The U.S. Department of Energy (DOE), global equipment suppliers, and other stakeholders announced the establishment of the Electric Energy OT Security Profile working group hosted by the International Society of Automation ISA99 standards committee.

The Electric Energy OT Security Profile will be a cybersecurity work product utilizing the ISA/IEC 62443 series of standards. The final product will be a formal ISA/IEC 62443 application guide, recognized globally as the consensus work product for securing various control systems used in electric energy generation, transmission, and distribution operations.

The ISA/IEC 62443 standards are designated as a horizontal standard, applicable to many industry sectors and applications. Industry groups leverage the ISA/IEC 62443 standard series as the basis for securing industrial control systems (ICS). DOE’s Securing Energy Infrastructure Executive Task Force (SEI ETF) evaluated available industry standards and recommended the electric energy OT applications be formalized as ISA/IEC 62443-5 security profile applications—gaining international energy sector consensus on applying ISA/IEC 62443 to electric energy OT applications.

The ISA Electric Energy OT Security Profile working group is seeking participation from industry groups, including the Institute of Electrical and Electronics Engineers (IEEE), the International Electrotechnical Commission (IEC), the International Council on Large Electric Systems (CIGRE), and other industry stakeholders to ensure consideration of and alignment with other cybersecurity work product development efforts.

The initiative will leverage the DOE SEI ETF’s Reference Architecture and Profiles for Electric Energy OT as a foundation for the ISA/IEC 62443-5 application profile development. The SEI Reference Architecture and Profiles and associated whitepaper will be available on the DOE website in the upcoming weeks.

“The Securing Energy Infrastructure Executive Task Force developed an OT-specific reference architecture for electricity systems to provide a common language for control system environments that can be used to design and assess security applications,” Puesh Kumar, Director, DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER). “The ISA Working Group represents an opportunity to validate these profiles and put them into practice for the energy industry. CESER is excited to see energy sector stakeholders carrying forward the task force’s reference architecture work.”

The Electric Energy OT Security Profile will be publicly available at no charge for asset owners, manufacturers, standards organizations, and other industry stakeholders. The application profiles will be used as a basis for designing, implementing, testing, and maintaining electric energy OT systems and their cybersecurity capabilities. They will also be useful by third-party assessment organizations and regulatory authorities around the globe.

Eric Cosman, Co-Chair of the ISA99 Standards Committee, noted that, “Global standards and supporting specifications provide efficiencies for end users, product suppliers, and system integrators that design, deliver, and support products and systems all around the world. One specification and one globally recognized certification provides needed transparency and reduces the regulatory burden on manufacturers.”

As the first company to receive TÜV SÜD certification based on IEC 62443-4-1 for the interdisciplinary process of developing Siemens automation and drive products, including industrial software, Siemens received the certification at seven development sites in Germany. Among other things, these sites are developing Simatic S7 industrial controllers, Simatic industrial PCs, Simatic HMI (Human Machine Systems Interface) devices for operator control and monitoring, and Sinamics drives as well as the TIA (Totally Integrated Automation) Portal engineering software. The international series of standards IEC 62443 defines the security measures for industrial automation systems, with Part 4-1 of the standard describing the requirements of the manufacturer's development process.
The TÜV SÜD certificate is based on the standard IEC 62443-4-1 (Secure Product Development Lifecycle Requirements, Draft 3 Edition 10, 01.2016). This standard includes security-relevant requirements such as capabilities and expertise, security of third-party components, process and quality assurance, secure architecture and design, and issue handling as well as security updates, patches and change management.

As a leading automation and software supplier for industry, Siemens is continuously improving its products and solutions with regard to industrial security. This also includes the certification based on IEC 62443-4-1. With this achievement, the company is documenting its "Security by Design" approach for automation products and is giving integrators and operators a transparent insight into the IT security measures. Integrators and operators use this for the conception and operation of automation processes and systems using Siemens technology and the "Defense in Depth" protection concept.

To ensure comprehensive protection of industrial plants from internal and external cyber attacks, all levels must be protected simultaneously – ranging from the plant management level to the field level and from access control to copy protection. This is why our approach to comprehensive protection offers defense throughout all levels – "defense in depth". This concept is according to the recommendations of ISA99 / IEC 62443 – the leading standard for security in industrial applications.

The global leader in functional safety, cybersecurity, and alarm management for the process industries, exida, has introduced their Alarm Management Practitioner (AMP) Program, a new certificate program that complements the company’s existing functional safety and ICS cybersecurity certificate programs.

The AMP Program is designed to teach end users, integrators, suppliers, and regulators how to realistically apply the most important concepts from the ISA-18.2 and IEC 62682 alarm management standards. The program was developed by exida experts who were instrumental in writing the ISA-18.2 standard and associated technical reports. It leverages exida’s experience from hundreds of alarm management projects to deliver the most important principles and the keys for success.

The AMP program will be offered in conjunction with the exida Academy Training course ALM 101: Introduction to Alarm Management Practices & Principles, which is offered generically or for specific control systems.

“exida’s AMP Program was developed to share what the ISA-18.2 and IEC 62682 really mean and how to apply them pragmatically,” said Todd Stauffer, exida Director of Alarm Management and voting member ISA-18.2. “Taking the course and completing the certificate demonstrates that the practitioner is prepared to support key alarm management activities, such as alarm philosophy development, alarm rationalization, and alarm issue remediation.”

A list of AMP certificate holders will be maintained on the exida website.

Many manufacturers rely on system integrators to design and install compliant machinery safety solutions, but they often struggle to find the most capable provider. To help ease that process, Rockwell Automation continues to expand its global Machinery Safety System Integrator program. Three new members have joined in the first half of 2016, bringing the total number to 26.

“We created this program in 2014 to connect manufacturers with safety system integrators they can trust,” said Mark Eitzman, manager of safety market development, Rockwell Automation. “It’s become a valuable resource for manufacturers because we do the vetting for them. We make sure the integrators thoroughly understand current safety standards and know how to apply safety technologies in a way that also improves plant productivity.”

To be eligible, candidates must be current Rockwell Automation Solution Partners or Recognized System Integrators with three to five years of machine safety experience. They must complete an intensive education and assessment process, but Rockwell Automation also recognizes third-party certification from industry-accepted organizations, such as TÜV or exida.

After meeting these initial requirements, each candidate’s safety engineers complete training modules on topics such as global safety standards, safety risk assessment practices, and safeguarding mitigation and validation. Finally, each candidate must submit a machinery safety project that is consistent with global standards.

The three new members of the program include:

• Automation Electronics Group and Systems (AEG Systems), a Rockwell Automation Recognized System Integrator based in Mexico, specializes in customized process, motion and MES applications for clients around the world.
• RT Engineering, a Rockwell Automation Recognized System Integrator located in Franklin, Massachusetts, provides custom controls and automation solutions for customers in the medical, pharmaceutical and metals industries.
• SINCI, a Rockwell Automation Solution Partner located in Guadalajara, Mexico, specializes in control, process and information applications for customers in food and beverage, metals, mining and utilities.