ISA99 is one of the oldest and most prolific control system security standards groups. They published the first quality technical reports on the topic, and have an ambitious 14-document work plan depicted at the bottom of the post. The working groups are gaining members and slogging through the tough work of writing consensus security standards.
It all sounds good, but … the ISA parent organization seems to be crumbling around them. Walt Boyes has chronicled this best in his blog, and we have a few blog entries on the demise of ISA Expo, membership problems, outsourcing of their InTech trade magazine and other signs of doom. What is the future of ISA99 if ISA loses its relevance?
It looks a bit grim until the recent coordinated efforts of ISA99 and IEC 62443 are considered. IEC 62443 decided that, rather than work on its own separate standards effort, it would contribute to the ISA99 effort, and the resulting standards would be jointly issued by ISA and IEC.
While this adds a tremendous amount of process complexity, the resulting standards are much more valuable. Even though ISA is “international,” it never had the reputation or impact that IEC does in Europe, Asia and the rest of the world. When we say NIST in Asia it is met with skepticism; not so for IEC. Outside of regulatory security standards that force compliance, it is hard to think of any other standards body that has the impact of IEC.
I talked with Eric Cosman, ISA99 co-chair, about the ISA/IEC coordination, and he said:
We have worked hard to establish a liaison relationship with IEC that will allow our work products to also be submitted as drafts in the IEC 62443 series. This approach not only allows us to reach a broader international audience, but it will also hopefully signal that our documents are not intended to be “just” ISA standards, but IEC as well. We have not yet reached the point where our processes allow simultaneous release via both ISA and IEC, but the gap is definitely closing. I am not sure that all of our stakeholders are aware that for every item on the ISA99 work plan there is a corresponding item in the IEC 62443 series, as shown on the page http://isa99.isa.org/ISA99%20Wiki/Work%20Products.aspx. We have completed one work plan with IEC TC 65, have submitted a second and will eventually submit a third and final one that will cover the remaining work products. The IEC work plans each span a two-year period.
When the IEC 62443/ISA99 coordination effort began, the aim was to pool the limited standards development people resources in this space and to speed the development process along. The speed-up may not happen because of the difficulty of complying with both ISA and IEC rules. But the somewhat unexpected side benefit of making the ISA99 work product relevant as ISA fades in prominence makes all the extra bureaucratic work worthwhile.