Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

In Conversation with Authors of ISAGCA White Paper on Zero Trust and ISA/IEC 62443

The ISA Global Cybersecurity Alliance (ISAGCA) recently published a white paper exploring the application of zero trust in operational technology (OT) and the significance of the ISA/IEC 62443 series of standards — the world’s leading consensus-based standards for control systems cybersecurity — in achieving a robust zero trust framework. 

Titled Zero Trust Outcomes Using ISA/IEC 62443 Standards, this white paper was authored by highly regarded industry experts, three of whom also held a webinar on 24 October 2024 to continue the conversation:

  • Danielle Jablanski, ICS Cybersecurity Strategist, Cybersecurity and Infrastructure Security Agency (CISA)
  • Andy Kling, VP Cybersecurity, Schneider Electric
  • Bob Pingel, OT Cybersecurity Strategist, Rockwell Automation

We asked the speakers for their insights into the creation of the white paper as well as the shifting definitions and adoption strategies around zero trust in OT. Anyone  interested in a brief, high-level introduction to a few topics covered in the webinar may refer to this recent blog post. A full recording of the webinar is also available here.

Note: The following responses have been lightly edited to conform to editorial guidelines.

Danielle Jablanski on the Effort Behind the White Paper

"The effort behind this white paper was to help professionals across automation and OT industries think through key responsibilities and decision points in considering where and how to implement zero trust priorities across their security programs and policies. This was the driver for the sections being outlined as 'cost/benefit considerations' where mission, criticality, infrastructure, tools and reliability are all considered in the reasoning, implementation and management of security controls and procedures. There is no one-size-fits-all or commercial off-the-shelf deployment of 'zero trust,' and we hope that the five steps to applying zero trust written in the paper will help asset owners to scope their implementations in a useful and pragmatic way."

Bob Pingel on Expectations for the Future of the Zero Trust Approach in OT

"The world of OT security is changing rapidly. Regulations in many geographies demand the adoption of security and, in some cases, specifically zero trust. This greater adoption will drive innovation and smooth out some of the speed bumps to success we see today. Of those speed bumps, one of the the biggest is production downtime in brownfield environments due to remediation and control deployment. Innovative security solutions will allow bumpless deployment with near-zero downtime, resulting in dramatically shorter time to value."

Danielle Jablanski on Zero Trust Implementation

"As I mentioned in the webinar, one key takeaway from developing a zero trust implementation is the ability to construct multiple levels of validation for users, systems and access across your networks. This type of strategic implementation provides organizations with the potential to identify or irradicate malicious actors/activities before lateral movement and privilege escalation, leading to a reduction in dwell time for threat actors and a reduction in the potential severity of cyber incidents. While that is a shared goal of many tools and capabilities in the security domain, it must also be extended across environments and networks in a more strategic effort than many point solutions in cybersecurity may offer."

Andy Kling on the Value Proposition for Zero Trust in OT

The following remarks were made in response to an audience question from the webinar.

"Zero trust brings a base philosophy that allows you to start to organize your cyber strategy. You can say, 'We're going to start from not trusting anything, and from there, we're going to build up our cyber strategy.'"

Cyber Strategies Are Improving

Citing statistics released by Mandiant the week of 22 October 2024, the speakers asserted that cybersecurity postures are strengthening. In 2018, the average time to execute on CVEs disclosed was estimated to be about 63 days. By 2023, however, the average time to execute on known vulnerabilities had fallen to just five days. 

Continue the Conversation

The speakers emphasized that they welcome feedback, and they are interested in continuing the conversation around zero trust in OT. To learn more about the speakers' thoughts and recommendations around zero trust in OT, listen to the full webinar recording and download the ISAGCA whitepaper they helped to author.

Kara Phelps
Kara Phelps
Kara Phelps is the communications and public relations manager for ISA.

Related Posts

What Does the Future of Zero Trust in OT Look Like?

Zero trust principles have established themselves in the mindshare of cybersecurity practitioners worldwi...
Jacob Chapman Dec 20, 2024 7:00:00 AM

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis

The Utilities Technology Council and Cumulys recently prepared a report in partnership with the ISA Globa...
Kara Phelps Dec 13, 2024 7:00:00 AM

Securing PLCs Through the Backplane: Balancing Performance and Simplicity

With the increasing convergence of operational technology (OT) and information technology (IT), the need ...
Ashraf Sainudeen Dec 6, 2024 7:00:00 AM