What if we automated ISA’s Automation Standards?

ISA’s automation standards reflect the collective expertise of countless risk management and safety professionals.  When implemented fully, they vastly improve an organization’s ability to prevent, mitigate, and build resilience against a constant onslaught of damaging cyber and physical hazards. Imperfect compliance processes, budget and time restrictions, and a lack of security skill and technical know-how have made leveraging that expertise a daunting task for many organizations.  They consequently struggle to maintain even the most basic security functions and face potentially catastrophic losses as a result.

What’s needed is a method to accelerate compliance with ISA’s automation standards, one that ensures that achieved compliance actually enhances an entity’s security posture.  Imagine if organizations could obtain automated, continuous, and real-time awareness about whether their chosen control solutions are working and making them safer.  How much more secure would the world be if critical infrastructure operators could immediately receive alerts when those solutions fall short and quickly access a library of proven, peer-recommended alternatives that fill identified security gaps?  Think of the improved security outcomes that could be had if organizations could stage, simulate, and test the effectiveness of potential control solution deployments in a virtual environment – all before they commit a single resource dollar.  The static check-box surveys so common to traditional compliance approaches simply fail to provide such insight.

Ark Network Security Solutions (Ark) recently approached ISA Management about its efforts to meet this need and is actively seeking OT professional input on its way forward.  As planned, Ark’s “true continuous compliance system” will virtually represent devices, intellectual property, personnel, and anything else an organization values as assets, while simultaneously creating corresponding “control groups” for their protection. Those groups will consist of three elements:

• Guidelines that will encompass national, international, and customized security standards – including, potentially, any or all of ISA’s automation standards;
• Implementations that will include both technical and manual (i.e., based on human processes) risk controls that organizations can apply to conform with those standards; and
• Assessors that will verify whether chosen controls are in place, working, and delivering real security value.

The system will “express” both an organization’s assets and these elements electronically.  This novel format will allow users to rapidly link all of them in more impactful ways and to determine, at machine speed, a corresponding compliance and security performance score that an OT professional can track over time. 
Ark’s goal is to make compliance a cornerstone of more effective security – enabling companies to free up existing resources so they can zero in on priority risk areas.  In short, the plan is to shift the focus to maximizing security, with more meaningful compliance the natural consequence. 

Much of the system’s development has focused on the creation of a unique information sharing platform.  Ark is designing the platform so organizations of all kinds can:

• Submit both technical and manual risk controls for community consideration;
• Provide feedback on which solutions work best for compliance and security purposes; and
• Highlight an opportunity for a market response where no controls adequately meet those purposes.
In short, Ark wants to create a mechanism that provides an up-to-date take on which vendor fixes offer the most security bang for the buck. The intent is to ensure that community experience – not just vendor representations – provide the insight that OT professionals need to select what’s best for their enterprises. 

In its conversations with ISA Management, Ark has described the system’s interface as one that will literally “show” organizations their value at risk when particular assets are unprotected, flag problem areas automatically, and illuminate progress when those areas receive required attention. The planned visual display is being designed to convey all this information in a clear, comprehensible format to stakeholders at every level of an organization.  In that way, both technical and non-technical professionals can better appreciate and make common cause against priority risks.  By providing an actual risk picture, moreover, Ark intends to help organizations tell their risk management stories more understandably to business partners, clients, insurers and other key external audiences – all of whom are increasingly seeking proof that their commercial contacts are safe security bets.
As part of its development process, Ark has contacted ISA Management in an effort to obtain OT professional perspectives about how to optimize the process the system will utilize in advance of its release later this year.  Specifically, Ark would like to know:

• Which industry sectors hosting OT assets stand to benefit most from the system and why?
• Which of ISA’s automation standards should be included first within the system in order to help those sectors?
• What capabilities and features of the system appeal most from an OT perspective?  What capabilities and features should be added?
• Which cyber and physical security controls (e.g., encryption technology, firewalls, awareness training, safety alerts) should be included as part of the system’s initial platform so they can be more widely used and reviewed by OT professionals?
• What data about compliance with ISA’s automation standards would be of most interest to the OT professional community?

If you’d like to provide feedback, or would like to learn more about Ark’s solution, please contact Tom Finan at tom.finan@arknss.com.
About the Author

Tom Finan is the Chief Strategy Officer at Ark Network Security Solutions in Dulles, Virginia.  Ark’s mission is to bridge the gap between security compliance and risk management.  Its forthcoming service will enable organizations to leverage the goodness inherent in security best practices, guidelines, and standards by accelerating and automating the implementation of highly effective, community-endorsed risk controls.  In so doing, Ark’s service will help users move beyond compliance “approval” to ongoing risk management excellence and true organizational resilience.