One of the reasons I went to ISA Expo in Houston last week was to try to get a fix on what ISA 99 was up to and whether it continued to matter. Historically, ISA 99 was one of the early movers in the control system security standards and guidelines space. Their first two technical reports were so much better than anything that was published at that time and still stand up well to most of the other efforts.
Another long-term positive for ISA 99 is that they continue to have one of the most active groups of participants working on control system security standards. Right now they are working on 14 different standards and technical reports, a daunting number. But will all this activity make a difference even if ISA 99 is successful in getting these standards out? Two new factors in recent years raise this question.
1. NERC CIP and sector specific standards – The electric sector has little interest in ISA 99 and is almost totally focused on NERC CIP compliance. The level of activity by those working and reviewing NERC CIP and those trying to meet those requirements dwarfs the work in ISA 99. Other sectors tend to look at their sector bodies for standards, oil – API, gas – AGA, railway – APTA, … So the vision I had heard at many early ISA 99 meetings that the 99 standards would be universal and used across all sectors appears highly unlikely.
2. NIST SP800-53 – The US Congress has led, and other USG parts are following, the concept that if NIST SP800-53 is good for USG computer and network security, why should critical infrastructure systems be held to a lesser standard? Now I don’t agree with the ‘lesser’ part of that or with the claim that the NIST document is superior to some other efforts. The NIST document is fine, but since many sectors are well into different approaches based on different documents, it seems to be a net negative to lose that momentum and progress to switch to the SP800-53 based approach. But it seems the battle has been largely decided, kudos to JW, and sectors will be looked at much more favorably if they embrace the NIST SP800-53 document. I should note that NIST, to their credit, has not been bad-mouthing other efforts. Quite the contrary, they contribute to other efforts and develop crosswalk tables to show similar coverage.
So I arrived in Houston last week thinking whither ISA 99? And the answer surprised me.
I don’t remember the exact date, but in the past couple of years a decision was made at IEC to work in parallel with ISA 99 rather than wait to consider the ISA 99 documents when completed. In the past many ISA documents were considered for IEC standardization after they were official ISA standards. Of course this added significant delay and often led to some differences between the ISA and IEC standards.
Today the relevant IEC participants are working in conjunction with ISA 99 and contributing and reviewing the drafts at the same time. Documents will be sent to ballot in parallel. There will be one format. They will be the same. So if ISA is able to complete these documents they will have a twin ISA / IEC win from day one.
Why is this important? Well, today many of the larger vendors and asset owners do business around the world. Whether NIST or NERC/ERO are good or not, they are American standards. An international company would much rather comply with one international standard than with many national standards, so something like an ISA / IEC standard is likely to be of much more interest to an Exxon, Dow, Chevron, Honeywell, ABB, …
So I left ISA Expo quite surprised at my feeling that ISA 99 may be more relevant than ever, just more so to the international / multinational community than to any strictly US play. That said, the clock is definitely ticking. If these standards don’t get to a close-to-finished state where people can begin using them soon, they could easily be superseded by something else.
Final note – I have an interview with ISA 99 co-chair Eric Cosman that will be available soon in a podcast.