MAY-JUN 2018

INTECH MAY/JUNE 2018, AUTOMATION IT

with the ID changed, the sensor will no longer be able to communicate with the programmable logic controller or distributed control system. There may be an alert, but it may be too late to prevent a catastrophic failure. This is not just loss of view and loss of control, but a loss of safety.

Because the cybersecurity of Level 0,1 devices is not being addressed elsewhere, the ISA99, Industrial Automation and Control Systems Security committee has established a new task group to identify if Level 0,1 devices are adequately addressed in the existing IEC 62443 series of standards, particularly IEC 62443-4-2, Technical Security Requirements for IACS Components. After review of the document, it is clear that the existing IEC 62443 standards, and also Institute of Electrical and Electronics Engineers (IEEE) power industry standards, do not address the unique issues associated with Level 0,1 devices. Additionally, the definition of Level 0,1 needs to be reassessed in light of modern communication and instrumentation technologies.

Do Level 0,1 cybersecurity considerations affect other ISA standards in addition to ISA99?

Yes, the considerations affect ISA18, Instrument Signals and Alarms; ISA50, Signal Compatibility of Electrical Instruments; ISA67, Nuclear Power Plant Standards; ISA77, Fossil Power Plant Standards; ISA75, Control Valve Standards; ISA84, Process Safety Standards; ISA-88, Batch Control; ISA95, Enterprise-Control Integration; ISA100, Wireless; ISA108, Intelligent Device Management; and ISA112, SCADA Systems.

Do Level 0,1 cybersecurity considerations affect other standards organizations?

Yes, including standards from the IEEE, the International Electrotechnical Commission (IEC), the American Society of Mechanical Engineers (ASME), and the American Institute of Chemical Engineers (AIChE), to name a few.

Is there coordination and cooperation between ISA and these other organizations?

To date, informal at best, though there is outreach.

Can Level 0,1 devices be compromised?

Yes. As there are currently no cyber-forensics at this level, it is generally not possible to determine if a problem is a sensor or actuator mechanical/electrical problem, a process anomaly, or a cyberattack. And, there have been many sensor-related cybersecurity catastrophic failures to date.

ABOUT THE AUTHOR

Bill Lydon is chief editor of InTech. Lydon has been active in manufacturing automation for more than 25 years. He started his career as a designer of computer-based machine tool controls; in other positions, he applied programmable logic controllers and process control technology. In addition to experience at various large companies, he cofounded and was president of a venture-capital-funded industrial automation software company.

About Joe Weiss

Joe Weiss, PE, is a voting member and managing director of the ISA99, Industrial Automation and Control Systems Security committee and managing partner at Applied Control Solutions, LLC, which provides thought leadership to industry and government in control system cybersecurity and optimized control system performance. He has more than 40 years of industrial instrumentation controls and automation experience, coupled with over 18 years in industrial control systems cybersecurity. He has provided support to domestic and international utilities and other industrial companies, prepared white papers on actual control system cyberincidents supporting NIST SP 800-53, and supported the NRC on the regulatory guide for nuclear plant cybersecurity. Weiss co-authored a chapter on cybersecurity for Electric Power Substations Engineering (first and second editions) and a chapter in Securing Water and Wastewater Systems. He wrote the book, Protecting Industrial Control Systems from Electronic Threats and was featured in Richard Clarke and R.P. Eddy's book, Warnings – Finding Cassandras to Prevent Catastrophes. He has prepared two modules for the IEEE Education Society and is a U.S. expert to IEC TC65 WG10 and IEC TC45A.

RESOURCES

ISA99 committee

The ISA99 standards development committee brings together industrial cybersecurity experts from across the globe to develop ISA standards on industrial automation and control systems security. This original and ongoing ISA99 work is being used by the International Electrotechnical Commission in producing the multistandard IEC 62443 series.

ISA Security Compliance Institute (ISCI)

ISCI is an operational group within ISA's Automation Standards Compliance Institute. ASCI bylaws share the open constructs of ISA, while accounting for compliance organization requirements. Operating the ISA Security Compliance Institute within ASCI allows the organization to efficiently leverage the organizational infrastructure of ASCI. ISA provides professional management services to ASCI.
