I don’t know about you, but I have always had a hard time keeping all the different IEC SCADA Security efforts straight. Well Tom Phinney of Honeywell sent out a cogent and concise description in a recent email, see below.

The IEC TC65 technical committee is chartered to produce standards in the area of industrial process-measurement and control. In terms of industries, this covers hydrocarbon extraction (e.g., wellheads) and processing (e.g., refining), chemical plants, pharmaceutical plants, pulp and paper mills, and related areas such as the power generation component of the electrical system (up to the output transmission lines and intertie). IEC TC65/WG10 covers network and system security for these industries.

Another IEC technical committee, TC57, covers transmission and distribution of electric power, and typically also gas, oil and water pipelines. Cybersecurity for those is served primarily by IEC TC57/WG15 under Frances Cleveland’s leadership.

IEC TC65/WG10 currently is working on a draft standard that will be known as IEC 62443, which has been attempting to address areas of external ingress into industrial automation systems (e.g., from the Internet or the parent corporation’s intranet), areas of potential internal compromise (e.g., ’sneakernet’ via a USB flash drive) and protection of the distributed communications within such plants (e.g., fieldbuses). The editor for IEC 62443 is Dr. Hans Daniel, recently retired from the German national security agency BSI. Before his years at BSI, Hans worked in the States and Europe for a number of US semiconductor manufacturers. He has good English skills. Until his retirement, he was also BSI’s representative to ISO/IEC JTC1 SC27, the standards subcommittee responsible for the international version of the Common Criteria, ISO/IEC 17799, various standards on cryptography and its application, etc.

During the last year there has been an attempt to refocus IEC 62443 from its original goal of producing a “best practices” document, that really would have been more appropriately characterized as “good cybersecurity practices for industrial automation circa 2005″, to a goal of providing an integrated process and product assurance framework for automation plants, covering the design, acquisition, integration, operation and maintenance phases of those plants, and the design, development and maintenance phases of products used in such plants. This refocused document necessarily is only a framework that must reference other de facto and de jure standards, including those being developed in SP99. IEC 62443 also is planned to include a continuing process component for threat-risk-assessment, to drive the other assurance processes.

Thanks Tom!