Cyber Security Standards - ISA-99

ISA-99

ISA99 is the Industrial Automation and Control System Security Committee of the International Society for Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released as American National Standards Institute (ANSI) documents. Work products from the ISA99 committee are also submitted to International Electrotechnical Commission (IEC) as standards and specifications in the IEC 62443 series.

All ISA99 standards and technical reports are organized into four general categories. These categories identify the primary target audience for each group (i.e., General, Asset Owner, System Integrator and Component Provider).

  1. The first (top) category includes common or foundational information such as concepts, models and terminology. Also in this category is a work product that will describe security metrics.
  2. The second group of work products targets the Asset Owner and addresses various aspects of creating and maintaining an effective IACS security program.
  3. The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core to this group is the zone and conduit design model.
  4. The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.

There have been a number of changes in the ISA99 numbering scheme to align to the corresponding IEC standards. In the future all work products will be numbered using the convention “ISA-62443.xx.yy”. The previous ISA99 nomenclature will be maintained for continuity purposes.

The specific ISA99 documents are as follows:

  • Group 1: General
    • ISA-99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.
    • ISA-TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft, but the content is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Master%20Glossary.aspx).
    • ISA-99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.
  • Group 2: Asset Owner
    • ISA-99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01-2009) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443-2-1.
    • ISA-99.02.02 addresses how to operate an IACS security program. This standard is currently under development.
    • ISA-TR99.02.03 is a technical report on the subject of patch management in IACS environments. This report is currently under development (Work Group 6 - Patch Management in the IACS Environment).
  • Group 3: System Integrator
    • ISA-TR99.03.01 is a technical report on the subject of suitable technologies for IACS security. This report is approved and published.
    • ISA-99.03.02 addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
    • ISA-99.03.03 defines detailed technical requirements for IACS security. This standard is currently under development.
  • Group 4: Component Provider
    • ISA-99.04.01 addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
    • ISA-99.04.02 is a series that addresses detailed technical requirements at the IACS component level. This series is currently under development.

Finally, an additional IEC standard is shown (in green) in anticipation of this document being accepted from the WIB organization. This document is NOT a work product of the ISA99 committee.

More information about the activities and plans of the ISA99 committee is available on the committee Wiki site.
