The Cybersecurity Advocate
ISAGCA January-February 2022 Updates
The Cybersecurity Advocate is the newsletter published by the ISA Global Cybersecurity Alliance (ISAGCA). ISAGCA is a collaborative forum of member companies that aim to advance cybersecurity awareness, education, readiness, and knowledge sharing industry-wide, on a global scale. The alliance’s objectives include expanding the development and use of the ISA/IEC 62443 series of standards, knowledge-sharing in an open environment, providing best practice tools to help companies secure their infrastructure, creating education and certification programs, and advocating for cybersecurity awareness and sensible approaches with world governments and regulatory bodies.
- Megan Samford, ISAGCA Chair, talked about 2021 ISAGCA goals and how we exceeded them
- She also talked about ISAGCA 2022 goals:
- Making 62443 a horizontal standard is a priority for 2022; we hope to also work on 62443 template documents for specific industrial sectors, like creating a template with building standards
- Everyone wants to see 62443 as a horizontal standard, including DHS and other governments globally
- ISAGCA needs volunteers to help work on our 2022 goals so we can be successful
- ISAGCA needs to operationalize the connections between ISAGCA and the ISA chapters, IEC, and other organizations
- Sharul Rashid, ISAGCA Vice-Chair, added that ISA/IEC 62443 is being accepted in Asian countries and he will be meeting with more countries in the region to promote referencing ISA/IEC 62443 in laws and regulations

Megan Samford
ISAGCA Advisory Board Chairman
Megan Samford is the Vice President and Chief Product Security Officer for Energy Management at Schneider Electric. She is responsible for driving the product security strategy and programs for Schneider Electric's Energy Management business with a focus on industrial control systems security, critical infrastructure protection, and risk analysis.
Sharul Rashid
ISAGCA Advisory Board Vice-Chairman
Sharul A. Rashid is the PETRONAS Group Technical Authority and Custodian Engineer, Instrument and Control. He is co-chair of the Certification Work Group (CWG) of the Open Process Automation Forum (OPAF), Steering Committee (SC) member for JIP33 of IOGP (International Oil & Gas Producers), and Vice-Chair of the IASSC (Instrument Automation Standards Subcommittee) for IOGP.
Andre Ristaino
ISAGCA Managing Director
Andre Ristaino is the Managing Director, Global Consortia, Conformity Assessment at the International Society of Automation. His scope of responsibilities includes ISAGCA, ISASecure, LOGIIC, and ICS4ICS. Andre has extensive experience developing and managing programs that promote the development and deployment of cybersecurity capabilities for numerous industries.
- Recently published blogs:
- January 4th, 2022: “LOGIIC Endorses ISA Industrial Control Systems Cybersecurity Training”
- Please participate in the ICS Knowledge Survey to gather data on OT knowledge needed for ICS Cybersecurity here (open until March 1st)
- We are developing an “ISASecure for Product Suppliers and Assessors” course

- Recently published blogs:
- December 28th, 2021: “Automation Systems Cybersecurity: From Standards to Practices”
- December 21st, 2021: “Cybersecurity Preparedness Depends on Procedures and Infrastructure”
- December 14th, 2021: “Recent Activity in Dragos Tracked Activity Groups”
- The ISAGCA Cross Reference Team is working on mapping ISO 27001/27002 requirements and controls to 62443-2-1 Security Program Elements (SPEs), and the mapping is ready for review by the full ISAGCA team and the ISA99 Committee. The Cross Reference Team completed its review of the 62443-3-3 mapping to the NIST CSF in NIST OLIR (Online Informative Reference) format, and the document is being prepared for ISA99 and NIST review. Team members have proposed further projects, such as mapping 62443 to NERC CIP and to the IIoT catalog of requirements and/or federal profile in NIST SP 800-213A.
- Completed ISCI and ISAGCA Joint IIoT Study on component-level certification: isa.org/iiotstudy
- The ISAGCA IIoT Team is now working on a system-level study to analyze the cloud provider role in comparison to existing ISA/IEC 62443 roles and to enumerate the types of possible IIoT certifications and the corresponding 62443 standards. The team is working through comments. One more chapter remains, which will discuss potential enhancements to ISA/IEC 62443 for IIoT system certifications.

You are welcome to participate for free in standards development activities by joining the ISA99 Committee. Visit the ISA99 LinkedIn Group to learn more about these efforts. Email isa99chair@gmail.com to become a member, ask standards-related questions, or make comments. These are the current ISA99 Committee efforts:
- 1-1 Concepts and Models revision updates are out for public comment
- 2-1 Security for Asset Owners revision was submitted for public comment
- 2-2 Principal Roles for Security Program Ratings revision is out for public comment
- 2-3 Patch Management Program conversion from TR (Technical Report) to Standard is being prepared for IEC review
- 2-4 Security Requirements for Service Providers is being worked on with IEC TC65 WG10 to incorporate comments for the next revision
- 3-1 Security Technologies for IACS will be updated by the revised WG01 (Work Group 1) committee
- 3-3 Security Levels is being revised
- IEC has assigned tasks to committees to assess how they will update their vertical standards to include ISA/IEC 62443 now that it is an IEC horizontal standard
- An Electrical Substation sector profile will be created with the relevant ISA/IEC 62443 standards; the team will engage DOE CESER (existing standard IEC 61850, TC57) and work with IEC on the internationalization of this effort

- Recently published blogs:
- November 30th, 2021: “Cybersecurity Investment Tax Credits”
- The U.S. Public Policy position paper describes how ISA/IEC 62443 can be used to achieve the goals of U.S. Executive Order 14028, issued on May 12, 2021.
- The U.S. Public Policy webpage provides information about how ISA/IEC 62443 can be used in the U.S. to help protect the nation's critical infrastructure.
- Briefing Video (4-minute version)
- Briefing Video (8-minute version)
- NY State Senate Bill S7312 (nysenate.gov) submitted to:
- Require Asset Owners / Operators to include ISA/IEC 62443 standards into their procurement processes when constructing or modifying IACS, and ensure compliance with these standards
- Require Asset Owners / Operators to operate their IACS using ISA/IEC 62443 standards
- Florida Senate Bill 828 (2022) and House Bill 1147 (2022) (flsenate.gov) submitted to:
- Require Government Operators to reference ISA/IEC 62443 standards as part of their procurement processes to construct or modify IACS, and ensure compliance with these standards
- The USA Federal Advocacy Team was recently formed to promote references to ISA/IEC 62443 in these sectors:
- Energy Sector: Work with DOE CESER on their efforts to expand Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program
- Oil & Gas Sector: Provide input to the TSA and engage with influential stakeholders in the Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) and the Cybersecurity & Infrastructure Security Agency (CISA)
- SICI (Systemically Important Critical Infrastructure): Provide industry and public feedback on the SICI bill once it is shared or introduced
- Water & Wastewater Sector: Meet with key stakeholders in the Water & Wastewater sector to help ensure 62443 is either referenced as one of the foundational standards, or considered the foundational standard, on which sector-specific guidance will be built
- NIST Cyber Security Framework (CSF): Contribute to the NIST CSF revision to include additional references to new ISA/IEC 62443 standards created since the first version of the NIST CSF
- Europe efforts have focused on having the IEC standards working groups reference IEC 62443 to address cybersecurity requirements for IACS; IEC recently designated IEC 62443 as a Horizontal Standard.
- Asia-Pacific focus has resulted in IEC 62443 being referenced in laws and regulations:
- Singapore law (2018) referenced IEC 62443
- India standards reference IEC 62443
- We have engaged the Indian Power Sector to determine if ISAGCA can help them further expand the use of IEC 62443 in their sector
- We obtained an agreement with Malaysian government parties to reference specific IEC 62443 standards
- We will use these efforts in Malaysia as a model for engaging other Asia-Pacific countries
ISAGCA will soon create a Europe webpage and a separate Global webpage to assist people in those regions in advocating for the inclusion of ISA/IEC 62443 in laws, regulations, and other international standards.
- ICS4ICS webpage
- ICS4ICS Overview Training Modules
- ICS4ICS first free exercise will occur at S4, April 18, 2022:
- Register for the exercise
- A video of the exercise will be distributed by May 1, 2022
- ICS4ICS Call for Volunteers

We welcome you to learn more about ISAGCA and to become a member. These links provide more information:

Subscribe to the ISA Cybersecurity & Connectivity Email List
Subscribe to the ISA Global Cybersecurity Alliance Blog
The ISA Global Cybersecurity Alliance blog, Building a Resilient World: Practical Automation Cybersecurity, features perspectives and advice from cybersecurity experts. It covers topics like digital transformation, the relationship between cybersecurity and safety, how standards are being leveraged globally, and how cybersecurity topics impact our world.
