The non-profit International Society of Automation (ISA) announced this week that Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks have all become the founding members of the Global Cybersecurity Alliance (GSA) to advance adoption of an ANSI/ISA 62443 series of automation and control systems cybersecurity standards developed by ISA.
The ANSI/ISA 62443 standards define requirements and processes for implementing electronically secure automation and industrial control systems and best security practices and assessing electronic security performance. That standard has already been adopted by the International Electrotechnical Commission (IEC 62443) and endorsed by the United Nations.ISA is inviting all interested parties to participate in the GSA initiative to transform industrial cybersecurity into a full-blown engineering discipline. Click To Tweet
Andre Ristaino, managing director for ISA, says the goal is to transform cybersecurity in industrial environments away from the witchcraft and art that is relied on today into a full-blown engineering discipline. Founded in 1945, ISA is bringing together manufacturers of industrial control systems that normally fight tooth and nail to drive a collective response to cybersecurity attacks that increasingly target critical infrastructure. As part of this ambitious effort, ISA is inviting all interested parties to participate in the GSA initiative, says Ristaino.
ISA will also work with members of the GSA to distribute best practices via The Automation Federation, a wholly-owned subsidiary of ISA that works closely with the ISA Security Compliance Institute and the ISA Wireless Compliance Institute. ISA also publishes Automation.com. In total, ISA claims to have more than 40,000 members participating in its various programs and initiatives.
Ever since it was discovered in 2010 that a Stuxnet WORM created by U.S. and Israeli intelligence agencies was able to cripple programmable logic controllers, the security of industrial control systems has been a major concern. Earlier this year Kaspersky Lab issued a report noting that in 2018 there were 61 vulnerabilities identified in industrial and IIoT/IoT systems, with only 29 of these vulnerabilities closed in 2018. Nearly half the vulnerabilities identified (46%) could lead to remote execution of arbitrary code on the target system or a denial-of-service (DoS) condition. A significant number of the vulnerabilities (21%) could also enable an attacker to bypass the authentication protocols that have been put in place on those systems.
The GSA is hardly the only organization focusing on cybersecurity for industrial control systems. For example, there have been more than three million downloads of a Guide to Industrial Control Systems Security published by the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce.Many of the ICS in place today have been running for 10+ yrs. Given the mission-critical nature of the systems, including those on the electric grid, those legacy systems are a danger to us all. Click To Tweet
Increased awareness of the cybersecurity issues affecting industrial control systems is, of course, welcome. As more of these systems are connected to the Internet as part of a larger Internet of Things (IoT) trend, many organizations are just now discovering how vulnerable these systems really are. Undoubtedly, many of the manufacturers of these systems are hoping customers will upgrade to the more secure industrial control systems they are finally starting to make available. Many of the industrial control systems in place today have been running for a decade or more. Given the mission-critical nature of the systems, including one attached to the electric grid, many of those legacy industrial control systems represent a clear and present danger to us all.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.