Though its governing board was formed only in this year’s first quarter, the ISA Security Compliance Institute (ISCI) is moving quickly down the path toward producing its first specification for cyber security compliance testing of industrial automation control products.
The group, an industry consortium affiliated with the Instrumentation, Systems and Automation Society (ISA), expects to produce a first draft of an embedded controller security assurance specification by the end of 2008, said Andre Ristaino, managing director of the ISA Automation Standards Compliance Institute. “And by the first quarter of 2009, we think it’s possible that we could be doing compliance testing,” Ristaino added.
Ristaino made his comments during a meeting sponsored by ISCI and the ISA SP99 committee during the Process Control Systems Industry Conference Aug. 26-28 in La Jolla, Calif.
More secure
Unlike the SP99 committee, which is developing an industrial automation and control system security standard, ISCI is defining a security test specification for control systems products. The intent is to provide the automation industry with security conformance testing that can be integrated into the product development lifecycle of control products, resulting in products that will be intrinsically more secure. “We’re not going to be able to address everything, but at least there will be some known baseline, as a starting point,” Ristaino said. This will help eliminate costs for end-users, who today must validate and verify the security characteristics of each vendor’s products individually, he explained.
Control systems that achieve compliance under the tests will receive the ISASecure designation. “If you fast-forward to a couple of years from now, when users and operators are specifying products as part of their engineering process, there may be a check box for whether a product is on the ISASecure list,” Ristaino commented. “That will be a requirement for integrating certain devices into engineering products,” he predicted.
Spec donations
Two security testing companies—Mu Dynamics, of Sunnyvale, Calif., and Wurldtech Security Technologies Inc., of Vancouver, British Columbia, Canada—have committed to donating test specifications to the ISCI. These will provide the basis for the first version of the ISASecure designation, Ristaino said.
ISCI的战略创始成员包括BP,雪佛龙和埃克森美孚公司的最终用户公司以及控制系统供应商 - Honeywell,Invensys Process Systems,Siemens和Yokogawa。每家公司都承诺每年为ISCI努力提供两年的资金。