Bryan Singer, the chairman of SP-99, put out a concise and informative update on the committees control system security efforts. I have copied it below with his permission.

Working Group 1: ISA TR-99.00.01 (Technical Report 1) Technologies for Industrial Automation and Controls Security - Largely due to significant editorial and substantive contributions from Idaho National Labs writers, led by Bob Evans, and Working Group 1 members, a significant update to this technical report is in the stages of being prepared for vote.  It has been released to the Working Group 1 for comment, and will be released to general committee for vote as soon as comments are satisfactorily addressed.

Working Group 3:  ISA-99.00.01 (Part 1) - Concepts, Models, and
Terminology:  This document, while it received enough votes to pass on the first round, had enough comments to warrant another review cycle.  That review cycle is complete, and the next version of this report is due out for committee vote any day now.  Many thanks go out to the Working Group 3 members and all those that provided comments, editorial assistance, and content.  We are hopeful that this document will be finalized in the next few months.

Working Gorup 2:  ISA-99.00.02 (Part 2) -Establishing an Industrial Automation and Control Systems Security Program: Hot on the heels of Part 1, Part 2 is due out for its next vote in the next couple of months.  Again, thanks go out to all the committee members that have worked to see this document towards completion.

At a bare minimum, it is expected that TR-1, Part 1, and Part 2 will all be finished in 2007.  These cover not only technological aspects, but also the policy, procedure, definition, and guidance for creating and operating a security program.

Working Group 4:  ISA-99.00.04 (Part 4) - Newly formed, this committee is in its formative stage, and is working on several key topics including security levels for controls, technical evaluation procedures for security requirements, and a number of other key activities.  Ultimately, it is the objective of this group to create a standard aimed at evaluating and measuring controls in an automation environment to ensure that the desired level of security is attained and maintained.  One of the important tasks this group is working on is to create an approach document that will outline how end users would approach security in respect to all four planned parts of the standard.  We expect some content to be released in 2007 with the standard available some time after that.

For those that are curious, the Part 3 activity will be a follow on activity to Part 2, and will start once it is complete.  Part 3 seeks to determine operational and metric based metrics to ensure that the activities of a security program are operating at desired levels and achieving desired results.