UPDATE: The 12-page Call for Input document is now posted. It definitely answers the intellectual property question, but will anyone bite on giving away useful IP?

2. The participant identifies any holders of copyright interests in the contribution, and affirms that the copyright holder grants to ASCI a perpetual, irrevocable, non-exclusive, royalty-free, worldwide license to include the contribution and derivative works within any document arising from the work of the Institute.

3. If the resulting candidate specification(s) may require the use of a patented invention, the participant identifies any holders of patent(s) or patent interests in the contribution, and affirms that the patent holder agrees to comply with policies contained in the ASCI Patent Policy. The participant or patent holder must provide ASCI with either: a general disclaimer to the effect that such party does not hold and does not presently anticipate holding any invention the use of which would be required for compliance with the proposed specification or a written assurance that either: (a) a license will be made available without compensation to applicants desiring to utilize the license for the purpose of implementing the specification, or (b) a license will be made available to applicants royalty free, that are demonstrably free of any unfair discrimination.

Interesting that they adopted the Level 1 and Protocol certifications levels that we worked with Wurldtech to structure as part of their Achilles Certification.

Finally, it seems like a very aggressive timetable. Intention to submit input must be made by August 15th and input is due by the 31st during a vacation heavy month. 1st draft Embedded Controller SA conformance specification by September 30th.

—–
The ISA Security Compliance Institute [ISCI] announced a Call for Input to their Embedded Controller SA conformance specification on the SP99 list last week. We will link to it when it is up on the ISA site.

At the last ISA99 meeting in West Palm Beach, I raised some red flags about a pay to play organization dictating an ISA standard’s structure and schedule. Well this Call for Input is another red flag. Why would any non-ISCI member want to contribute to this effort?

It costs at least $5,000 a year to even participate in an ISCI technical meeting, and the price goes up based on company size. Would you contribute to an unproven, fledgling effort that then makes you pay to even get in the room to work on the specification?

Who owns the intellectual property [IP] of the contributions? ASCI/ISCI has made a point in presentations that the test specifications and certification programs they will develop have value and are ISCI’s IP. And this is wise because creating effective test specs and programs is difficult. But how can ISCI take another company’s input and say they own the resulting IP? I would be amazed if the two prominent vendors in this space, Mu and Wurldtech, would hand over their IP. [FD: Wurldtech is a current advertiser and past Digital Bond consulting client].

As the ISA>ACSI>ISCI efforts have rolled out it appears to me they made two fundamental mistakes.

1. Perhaps the fatal mistake was they started too early. If ISA99 or some other control system security standard that had testable requirements was available they could apply resources to build a test spec and certification program. We are not close to this so now ISCI needs to develop a set of ISCI proprietary requirements and the test spec.

2. ISA viewed this as a significant new revenue source - - my speculation. It is one thing to raise money to cover efforts, but the pay to play aspect is another. First, why did they need all that money? They have not hired a team to write test specs; they are relying on volunteers from member companies. If I’m a member seeing year two dues coming up I’m asking some hard questions.

Also, how would it be viewed if Mu or Wurldtech or Digital Bond or Industrial Defender said everyone contribute non-trivial upfront money to our commercial effort. Not only do we own the IP, but the efforts and results from your benevolent contribution will not be available to the control system community unless they pay up. Admittedly I’m biased as part of a commercial entity, but I’m continually amazed at how non-profit organizations, labs and academia are considered pure when in fact they are equally greedy and ‘commercial’ as everyone else. Nothing wrong with their motives but the illusion of purity . . .