The ISA 99 Security Committee has been hard at work on writing Security Assurance Levels (SAL) into the ISA / IEC standard. It’s been slow going and difficult work, and may prove to be impossible for this committee.

The idea of a SAL came from the many committee members who were familiar with the Safety Integrity Levels (SIL) developed by ISA 84. There are four SILs, each based on a probability of failure, and it is very easy for a manager to determine which SIL is appropriate for a system.

The concept of a SAL is similarly appealing because in theory it can greatly simplify a risk management and security program. For example, a manager can say the field requires SAL 4, the control center SAL 3, and the DMZ SAL 2. The real win would then be writing those levels into RFPs and procuring a system that is certified to meet them.

Unfortunately SAL is much harder than SIL because you have to deal with unpredictable threat agents rather than measurable failure rates. Even if we had good data on threat agents, it could change dramatically if a motivated group decided to target a company. What types of attacks do you need to assure against?

And then you have the problem of whether a SAL applies only to a component in an ICS, and how to address the composite SAL for a system or subsystem. It’s a complex and difficult issue that the committee members deserve credit for trying to slog through.

At some point, though, they may need to give up on this effort in the interest of getting the more useful and prescriptive parts of the ISA 99 standard out. The committee is at an interesting step-back point now where they are questioning even the definition of SAL and what the “A” in the acronym should represent. Some have suggested that the A be dropped and the term Security Level be used.

An alternate approach is the ISASecure Embedded Device Security Assurance specification, which has functional security requirements for PLCs and other controllers that increase in rigor from Level 1 to Level 3, and then another set of requirements for Historians, HMI, EWS, Communication Servers, …

While this approach is not nearly as elegant or universal as the SAL, you could get a group of experts to agree on a mapping of functional requirements to Security Levels. It would be a bit ironic if ISASecure, which was created to provide testing and certification to ISA99 standards, actually showed ISA 99 the way to achieve the more technical part of the standard.

Image by Joelk75