• ISA provides technical resources and standards to help industrial automation professionals advance their careers and the field. We enable automation professionals worldwide to solve problems and enhance their skills by bringing people together to create new technologies and share best practices with future automation professionals.

    • Industry Insights

  • We attract over 140,000 unique automation professionals monthly, making us the premier online content provider and the only dedicated electronic magazine in the automation industry.

    Monthly Magazine

    • More things to read

    Back
    Back
  • M logo for Automation.com Monthly. Link to current issue.
  • Search Sponsored By:
News

How ISA and Automation Federation Leadership Helped Secure Industrial Control Systems

By: Contributing Authors
08 February, 2017
3 min read
As a result of work by ISA and the Automation Federation, IEC/ISA 62443 will play a prominent role in securing control systems for industry in the future.

This post was written by Stephen R. Huffman, vice president, marketing and business development, at Mead O’Brien, Inc.

Technical leaders had the foresight to create the ISA99 standards committee back in 2002. They recognized the need for cybersecurity standards in areas outside of the traditional information technology (IT), national security, and critical infrastructure areas of concentration at the time.

When Automation Federation (AF) refocused its efforts in 2007 with both automation profession advocacy and industrial automation and control system (IACS) cybersecurity as two of its strategic imperatives, we ventured forth to Capitol Hill with a message and a plan. We found that in general our lawmakers equated process and industrial automation as “IT” and thought that IT was already addressing cybersecurity in terms of identity theft and forensics, and that the Department of Defense was handling cyberprotection for national security.

For the next several years, AF built its story around cyberthreats in the operational technology (OT) area and how ISA99 through its series of standards, technical reports, and work group output was providing guidance for asset owners, system integrators, and control system equipment manufacturers specifically for securing IACS.

The operating philosophy of IT cybersecurity versus OT cybersecurity is quite different. Although the approach of shutting down operations, isolating cybersecurity issues, and adding patches may work well to mitigate IT breaches, the same cannot be said for operating units in a real-time process. In short, it really is not feasible to “reboot the plant.” The message resonated enough for us to help create the Liebermann-Collins Cybersecurity Senate Bill introduced in 2012, but opposition (more political than reasonable) doomed this first effort. In 2013, the President issued Executive Order 13636 for enhancing cybersecurity protection for critical infrastructure.

It included directing the National Institute of Science and Technology (NIST) to establish a framework that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs. Of the more than 200 proposals submitted by organizations receiving a request for proposal, almost all were IT-based.

Advertisement

The AF/ISA submittal took the perspective of operational technology backed by the strength of the existing ISA99 set of standards. After a set of five framework meetings of invited participants, including the AF “framework team,” over the course of 2013, the OT and IACS teams were much more successful in defining the needs, and the automation message was much better understood. NIST personnel with legislative experience with AF on the 2012 Senate bill understood that private industry is a key piece of the cybersecurity and physical security puzzle. AF organized a series of NIST framework rollout meetings in 2014 around the country with attendees from the AF team, NIST, and the White House.

The meetings were hosted by state manufacturing extension partnerships, which are state units of NIST.

After these meetings and more work with Senate lawmakers, a bipartisan Senate bill, The Cybersecurity Enhancement Act, was signed by the President and put into law in December 2014 ( www.congress.gov/bill/113th-congress/senate-bill/1353 ). In summary, the act authorizes the Secretary of Commerce through the director of NIST to facilitate and support the development of a voluntary, consensus-based, industry-led set of standards and procedures to cost effectively reduce cyberrisks to critical infrastructure. As you can imagine, ISA99, now IEC/ISA 62443, will play a more prominent role in securing the control systems of industry in the future through a public-private information-sharing partnership.

Thanks for the foresight and fortitude of the ISA99 standards committee.

ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:

About the Author

Stephen R. Huffman is vice president, marketing and business development, at Mead O’Brien, Inc. , and chairman, government relations committee, at Automation Federation. He has a 40-year history of optimizing process systems, developing new applications, and providing technical education.

He served as 2007 president of ISA. .

Connect with Stephen

LinkedIn Email

A version of this article also was published at InTech magazine

Advertisement

Trending Articles

Advertisement

Related Articles

View all Articles and News
Advertisement
Advertisement

International Society of Automation
PO Box 12277

Research Triangle Park, NC 27709

E-Mail: [email protected]

©2026 Automation.com, a subsidiary of the International Society of Automation.