ISA Director: Oil & Gas facilities must take action now to protect against cyberattack

  • February 20, 2017

February 20, 2017 -- Patrick J. Gouhin, Executive Director and CEO of the International Society of Automation (ISA), speaking at a Bloomberg LIVE conference in Houston, Texas on the future of cybersecurity in the US oil and gas sector, urged energy executives to take action now to protect their facilities and operations from cyberattack.

“Given the increasing number of cyberattacks on oil and gas facilities, the importance of these facilities to the economy and national security, and the fact that there are effective cybersecurity standards for the energy industry available today, the time to act is now—not years in the future,” emphasized Gouhin, before an audience of approximately 100 senior technology executives and government officials.

Gouhin participated in a panel session that examined: the need for solutions that can both prevent a cyberattack from occurring and mitigate the damage if one does occur; and the future of cybersecurity strategies and defenses in the oil and gas industry given the absence of mandated standards and regulations. 

Gouhin pointed to ISA’s series of industrial automation and control system (IACS) security standards—adopted internationally as ISA/IEC 62443—as a flexible framework for preventing and limiting potentially devastating cyber damage to the industrial systems and networks used in oil and gas facilities and other critical infrastructure.

Developed by leading international cybersecurity experts from industry, government and academia, ISA/IEC 62443 addresses industrial cybersecurity vulnerabilities across all key industry sectors and is regarded as the world’s only consensus-based series of IACS security standards.

IACS, such as supervisory control and data acquisition systems (SCADA), are relied upon to monitor and control the operation of industrial machinery and associated devices. Because most IACS are not designed to ensure resilience against cyberwarfare, an IACS cyberattack can impair and disable safe operations of industrial facilities. The consequences—which can include plant shutdowns, widespread power blackouts, explosions, chemical leaks and more—can place national and economic security as well as lives, personal safety and the environment at risk.

ISA/IEC 62443 enables owners and operators of critical infrastructure to achieve and maintain IACS security improvements through a lifecycle that integrates design, implementation, monitoring and continuous improvement.

ISA’s expertise in industrial cybersecurity standards has been honed through experience. Gouhin pointed out that ISA has been developing industry standards for more than 67 years, with 150 different standards in its portfolio, representing the knowledge of more than 4,000 industry experts worldwide.

He explained that while the US does not legally require implementation of industrial cybersecurity standards and best practices, the government has developed a voluntary plan to follow. The plan, known as the US Cybersecurity Framework, serves as a how-to guide for American industry and operators and owners of critical infrastructure to strengthen their cyber defenses.

Representatives of both ISA and its affiliate, the Automation Federation, served as expert consultants to the National Institute of Standards and Technology (NIST)—an agency of the US Department of Commerce—as it coordinated the development of the framework. The ISA/IEC 62443 series of IACS security standards are key components of the framework recommendations, which were made public in early 2014.

ISA’s leadership in industrial cybersecurity also prompted the US Army National Guard to select ISA as an industry partner. Last year, ISA provided control systems security training at the National Guard’s Cyber Shield 2016 exercise at Camp Atterbury, Indiana. More than 900 soldiers, airmen, Marines, sailors and civilians representing 47 states and territories participated at the event to assess their skills in responding to cyber-incidents on the National Guard computer network.

Furthermore, the Automation Federation is the host organization for the LOGIIC (Linking Oil and Gas Industry to Improve Cybersecurity) Program, an ongoing collaboration of major oil and natural gas companies and the US Department of Homeland Security, Science and Technology Directorate. LOGIIC undertakes collaborative research and development projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector.

ISA has leveraged ISA/IEC 62443 to develop industrial cybersecurity training courses, certificate programs and conformance certification

ISA has harnessed the ISA/IEC 62443 standards to develop a comprehensive set of industrial cybersecurity training courses and aligned certificate programs—covering the complete lifecycle of IACS assessment, design, implementation, operations and maintenance.

ISA’s suite of industrial cybersecurity courses include:

ISA cybersecurity certificate programs are awarded to those who successfully complete the requirements of ISA’s related cybersecurity courses. Individuals who complete all four ISA certificate programs earn the designation of ISA/IEC 62443 Cybersecurity Expert. For more details on the four certificate programs and their aligned courses, visit www.isa.org/CYBERcertificate.

In addition, ISA has developed a certification program—ISASecure—that ensures that control systems conform to relevant ISA/IEC 62443 cybersecurity standards and apply to the security lifecycle concept that forms the basis of the standards.

Asset owners and integrators that include the ISASecure designation as a procurement requirement for control systems projects have confidence that the selected products are robust against network attacks and free from known vulnerabilities.

About ISA

The International Society of Automation is a nonprofit professional association that sets the standard for those who apply engineering and technology to improve the management, safety, and cybersecurity of modern automation and control systems used across industry and critical infrastructure. Founded in 1945, ISA develops widely used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world.

ISA owns Automation.com, a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation, an association of non-profit organizations serving as “The Voice of Automation.” Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute and the ISA Wireless Compliance Institute.
