For chemical operators overall, Kaun emphasizes two basic vulnerabilities that must be tackled to improve cyber security: awareness and enforcement.
In early March, the International Society of Automation (ISA), Research Triangle Park, NC, announced that its ISA99 standards committee on industrial automation and control systems security has formed a group to conduct a gap analysis of the current ANSI/ISA99 standards with respect to the rapidly evolving threat landscape.
The purpose is to determine if companies following the ISA99 standards would have been protected from such sophisticated attacks and to identify needed changes, if any, to the standards being developed by the committee. A technical report summarizing the results of the group's analysis may come out by mid-2011.
Last November, the International Instrument Users' Association, The Hague, The Netherlands, launched Version 2 of its "Process Control Domain Security Requirements for Vendors," which it calls the first international standard that outlines a set of specific stipulations focusing on cyber-security best practices for suppliers of industrial automation and control systems.
Led by major companies such as BP, Dow, DuPont, Saudi Aramco and Shell, dozens of other end-users, as well as leading vendors such as Invensys and multiple government agencies, the group spent two years developing and piloting the program that culminated in Version 2.
"Not only do the requirements provide current-state measures, they allow us to continue to improve and adapt to the ever-changing security landscape. From our perspective, this program is a major shift, not only focusing on tactics, but one that puts into place strategic elements that address operational change," says Ernie Rakaczky, portfolio program manager control systems -- cyber security for Invensys Operations Management, Dollard-des-Ormeaux, QC.
"This document provides the common language we need to communicate our expectations around security to our suppliers and the framework to work together to help improve the overall security posture for our critical systems," adds Peter Kwaspen, strategy and development manager, EMEA control and automation systems at Shell Projects & Technology, The Hague, The Netherlands.
"We've now come to a truly functional cyber-security standard based on the needs of end-users and it is now up to us, the end-user, to take advantage of this effort and insist that our vendors are certified," stresses Jos Menting, cyber-security advisor with GDF Suez Group, Paris.
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org.