Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


The Adoption of ISA/IEC 62443 as a Malaysian Standard

The Journey

On 12 November 2020, PETRONAS became a founding member of the International Society of Automation's (ISA) Global Cybersecurity Alliance (ISAGCA). By February 2021, we started joining ISAGCA Government Relations – Asia Pacific meetings, where I first met Andre Ristaino, Managing Director of ISAGCA. We learned that ISAGCA aspires to designate and reference the ISA/IEC 62443 standard in a country’s law and regulatory policy. So, for Malaysia, we started our efforts to support that.

In March 2021, we contacted the Malaysian National Cyber Security Agency (NACSA), the national lead agency for cybersecurity matters. However, we did not get any reply. We then contacted the Malaysian Communications and Multimedia Commission (MCMC), who later invited us to present to them on 7 April 2021. We invited Andre Ristaino, and he helped us detail the background of ISA/IEC 62443 and the intentions of ISAGCA to MCMC.

Midway through the meeting, MCMC explained to us that they are only a regulator for the converging communications and multimedia industry in Malaysia, meaning that matters pertaining to designating or referencing an international standard in Malaysia are not under their jurisdiction. MCMC suggested to us that we approach the Department of Standards Malaysia (DSM).

Approaching the Department of Standards Malaysia (DSM)

On 13 April 2021, we wrote to the Assistant Director of DSM. The Assistant Director replied three days later that there was already a working group on industrial networks related to the scope of ISA/IEC standards that we proposed. On 21 June 2021, DSM invited us to present our proposal to the Chairman of the Working Group (WG) on Industrial Networks (WG/S/0-5; BIL. 1/2021) on advocating the adoption of ISA/IEC 62443 into Malaysian standards. By 14 September 2021, the DSM agreed on our proposal to adopt ISA/IEC 62443 as Malaysian Standard (MS) ISA/IEC 62443, only for a select few standards that were not due for revision soon. Those that made the cut were ISA/IEC 62443-3-2, ISA/IEC 62443-4-1, and ISA/IEC 62443-4-2.

DSM requested us to form two Malaysian WG review committees to identify any major changes needed to customize the standards to meet Malaysian needs, one WG for ISA/IEC 62443-4-1 (led by Azmi Hashim) and the other for ISA/IEC 62443-3-2 and ISA/IEC 62443-4-2 (led by Michael Ng Chien Han, an ISA Malaysia Section member, and a PETRONAS staff member).

Our WG review committees comprised representatives from energy players (namely, PETRONAS and Tenaga Nasional Berhad), vendors and system integrators (namely, Endress+Hauser Sdn. Bhd., and Abbaco Controls Sdn. Bhd.), special interest groups (namely, The Electrical and Electronics Association of Malaysia [TEEAM], and The Institution of Engineers, Malaysia [IEM]), academic institutions (namely, Universiti Teknologi PETRONAS, the University of Malaya, and Universiti Putra Malaysia), accounting firms (KPMG), and DSM as secretariat.

We successfully reached consensus within the committee to adopt the three international standards as they were without any major changes. The MS would be identical to the corresponding ISA/IEC 62443 standards. However, for the purpose of MS, the following minor applications were necessary:

  1. in the source text, the phrase “this International Standard” was replaced with “this Malaysian Standard,”
  2. any comma used as a decimal sign (if any) was replaced with a point or period, and
  3. only the English version, not the French version, is retained in the Malaysian Standard.

At the time of this writing, the three documents are currently undergoing public comment from 15 August 2022 to 14 October 2022.

Fig 1: Draft of the Malaysian Standards (DMS) ISA/IEC 62443 were made available for public comment

Challenges

First, in promoting the adoption of a particular international standard as an MS, we did not approach the correct department the first time. We spent a few months figuring that out.

Secondly, there was a long interval from one milestone to another, typically a few months in between. It was very likely that the government agencies had internal stage gates that did not make the process any faster.

Lastly, we were new to DSM, yet they requested us to lead a Malaysian WG review committee comprised of more veteran members. It was during the height of COVID, so we couldn’t meet those members physically. We couldn’t establish any initial face-to-face bonding, so we felt a bit at a disadvantage leading the committee. Fortunately, the WG members all acted professionally, cooperated very well, were timely, and even offered help connecting us with more members.

Fig 2: Malaysian Standards (MS) development process from the MS Development Process - JSM Portal

The Journey Ahead

The adoption of ISA/IEC 62443 in its entirety is a continuous process.

ISA/IEC 61508 and ISA/IEC 61511 were adopted in 2010 as MS ISA/IEC 61508 and MS ISA/IEC 61508. By adopting these international standards as MS, small and medium enterprise (SME) industries in Malaysia are able to buy and access the standards at subsidized and therefore affordable prices. With full access and therefore conformance to the MS ISA/IEC 62443 standards, SMEs can improve their cybersecurity maturity. This will help Malaysia achieve cybersecurity resilience, thus protecting against cyber-attacks. Foreign investors will have more confidence to invest in Malaysia and thus boost our economy further. The vision to ultimately improve Malaysian society’s quality of life and achieve global competitiveness for Malaysian products and services can therefore be achieved. We look forward to adopting the other remaining standards next.


About the Authors

Azmi Bin Hashim, Board Member, ISA Malaysia Section

Azmi Bin Hashim has been Principal Engineer, Instrument and Control (I&C), in Group Technical Solutions (GTS), Petroliam Nasional Berhad (PETRONAS) since 2012. Previously he spent 17 years in the Malaysian Refining Company Sdn Bhd as an Electrical and Instrument Project Engineer and later as a Staff Engineer, I&C. During his tenure, he led turnaround works for I&C field devices, served as a group-wide line trainer and reviewer of company technical standards, and facilitated Instrumented Protective Function & Alarm Rationalization studies. Azmi currently leads Operational Technology (OT) Cybersecurity governance across all PETRONAS sites and oversees deployment of OT cybersecurity solutions at all production sites. Azmi gained his Bachelor of Science in Electrical Engineering from Cornell University. He holds Expert certification in ISA/IEC 62443 Cybersecurity.

Sharul A. Rashid, President, ISA Malaysia Section

Sharul A. Rashid is the PETRONAS Group Technical Authority and Custodian Engineer, Instrument and Control. He is co-chair of the Certification Work Group (CWG) of the Open Process Automation Forum (OPAF). He is also the Steering Committee (SC) member for JIP33 (IOGP, International Oil & Gas Producer), the Vice-Chair of ISAGCA (International Society of Automation - Global Cybersecurity Alliance), and the Vice-Chair of the IASSC (Instrument Automation Standards Subcommittee) for IOGP. Additionally, he is the voting member for ISA-75 and NSC 19 / TC 15 for Smart Manufacturing. He is also the Team Leader for the Smart City project for PETRONAS. Sharul has more than 30 years of experience in handling instrumentation and control issues in oil & gas, gas liquefaction, and petrochemical plants, including pipeline transmission networks. Sharul advises on instrumentation and control issues not only within his Group Technical Solution but also for plants PETRONAS-wide. He is involved as an instrumentation expert in many key PETRONAS projects, e.g., Kerteh Compressor Station, Peninsular Gas Utilization metering stations, MLNG Satu Rejuvenation, and MLNG Dua Debottlenecking.
