ISA99 WG4 Update
ISA99 Working Group 4 completes its three-day working session today in West Palm Beach, FL. I attended some of the sessions Tuesday and Wednesday despite my earlier blog on ROI of standards efforts. It was just too close to pass up an opportunity to get an update and see some friends.
For those new to ISA99, Working Group 4 is writing Part 4 of the standard. Part 4 covers the technical requirements and will be the most specific and normative of the standard. Part 4 will be a set of requirements that vendors and asset owners will be able to test against. I have updated the SCADApedia with current detail on ISA99.
First the good news, and there is a lot of good news. An impressive amount of progress has been made in 2008. It has gone from a sputtering effort in 2007 to a document with substantial useful technical detail.
The Foundational Requirements section is an excellent resource today. It takes the seven Foundational Requirements in Part 1, adds more detailed / individual requirements under each of these seven, and uses a format very similar to SP800-53. In fact there is a mapping of each detailed Foundational Requirement to SP800-53 to verify the technical controls have the appropriate coverage.
There may be one or more enhancements to the individual requirements, and these enhancements are mapped to the four Security Assurance Levels [SALs] as appropriate. For example, FR1.2 Account Management is mapped to SP800-53 AC-2. FR1.2 had four enhancements. The basic FR1.2 requirement applies to SAL1 - SAL4, but the four enhancements only apply to SAL2, SAL3, and SAL4.
We have been looking for a good categorization scheme for the audit checks in Bandolier, and so far the ISA99 Foundational Requirements are the best we have found.
There has also been progress in the Zones and Conduits area as well as something they are calling Derived Requirements. Derived Requirements are derived from the Foundational Requirements and will be more specific to support compliance testing.
Speaking of compliance testing, the ISA Security Compliance Institute [ISCI] gave a presentation yesterday at the meeting. They have also made significant progress getting organized and moving towards compliance testing for an ISASecure designation. They are working on a roadmap for certification efforts, but it looks like testing network stacks will be the first certification. While Mu and Wurldtech were not mentioned specifically, ISCI will be soliciting submissions for test specifications in this area from two or three vendors, so you can make your own assumptions.
Now for the bad news and a warning flag.
The bad news is Part 4 is still not near completion [and work on Part 3 has not begun]. It is becoming a large complex document, as expected and probably needed. It is hard work. It would be a significant accomplishment if it was complete and approved in 2009, and 2010 is probably a more realistic estimate. My advice would be to not wait until the final document is approved or even balloted. There are useful sections today and more coming in the future.
The warning flag is on the ISA99 / ISCI relationship, and it probably applies to the ISA100 / IWCI relationship. The ISCI is a pay-to-play organization, where organizations have more influence to some degree based on how much they pay. They will be developing intellectual property in the form of test specifications and test reports as well as brands such as ISASecure. What they do with this IP is up to a vote of the pay-to-play members who pay enough to vote. ISA intentionally set up ASCI/ISCI to be a separate organization under a different set of rules.
It is important for a variety of reasons that ISCI not be allowed to dictate what ISA99 does. ISCI has stated that they plan to use Part 4 to create test specifications. Great, but they are one of many consumers of the standard. They should be at the table to voice concerns, make recommendations and contribute to the standard. I’m sure the WG will listen, just as they would to representatives from Dupont, Kraft or NIST. What is dangerous is if ISCI is allowed to drive the timetable, format or even goals of the document. ISA99 was viewed to be a potentially valuable document to asset owners, vendors and others in the community prior to ISCI’s existence.
We still have no idea if ISCI will be successful. It is a new organization. Will they be able to develop test specifications? Will vendors submit products for certification testing? Will the business model prove to be viable? It would be regrettable if Part 4 was tailored for ISCI and ISCI failed. There are many examples where an ISCI-friendly approach may not be best for other parts of the community. The most basic may be how tailored the document is to vendors [who ISCI is likely to certify] or asset owners.
There is also the intellectual property issue and availability of worthwhile results of ISA99 volunteer efforts. If ISA99 says we will let ISCI handle that, it has serious ramifications for the community. They now will need to pay to play at ISCI to get the benefits. In a worst-case scenario, which I don’t expect, ISA99 could do all the baking and ISCI could add the frosting required for the end product to be of value. I understand at the ISA100 meeting in China there was concern about the number of sections and tasks being passed to the WSCI and some were pulled back.
I’m certain that to date everything done in the ISA99/ISCI relationship has been done with the best of intentions. Really. There has been no evidence of anything nefarious or even any bad intent. It is simply the prominence of ISCI in discussions and the implied linkage that has me seeing flashing warning lights. If ISCI and other SCIs are going to be independent, pay-to-play organizations, they cannot be treated differently than any other participant in the process or consumer of the standard. In fact, in these potential conflict of interest cases extra care is usually taken to avoid even the perception of conflict of interest.
Author: Dale Peterson
Posted: June 5th, 2008 under ISA SP99, Uncategorized.
Comments: 3
Comments
Comment from stephan beirer
Time: June 5, 2008, 3:31 pm
A related question:
I heard rumours that IEC 62443 might be merged (get absorbed?) with ISA99. Does anybody know more about this topic?
Comment from Dale Peterson
Time: June 6, 2008, 8:02 am
Stephan - there was an informal report at the meeting on the results from the recent IEC meeting in Tokyo. This is third-hand information so take it for what it is worth. Apparently some IEC committee, probably 62443, decided to put their efforts behind ISA99 rather than develop a separate similar standard. The approach would be to have their members participate in the ISA99 effort with the goal of sending the resulting document to ballot at IEC at the same time as ISA99. This would reduce duplicate work, potentially speed document development and prevent lag time between ISA and IEC standards that can occur in both directions.
One other note - apparently ISA has adopted the IEC style guide so format conversions should not be required.
Comment from Hans Daniel
Time: July 23, 2008, 2:20 am
This is not a “rumor” but a decision at last year’s PCSF Atlanta meeting: to form a joint ISA/IEC working group.
This has the effect that the related IEC WG all but stopped developing their own standard to adopt what ISA is doing. The necessary agreement is to use the IEC document format to be accepted by IEC as a standard.
As for the 62443: An “ad hoc” IEC PAS 62443 version has been published based on the work of the IEC group (I was the editor - google for it - or look for http://webstore.iec.ch/preview/info_iecpas62443-3%7Bed1.0%7Den.pdf to get the content page).
While it contains in a compact form “good practice” for SCADA security collected through quite a number of experts, the present IEC PAS 62443-3 does not seem to get any attention.