There’s clearly a sense of combativeness building on the part of cyber security leaders, teams, and organizations worldwide. Weary of seeing cyber criminals and other bad actors break into networks and systems seemingly at will to steal sensitive data, they are taking steps to bolster the overall effectiveness of security programs.
One of the latest such endeavors is a new Global Cybersecurity Alliance launched by the International Society of Automation (ISA), developer of the ANSI/ISA 62443 series of automation and control systems cyber security standards adopted by the International Electrotechnical Commission and endorsed by the United Nations.
“Cyber security threats and vulnerabilities are clear and present dangers to our facilities, our processes, and the safety of our communities,” ISA said in announcing the initiative. “In today’s connected world, every digital device is a potential vulnerability point.”
Recent attacks on safety systems in multiple industries have proven that threat actors have the ability and motivation to cause significant physical damage and put lives at risk, the organization said.
Governments around the world are becoming increasingly concerned about the impact of cyber security vulnerabilities, ISA said, especially when it comes to critical infrastructure applications. Regulatory activity is underway, and experienced technical experts need to weigh in on how those regulations are crafted and implemented, it said. “We can't approach this unilaterally; we can only approach it together,” ISA said.
The society said the alliance will be an open, collaborative forum to advance cyber security awareness, readiness, and knowledge sharing. It will bring together a global group of stakeholders, including end-user companies, control system vendors, IT and operational technology infrastructure providers, system integrators, and others.
A variety of industrial sectors such as manufacturing, commercial real estate, and critical infrastructure providers need to explore new ways to better prevent, mitigate, and respond to catastrophic threats and attacks on their critical assets, operations, and applications, the group said.
“Several leading automation and other technology providers have engaged ISA to explore how they can work with us to proactively increase awareness and adoption of cyber security best practices, standards, and compliance in all relevant sectors,” said Mary Ramsey, ISA executive director. “As an independent, non-profit organization dedicated to improving operational excellence, ISA is uniquely able to fulfill the need for open, collaborative discussions and knowledge sharing.”
Among its defined goals, the Global Cybersecurity Alliance will work to “proliferate adoption of and compliance with global standards.” The acceleration and expansion of standards will help address technology-related gaps in cyber security and set best practices for managing processes within an open architecture, the organization said.
The alliance will also create certification and education programs for industry professionals; drive advocacy and thought leadership; and facilitate new levels of knowledge sharing among its membership. Member companies will identify and prioritize initiatives, to ensure that the alliance’s approach is multi-faceted.
The cyber security threat landscape is becoming more complex, with more direct attacks on IT, control systems, and operational technology infrastructure, noted Larry O’Brien, vice president of research at research and advisory firm ARC Advisory Group.
“Frequently backed by hostile nation-states, malevolent actors are becoming more sophisticated at targeting specific aspects of industrial control systems that have the potential to wreak havoc in the physical world, such as process safety systems,” O’Brien said. “Standards and frameworks are valuable, but end users also need the resources to take the guidance provided by standards and put it into practice in real-world plant” and operational technology environments.
ISA emphasized that there needs to a concerted, comprehensive effort to fight back against bad actors. “We are at a crossroads in our fight against cyber security vulnerabilities and attacks,” it said. “It’s no longer enough to assess risk and adjust our internal processes behind closed doors. It’s time to bring your expertise to the table.”
The 62443 series of standards is a consensus-based cyber security model for automation and control system applications. The standards codify many years of operational technology and Internet of Things (IoT) security subject matter expertise.
They define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices. “The series approaches the cyber security challenge in a holistic way,” bridging the gap between operations and IT, and between process safety and cyber security, ISA said.
Founding members of the alliance will establish priorities, ISA said, but initiatives will include expanding the development and use of industry standards, creating education and certification programs, and advocating for cyber security awareness and sensible approaches with world governments and regulatory bodies.