the industrial control systems ecosystem, including vendors, end-users, systems integrators, solution providers, and cybersecurity companies like the one I work for (Dragos), ISAGCA is making OT cybersecurity progress on many important fronts. This post is the start of a blog series on the major topics the ISAGCA has undertaken in 2020. The next post will address the traditional information technology (IT) person’s perspective as they are immersed into an OT environment. Finally, we will cover the objectives of IT and OT cybersecurity. We will discuss where they intersect, tools they might use, what collaboration looks like, and most importantly, what IT/OT convergence really means.
Here's how the ISA Global Cybersecurity Alliance plans to make a difference in 2020 and beyond:
With a roster of more than 30 multinational industrial-technical providers and other key stakeholders, ISAGCA has established itself as a facilitator for important industry-wide collaboration and a conduit for communication focused solely on OT cybersecurity issues.
Developing and Revising Standards
As a leader in standards development for management and safety in modern automation and control systems, ISA has a lot of experience building consensus around best practices and more. In the run-up to the establishment of ISAGCA, ISA and the International Electrotechnical Commission (IEC) developed the ISA/IEC 62443 Series of Standards, which lays out requirements, procedures, and assessment practices for securing automation and industrial control systems. (Note: a "Quick Start Guide" to this series has been made available for download.) ISAGCA will help facilitate further refinement of standards like these and the development of others as the alliance identifies future needs.
The rich tapestry of expertise and resources that span across ISAGCA membership makes the group a hub for effective sharing of information and tools that can help all critical infrastructure stakeholders stay a step ahead of threats targeting the facilities, processes, communities, and industries they support. For example, Dragos will bring its years of cybersecurity expertise to the table to collaborate with ISAGCA members to develop tools for industrial asset owners to better manage their cybersecurity lifecycle. This is one of many initiatives on the horizon.
The core mission of ISAGCA is to build awareness and extend education on OT cybersecurity across the automation and industrial control ecosystem. The thought leaders across the alliance membership roster have been hard at work developing content and educational material to support our first Cybersecurity Standards Implementation Conference. Initially slated for May, we've had to postpone due to the coronavirus. In the meantime, we are exploring some virtual options to share some of the content with users as we go into the summer months. We'll keep everyone apprised of the situation, but rest assured this will be a great first offering to learn about important subjects, including resilient system design, risk assessment and prioritization, industry/organization change management, and more.
As we move ahead in 2020, consider looking here at the ISAGCA blog for more educational blogs to learn how to get started advancing OT cybersecurity. As we said previously, this is just the first blog in a series. Stay tuned for plenty of essential pointers in the months to come.