InTech

NOV-DEC 2017

Issue link: http://intechdigitalxp.isa.org/i/910561


This challenge mirrors the dilemma faced by the emergency response community in the early days of the domestic preparedness program, when fire, EMS, public health, and law enforcement agencies were rapidly being propelled into facing the threats and consequences of chemical, biological, radiological, nuclear, and other explosives. Getting a secure grasp on these new burdens required a new class of operational guidance and research resources, such as the lessons learned information system and the responder knowledge base, which maintained a current profile of best practices, successful demonstration projects, and available technologies and tools.

From our initial observations, consideration should be given to the development of an overarching operational portal that provides a cohesive, comprehensive resource to inform industry partners of available solutions, best practices, and pilot/demonstration project lessons learned to help their selection, acquisition, and implementation of enhancements for security and resilience. It must be a resource available to authorized users from equipment manufacturers, software developers, systems integrators, operators, and operations and maintenance service entities and be capable of meeting the needs of these disparate communities of interest.

Industry stakeholders have emphasized in various forums that voluntary critical infrastructure protection reliability standards for managing automation and supply chain security risk should explicitly advance the best available technology, but the community should not let compliance get in the way of innovation. Led by the early adopters, development of the aforementioned topology and the operational portal responds to this approach by aggregating the best solutions to accelerate conformance, compliance, and resilience within a competitive industry.
Central question

Organizations face the issues associated with battling hackers and malware potentially infecting—and affecting—

organization's systems, and then establish the appropriate standards for business partners to meet, develop contract language that binds partners to those standards, and audit/assess the implementation of those standards by business partners. Figure 1 highlights the challenge facing those who must implement an effective cybersecurity program for the automation subsector supply chain.

An abbreviated review of the recognized "certifying" organizations in terms of the currently available security tests, analysis methods, or evaluation tools offered has been performed. Figure 2 is a quick-look reference of the currently available cybersecurity-relevant assessment and compliance resources.

Based on an inspection of the first-order assessment of available tools, our preliminary gap analysis suggests that there are many important efforts that contribute to cybersecurity assessment and compliance, but there is no dominant course of action being pursued by the industry to leverage the available tools for assessment, compliance, and ongoing best practices to implement protective measures. Conspicuously absent is centralized coordinating leadership to unify effort and enable effective action.

ISASecure certification is highly relevant to the challenges of supply chain cybersecurity, because it demonstrates a product development life cycle that includes cybersecurity in all phases of the manufacture and integration, demonstrating an institutionalized commitment to securing industrial automation and control systems, not unlike the early impact that the ISO 9000 and 14000 series had on quality and environmental management best practices. The ISASecure model deserves attention and scale up as a principal tool in the larger scale automation system supply chain cybersecurity.

Regrettably, the good work of the organizations and programs identified in figure 2 is only the tip of the iceberg, with scores of ad hoc working groups, committees, and program-based advisory bodies contributing to the body of knowledge, often out of the view of the principal beneficiaries (the utilities, the manufacturers, and the systems and software developers who comprise their supply chain).

Figure 3. DarkNet for the electric grid
