ISA99 Part 2
From SCADApedia
Part 2: Establishing an Industrial Automation and Control System Security Program
ISA's four-part security standard, ISA99, covers the administrative and technical controls for Industrial Automation and Control Systems (IACS), their acronym for SCADA, DCS and other control systems. ISA envisions this standard being used across vertical sectors, and certainly more broadly than the manufacturing sector.
Part 1 defined the terms, concepts and models. Part 2 uses those definitions and specifies the elements required to establish an IACS security program. It specifies what should be in the program and provides guidance on how the program elements should be established for IACS.
Part 3, which has not been started, will then specify how the security program established in accord with Part 2 is implemented and maintained over time.
Part 2 will supersede ISA99 Technical Report 2 (TR2), Integrating Electronic Security into the Manufacturing and Control Systems Environment. While Technical Report 1, Security Technologies for Industrial Automation and Control Systems, will be maintained, TR2 will be retired once ISA99 Part 2 is approved and issued as a standard.
Part 2 Structure
Part 2 identifies 19 Elements that shall be part of a compliant Cyber Security Management System. Business Continuity Plan, Personnel Security, and Information and Document Management are examples of Elements in Part 2. These 19 Elements are divided into three categories.
- Risk Analysis (2 Elements)
- Addressing Risk with a Cyber Security Management System (15 Elements)
- Monitoring and Improving the Cyber Security Management System (2 Elements)
Part 2 includes, for each Element, its security objective, a description, a rationale for including the Element in the standard, and the requirements for that Element. For example, the requirements for the Personnel Security Element are:
- Establish a personnel security policy
- Screen personnel initially
- Screen personnel on an ongoing basis
- Address security responsibilities
- Document and communicate security expectations and responsibilities
- State cyber security terms and conditions of employment clearly
- Segregate duties for sensitive transactions
Each requirement has an explanatory sentence or two in a table. The requirements for the 19 Elements provide a list of what an asset owner shall do to create a Part 2 compliant Cyber Security Management System.
Approximately 100 pages of guidance on how to implement each Element in a Cyber Security Management System are provided in Annex A. The guidance is divided into baseline practices and additional practices for each Element.
Status
A draft received the required number of votes to pass, but the committee decided to address comments and reballot. Another ballot is expected in July 2008.
