ISAGCA Responds to NIST Call for Standards to Fulfill Executive Order 14028

Summary

International Society of Automation Global Cybersecurity Alliance (ISAGCA) filed comments in response to a virtual workshop hosted by the National Institute of Standards and Technology (NIST) on 2–3 June 2021. The purpose of the workshop was to enhance the security of the software supply chain and to fulfill President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued on May 12, 2021.

Among other things, section 4 of that executive order (EO) directs the U.S. Secretary of Commerce, through NIST, to consult with federal agencies, the private sector, academia, and other stakeholders in identifying standards, tools, best practices, and other guidelines to enhance software supply chain security. Those standards and guidelines will be used by other agencies to direct the federal government’s procurement of software. The workshop focused on assignments in section 4 of the EO.

The goals of the workshop were to: share NIST’s plans to develop software-related standards and guidelines called for by the executive order; and receive and discuss information and ideas about the approach and content NIST should consider in developing those standards and guidelines.

NIST requested position statements in five areas: 

1. Criteria for designating “critical software.” 

2. Initial list of secure software development life-cycle standards, best practices, and other guidelines acceptable for the development of software for purchase by the federal government.

3. Guidelines outlining security measures to be applied to the federal government’s use of critical software. 

4. Initial minimum requirements for testing software source code.

5. Guidelines for software integrity chains and provenance.

“ISAGCA member companies have a long history of adopting a standards-based approach for securing automation products and operating sites based on the ISA/IEC 62443 series of international cybersecurity standards. The scope of ISA/IEC 62443 standards applies to critical software in all phases of the automation solution life cycle,” said Andre Ristaino, managing director of ISAGCA. The NIST Cybersecurity Framework (CSF) includes several key standards as informative references. Table 1 shows where the ISA/IEC 62443 standards align with the NIST CSF requirements.

In its response to NIST, ISAGCA asked that several additions be considered, such as referencing selected parts of the ISA/IEC 62443 standard when defining “critical software to the executive order,” “product security development life-cycle requirements,” and “technical security requirements” for automation components as standards to secure software for operational technologies (OT).

ISAGCA justified the “critical software” request stating the standard proposes “to define commands and essential functions, including parameters and associated data that must be properly protected either by built-in technical capabilities (ISA/IEC 62443-4-2), integrated system capabilities (ISA/IEC 62443-3-3), and/or procedural/organizational capabilities.”

ISAGCA further requested that ISA/IEC 62443 4-1: Product Security Development Life-Cycle Requirements be referenced as a standard to secure the software development life cycle for OT.

To comply with NIST’s security measures request, ISAGCA requested that ISA/IEC 62443 4-2: Technical Security Requirements for Automation Components be referenced as a standard to ensure software security capabilities for OT components.

ISAGCA requested ISA/IEC 62443 4-1: Product Security Development Life-Cycle Requirements (Section 9) be referenced to define the minimum requirements for testing software source code. ISA/IEC 62443 4-1, Security Requirements for Externally Provided Components requires software product development organizations to have a process to identify and manage security risks of these components used within the product.

ISA and its members have been ardent supporters of the NIST cybersecurity framework and contributed to the development of both NIST CSF in 2014 and the ISA/IEC 62443 standard. Product suppliers have been developing automation products using ISA/IEC 62443 security life-cycle practices in their development processes since 2010. 

Companies are having their development processes and products independently audited and certified to conform to ISA/IEC 62443 via accredited certification bodies in the U.S. and around the globe. Company examples include ABB, Aveva, Azbil, Bayshore Networks, Carrier Corp., CISCO, Eaton, Emerson Automation Solutions, Emerson Power & Water Solutions, GE Power Conversion, Hima, Hitachi, Honeywell, Johnson Controls, Nexus Controls, Rockwell Automation, Schneider Electric, Siemens, Toshiba, Yokogawa, Valmet and Wartsila.

This article was originally published in InTech's July/August issue.