I’m just back from the first face-to-face meeting of Working Group 4’s effort to write ISA SP99 Part 4. Part 4 will contain normative requirements for technical security measures in control system devices, sub-systems and systems. This means that vendors, integrators and asset owners will be able to verify or audit compliance with SP99 Part 4.
I don’t think it is appropriate to give detailed comments on the discussions in these meetings because it might hinder conversations and openness. However, I wouldn’t say that writing standards is like the overused simile of watching sausage being made; it is not ugly or distasteful to watch. Having an enthusiastic foodie as a wife, I’d say writing standards is more like watching puff pastry being made. It takes a long time, has a lot of repetition, and is very tedious but requires attention to detail.
The groundwork for Part 4 was laid out in the zones, conduits and security levels defined in Part 1. Part 4 will detail the technical requirements for zones at each security level.
One of the common discussions that I imagine the working group will have many times is what belongs in Part 3 (administrative controls) and what belongs in Part 4 (technical controls), although we avoid using the words “controls” or “security controls” in the documents to avoid confusion. For example, does a requirement to deploy a least-privilege ruleset in a perimeter security device belong in Part 3 or Part 4?
There is still plenty of time to get involved in Part 4.