March 10, 2023
Changes lie ahead for the regulatory side of operational technology (OT) in the form of ISA-TR84.00.09-2023 (Edition 3). Are you prepared?
Regulations are nothing new for utility or oil and gas companies, but for organizations in other industries this report could mean preparing for significant cybersecurity changes. The draft of ISA-TR84.00.09-2023 was recently released for review and comment, and it makes notable changes to the functional safety lifecycle by adding cybersecurity activities to it.
The draft ISA-TR84.00.09-2023 report can be found here.
To understand the history of industrial cybersecurity, we need to revisit the history of industrial safety standards.
ISA was founded in 1945 as the Instrument Society of America and renamed the International Society of Automation in 2008. The rename was a move to gain recognition in Europe, where the competing International Electrotechnical Commission (IEC) standards had been adopted.
In 1984, ISA submitted the first proposal for a new standard to ensure the safety of industrial processes using instrumentation. Thus, the fundamentals of functional safety were born. This Standard for Safety Instrumented Systems (SIS), named ANSI/ISA 84, was not published until 1996, which demonstrates the amount of work and negotiations that went into the standard’s creation.
In Europe, the generic functional safety standard IEC 61508 followed in 1998, and its process-sector derivative, IEC 61511, was published in 2003. Knowing that functional safety was a global problem, both institutions harmonized their standards, and ISA adopted IEC 61511 as ANSI/ISA-84.00.01-2004. The one difference was that the U.S. edition kept a "grandfather" clause allowing existing facilities to continue operating safety systems designed to earlier codes and practices. Europe did not allow this clause, so all facilities had to upgrade their safety systems to comply with IEC 61511.
This laid the foundation for later standards from both ISA and IEC, including those for industrial automation and control systems (IACS) cybersecurity. In 2010, the ISA99 committee's IACS cybersecurity standards were renumbered as the ANSI/ISA 62443 series to align with the IEC, which publishes the same documents as IEC 62443. The IEC has since designated IEC 62443 a horizontal standard, meaning it applies across all industry sectors rather than to one vertical; the jointly developed documents are referred to as ISA/IEC 62443.
OSHA's Process Safety Management (PSM) standard requires that safety instrumented systems follow Recognized and Generally Accepted Good Engineering Practice (RAGAGEP), and in 2000 OSHA recognized ISA 84 as RAGAGEP, so every PSM program must address functional safety. ISA 84 (now aligned with IEC 61511) states that cybersecurity risk must be accounted for. Indirectly, then, OSHA requires OT cybersecurity risk assessments, specifically for safety systems.
Timeline of Major Standards and Publications
Cybersecurity was already a known risk when the original ISA 84 and IEC 61511 functional safety standards were written. The safety standards were then used as a reference when the 62443 series was created, which is why both use similar vocabulary and methodologies for calculating risk.
NIST SP 800-82, the Guide to Industrial Control Systems (ICS) Security, is specific to control systems and safety systems, yet it is not one of the NIST Cybersecurity Framework's informative references; ISA/IEC 62443-2-1 and 62443-3-3 are.
The safety standards themselves say little about cybersecurity risk. The only references in IEC 61511 are the following two quoted clauses.
There was heavy pressure from industry for ISA to provide guidance on operational technology (OT) cybersecurity as soon as possible. In 2013, ISA published the first edition of the technical report, ISA-TR84.00.09, to help industry apply ISA/IEC 62443-2-1 and ISA/IEC 62443-3-3 to safety systems.
ISA/IEC 62443-3-2 requires that a detailed cyber risk assessment be conducted for Safety Instrumented Systems (SIS), following the traditional Process Hazard Analysis (PHA) methodology described in ISA/IEC 61511.
Every edition of ISA-TR84.00.09 has had the same intent: securing safety systems. The 2023 edition goes into far more detail on how to use the ISA/IEC 62443 standards together with the functional safety lifecycle of ISA/IEC 61511. It was a large undertaking, essentially a complete rewrite of the earlier editions.
The technical report provides guidance on implementing cybersecurity within the IEC 61511 and ISA-84.00.01-2004 lifecycle. As stated in the abstract, the report "provide[s] guidance on integrating the cybersecurity lifecycle with the safety lifecycle as they relate to Safety Controls, Alarms, and Interlocks (SCAI), inclusive of Safety Instrumented Systems (SIS)."
The 2023 edition of ISA-TR84.00.09 is 129 pages long, while the 2017 edition was only 54 pages. That growth is a good indicator of how granular the new edition has become.
As ISA-TR84.00.09-2023 is finalized over the course of this year, one thing is certain: OT cybersecurity is going to be a critical component going forward, and organizations need to shore up their defenses to stay ahead of potential attacks on safety systems. The industry is currently split between organizations actively maturing their OT security programs and those just starting to build them, and the split usually falls along industry lines. Utilities and petrochemical firms have matured but must become more formal to demonstrate compliance. Less mature verticals such as food and beverage, manufacturing and logistics have largely not addressed the fundamentals and face a large lift to secure these systems. These firms have relied on an air gap (keeping plant networks offline) to protect SIS and will have to move quickly. In practice, that isolation is often undermined by remote vendor access, engineering laptops and removable media, so it should be verified in the risk assessment rather than assumed.
Optimistically, connecting cyber and safety should improve funding. Historically, enhancing cybersecurity was an isolated and non-essential budget item; tying it to safety taps into a separate, and larger, funding source.
Optiv is here to help. Contact us to identify how ISA-TR84.00.09-2023 applies to your organization and how to prepare for the final report later this year: https://www.optiv.com/OT