The ISA-62443 series of standards, being developed by the ISA99 committee of the International Society of Automation (ISA) and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future vulnerabilities in industrial automation and control systems (IACS).

A newly published standard in the series, ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels, addresses risks arising from the growing use of business information technology (IT) cyber security solutions to address IACS cyber security in complex and dangerous manufacturing and processing applications.

IACS security goals typically focus on control system availability, plant protection, plant operations, and time-critical system response. IT security goals, in contrast, often focus more on protecting information than physical assets. For this reason, use of IT cyber security solutions to address IACS security must be implemented knowledgably to prevent unintended vulnerabilities that could lead to potentially disastrous health, safety, environmental, financial, and/or reputational impacts in deployed control systems.

The new ISA99 standard addresses this concern with an approach to defining system requirements that is based on a combination of functional requirements and risk assessment, and an awareness of operational issues. The standard provides detailed technical control system requirements associated with seven foundational requirements described in the groundbreaking first ISA99 standard, ISA‑62443‑1‑1 (99.01.01), including defining the requirements for control system capability security levels. Those responsible for IACS cyber security will use these requirements in developing the appropriate control system target security levels for specific assets.

“This standard provides highly relevant and practical direction to asset owners, system integrators and suppliers by describing the major system-level technical requirements for a secure IACS,” stated ISA99 Co-Chair Eric C. Cosman of the Dow Chemical Company. “It serves as a cornerstone in the ISA-62443/IEC 62443 series, complementing other standards including ISA-62443-2-1, which addresses the processes and procedures needed for security.”

The ISA99 committee drew on the input and knowledge of IACS security experts from across the globe in developing the standard. Unlike programs targeted at a single industry, ISA99 is applicable to all industry sectors and critical infrastructure in recognition of the interrelated nature of industrial computer networks in which cyber vulnerabilities exploited in one sector can impact multiple sectors and infrastructure.

“The new standard represents a collaborative effort of experts from multiple industries around the world,” stated the ISA99 task group leader for the project, Jeff Potter of Emerson Process Management. “Our intensive series of revise-and-review cycles has resulted in a rigorously reviewed standard reflecting the best current thinking in control systems security. Our joint work with IEC experts provides users with further assurance that this is a truly global standard that can be used to design, build, operate and regulate with full confidence in its longevity and cross-national applicability.”

The exida Cybersecurity Scorecard Program™ is an independent evaluation of the cybersecurity capabilities and robustness of a product or system. The evaluation criteria is based upon industry standards and specifications such as ISA/IEC 62443 (formerly ISA 99), NERC CIP, NIST 800-82 and WIB. Cybersecurity Scorecard is not pass/fail. Rather, it is straightforward evaluation and reporting of the facts – analogous to a CarFax® report. It can serve as an indication of readiness of a product for certifications such as ISASecure™ or Achilles™.

A Cybersecurity Scorecard offers a quick and inexpensive solution for companies that want or need to know the security posture of their products.

• Provides product management with an independent evaluation of their device or system’s security
• Identifies security vulnerabilities in devices or systems before “the bad guys do”
• Aides developers in identifying and remediating security bugs
• Provides documented third-party appraisal that can be shared with prospective customers
• Quick and inexpensive – most devices can be assessed in less than a week and for less than $10,000
• Allows suppliers to evaluate the feasibility of full security certification without the risk

Learn More about the program here

exida, the global leader in functional safety certification for the process industries, has certified Moore Industries’ SSX and SST Safety Series isolator and splitter for functional safety, ensuring that they meet the functional safety requirements for Safety Integrity Level (SIL) 2 capability per IEC 61508:2010.

“Moore Industries continues their commitment to the functional safety market with another certification,” said Dr. William Goble, exida Principal Engineer. “They have published a good FMEDA report and safety manual and have an excellent development process.”

“We are confident using exida as our functional safety certification body as they offer in-depth technical expertise,” said Tina Lockhart, Director of Engineering at Moore Industries-International, Inc. “Their policies regarding change control are tough but practical.”

Moore Industries’ new SSX and SST Safety Series isolators and splitters provide reliable isolation and signal conversion for critical loops in Safety Instrumented Systems (SIS). These units also pass critical HART® data that may be needed by safety logic solvers or other auxiliary monitoring and asset management systems. Part of Moore Industries’ FS FUNCTIONAL SAFETY SERIES, the two-wire (loop powered) SSX and four-wire (line/mains powered) SST joins products from Moore Industries such as the STA Safety Trip Alarm and the SRM Safety Relay Module that have also been developed following the strict IEC 61508:2010 standards for safety-related applications.

More information on Moore Industries’ FS FUNCTIONAL SAFETY SERIES can be found at http://www.miinet.com/safetyseries/.

Rockwell Automation today announced an initiative to help manufacturers reduce security risks to control systems in response to growing cyber-security threats. The initiative will help automation and IT professionals more effectively secure their industrial processes with a combination of control system design and best practices, contemporary technologies and professional services from Rockwell Automation and its strategic partnerships, including Cisco.

“The rapidly evolving nature of the industrial security landscape makes it critical that today’s manufacturers view security as an ongoing business imperative, rather than a one-time investment event,” said Sujeet Chand, senior vice president and chief technology officer, Rockwell Automation. “A more secure network infrastructure will allow manufacturers to deploy contemporary technologies and emerging solutions, like mobility, virtualization and cloud computing, while still performing mission-critical automation functions. Rockwell Automation is dedicated to providing the technologies and resources that will help facilitate the design and management of a secure connected enterprise.”

Three-pronged Rockwell Automation initiative is designed to achieve a secure connected enterprise through the following:

Defense-in-Depth Methodology: Addressing both internal and external threats by forming multiple layers of defense which help mitigate various types of risks. The Rockwell Automation defense-in-depth approach employed in an industrial control system design and operation helps manufacturers by establishing processes and policies that identify and contain evolving threats in industrial systems.

Secure Automation Architecture: The industrial control system represents the heart of production, and the security of information used for control, configuration and monitoring is critical. Rockwell Automation is committed to providing an evolving set of products and services that help to reduce risks, and better protect and enhance the security of your production assets. From active consulting engagements to specific product offerings, such as managed switches, secure communications, user authentication and access control, and end-point capabilities for tamper proofing and tamper evidence, Rockwell Automation is continuing to make investments to bring security practices and products to its customers.

Enterprise-Ready Industrial Security Solutions: By teaming with Cisco and other industry leaders in physical network designs and software applications, Rockwell Automation is addressing both IT and industrial automation security challenges. Leveraging open-standard technology, Rockwell Automation and Cisco are helping manufacturers build a unified, secure environment from the enterprise to the end device on the plant floor. Together, the companies advocate for a common network architecture approach that helps decrease inconsistencies in network protocols, security practices and training. In the future, Rockwell Automation and Cisco will offer guidance on topics, such as resilient network design, access control, contextual identity management and protection of assets, through a portfolio of jointly developed industrial products and industrial control system security resources.

“Rockwell Automation and Cisco are leading the way in helping manufacturers recognize that information security spans from the plant floor through the enterprise,” said Guido Jouret, vice president and general manager of the Internet of Things business unit for Cisco. “It’s important to take what we’ve learned in the IT space and educate manufactures on the business value associated with taking a consistent and seamless approach to security. Together we’re delivering expertise and solutions to help secure their important physical and intellectual assets in a world with dynamic security threats.”

The industrial security initiative from Rockwell Automation is based on a multilayer network design approach that combines resiliency in the infrastructure with security-enabled, end-point devices to help manufacturers establish a sustainable security culture, conduct comprehensive security assessments, and deploy a robust security infrastructure across both automation and industrial IT assets. Core to the initiative is implementation of a secure network infrastructure based on the use of the standard Internet Protocol (IP).

For more information on best practices for security and defense strategies, download the Rockwell Automation and Cisco white paper on design considerations for securing industrial automation networks.