
Launch? of ISA Security Compliance Institute

There has been an effort underway for over a year now to develop a compliance organization for control system security standards. It was started at PCSF 2006 in San Diego by Eric Byres as the Control Systems Security Foundation. After some organizational research and feasibility studies it was taken over by the ISA’s Automation Standards Compliance Institute. The funding organizations of the studies met in May to discuss the studies and how to move forward. The result . . . a potential ISA Security Compliance Institute (SCI).

The reason I say potential is it is based on getting 15 companies to fund the project at the $50,000 annual level for the next three years by September 1st. If funded, SCI will work towards having an operational certification program by June 1, 2009.

Two years away seems like a long time, but it may be too soon. There needs to be a standard or some set of requirements to test compliance against. There was not an answer to this question at the presentation, which is fair this early. However, what would even be the candidate standards to certify compliance against? It is doubtful SP99 Part 4 would be completed by then, since the Working Group is just starting.

The SCI is talking about creating Compliance Profiles, which would include certification testing plans. SCI could choose a guidance document or catalog of requirements and create sets of requirements from it. But isn’t this just another way of creating a standard? And do we need another standard, or why would this organization be better or faster than other organizations, especially since the participants are likely to be the same people?

I’m not saying that SCI wants to create a new standard to test against. Rather, getting a standard to test against may be the critical path, not the money.

Comments

Comment from Donald Swanz
Time: September 18, 2007, 6:32 pm

My organization definitely needs guidance in security issues, especially during the design of a new SCADA system and related computer/network hardware and software. Standards, procedures, etc. need to be configured to guide both the top level (technically) IT people, but also managers and technicians who will be critical in implementing plans.

Do people realize that the FCC’s web site is open to the public? Our SCADA radio frequencies are easily obtained, spectrum analyzers can zero in on any nearby communications, and committed pranksters or terrorists can make an easy attempt at jamming or more complicated control system disruption.
