Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks. These guides provide general outlines as well as specific techniques for implementing cyber security. For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.
ISO 27002 incorporates both parts of the BS 7799 standard. Sometimes ISO/IEC 27002 is referred to as BS 7799 part 1, and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline for cyber security policy, whereas BS 7799 part 2 provides a certification. The outline is a high-level guide to cyber security. It is most beneficial for an organization to obtain a certification in order to be recognized as compliant with the standard. The certification, once obtained, lasts three years and is never checked by the BSI to ensure that an organization continues to be compliant throughout that three-year period. ISO 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO 27001 certification process. There is also a transitional audit available to make it easier for an organization that is already BS 7799 part 2-certified to become ISO 27001-certified. ISO/IEC 27002 states that information security is characterized by integrity, confidentiality, and availability. The ISO/IEC 27002 standard is arranged into eleven control areas: security policy; organizing information security; asset management; human resources security; physical and environmental security; communication and operations; access controls; information systems acquisition, development and maintenance; incident handling; business continuity management; and compliance.
ISA99 is the Industrial Automation and Control System Security Committee of the International Society for Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released as American National Standards Institute (ANSI) documents. Work products from the ISA99 committee are also submitted to International Electrotechnical Commission (IEC) as standards and specifications in the IEC 62443 series.
Planned and published ISA99 work products for IACS Security.
All ISA99 standards and technical reports are organized into four general categories. These categories identify the primary target audience for each group (i.e., General, Asset Owner, System Integrator and Component Provider).
The first (top) category includes common or foundational information such as concepts, models and terminology. Also in this category is a work product that will describe security metrics.
The second category of work products targets the Asset Owner and addresses various aspects of creating and maintaining an effective IACS security program.
The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core to this category is the zone and conduit design model.
The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but it can also be used by integrators and asset owners to assist in the procurement of secure products.
There have been a number of changes in the ISA99 numbering scheme to align to the corresponding IEC standards. In the future all work products will be numbered using the convention “ISA-62443.xx.yy”. The previous ISA99 nomenclature will be maintained for continuity purposes.
The specific ISA99 documents are as follows:
Group 1: General
ISA-99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.
ISA-TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft, but the content is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Master%20Glossary.aspx).
ISA-99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.
Group 2: Asset Owner
ISA-99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01-2009) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443-2-1.
ISA-99.02.02 addresses how to operate an IACS security program. This standard is currently under development.
ISA-TR99.02.03 is a technical report on the subject of patch management in IACS environments. This report is currently under development.
Group 3: System Integrator
ISA-TR99.03.01 is a technical report on the subject of suitable technologies for IACS security. This report is approved and published.
ISA-99.03.02 addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
ISA-99.03.03 defines detailed technical requirements for IACS security. This standard is currently under development.
Group 4: Component Provider
ISA-99.04.01 addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
The ISA-99.04.02 series addresses detailed technical requirements at the IACS component level. This standard is currently under development.
Finally, an additional IEC standard is shown (in green) in anticipation of this document being accepted from the WIB organization. This document is NOT a work product of the ISA99 committee.
More information about the activities and plans of the ISA99 committee is available on the committee Wiki site.
ISA Security Compliance Institute
Related to the work of ISA99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. It has also created an ANSI-accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provide automated control of industrial processes such as those found in the oil & gas, chemical, electric utility, manufacturing, food & beverage and water/wastewater processing industries. There is growing concern from both governments and private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet has heightened concerns about the vulnerability of these systems.