Our last post was on the NERC Cyber Assessment Task Force. Although this is a distraction from the NERC CIP next version, it makes sense for NERC to look at how to detect and isolate an attack on a large segment of the bulk electric system. I’m sure it is just a coincidence with NERC, but now ISA has a Stuxnet inspired Cyber Threat Gap Analysis Task Group. The task group will:

conduct a gap analysis of the current ANSI/ISA99 standards with respect to the rapidly evolving threat landscape, as demonstrated by the highly publicized Stuxnet malware. The purpose is to determine if companies following the ISA99 standards would have been protected from such sophisticated attacks and to identify changes needed, if any, to the standards being developed by the ISA99 committee. The new task group intends to produce a technical report summarizing the results of its analysis by mid-2011.

Didn’t ISA99 have enough to do already? Beyond all the various parts and subparts that are in process, they have coordination with the ISA wireless and safety groups. There is already a severe manpower shortage to accomplish the work in a timely manner.

ISA99 Part 4, Technical Requirements for Industrial Automation and Control Systems, is very a much a work in progress with even the basic approach under serious debate. It is the hardest part of the standard, not guideline but a must/shall standard, to write by far. There were a number of emails talking about how to define Security Assurance Levels and associated technical controls last week in advance of a face-to-face meeting. Again this is very hard territory, and the Working Group deserves credit for fighting through these difficulties.

Here’s the question: how will the new Task Group determine if unwritten technical controls would have stopped Stuxnet? There are some elements of a security program in Part 2 that could be considered, but even those will require significant interpretation to draw conclusions. Unfortunately ISA99 is not ready for this task group.

We are as guilty as anyone in covering Stuxnet in detail, but ISA99 would be better served by focusing and finishing their existing work plan in the next two years.