ISA-TR84 and How it Relates to OT Security

March 10, 2023

Changes lie ahead for the regulatory side of operational technology (OT) in the form of ISA-TR84.00.09-2023 (Edition 3). Are you prepared?

 

Regulations are nothing new for utility or oil and gas companies, but for organizations in other industries these regulations could mean they need to prepare for important cybersecurity changes. Recently, the ISA-TR84.00.09-2023 draft report was made available for review and comments, and it makes notable changes to the functional safety lifecycle via cybersecurity additions.

 

The draft ISA-TR84.00.09-2023 report can be found here.

 

 

History of Functional Safety

To understand the history of industrial cybersecurity, we need to revisit the history of industrial safety standards.

 

ISA stood for the Instrument Society of America when it was founded in 1945; the name was changed to the International Society of Automation in 2008. This change was a move to gain recognition in Europe because of the adoption of the competing International Electrotechnical Commission (IEC) standards.

 

In 1984, ISA submitted the first proposal for a new standard to ensure the safety of industrial processes using instrumentation. Thus, the fundamentals of functional safety were born. This Standard for Safety Instrumented Systems (SIS), named ANSI/ISA 84, was not published until 1996, which demonstrates the amount of work and negotiations that went into the standard’s creation.

 

In 1998, a similar safety standard mirroring ISA 84 was published in Europe as IEC 61511. Knowing that functional safety was a global problem, both institutions began a process of harmonizing the standards. The only exception was that the U.S. allowed older facilities to use a “grandfather” clause in ISA 84, prior to 1996. Europe did not allow this clause, and thus all facilities had to upgrade safety systems to comply with IEC 61511.

 

This laid the foundation for later standards created by both ISA and IEC, including the standards for industrial automation and control systems cybersecurity. In 2010, this new Industrial Automation and Control Systems (IACS) cybersecurity standard, ISA 99, was renumbered as the ANSI/ISA 62443 series. Likewise, in Europe, the IEC worked in parallel to publish IEC 62443, now recognized with ISA as horizontal standards, meaning ISA/IEC 62443 are the same.

 

OSHA stated in 2000 that all safety instrumented systems must follow Recognized and Generally Accepted Good Engineering Practice (RAGAGEP). ISA 84 was considered by OSHA as RAGAGEP, and thus all Process Safety Management (PSM) plans must include functional safety. ISA 84 (now 61511) states that cybersecurity risk must be accounted for. This indirectly means that OSHA requires OT cybersecurity risk assessments, specifically for safety systems.

 

https://www.osha.gov/laws-regs/standardinterpretations/2000-03-23

 

Timeline of Major Standards and Publications

 

  • 1986 – ANSI/ISA 84, Application of Safety Instrumented Systems (SIS) for the Process Industries
  • 1998 – IEC 61511, Functional safety - Safety instrumented systems (SIS) for the process industry sector
  • 2000 – OSHA requirement to follow ANSI/ISA 84
  • 2003 – IEC 61511, Functional safety – ISA and IEC synchronized
  • 2004 – ANSI/ISA 84, Application of Safety Instrumented Systems, Part 1
  • 2009 – ISA 62443-2-1, Established an Industrial Automation and Control Systems Security Program
  • 2013 – ISA/IEC 62443-3-3, System security requirements and security levels
  • 2013 – ISA TR84.00.09-2013, Countermeasures Related to Safety Instrumented Systems (SIS)
  • 2016 – Major update to ISA/IEC 61511 that included safety systems’ cybersecurity risk
  • 2017 – ISA-TR-84.00.09, Cybersecurity Related to the Functional Safety Lifecycle, 2nd Edition
  • 2023 – Major update of ISA-TR-84.00.09, Cybersecurity Related to the Functional Safety Lifecycle

 

 

Safety and Security

With the groundwork laid to create the original ISA 84 and IEC 61511 functional safety standards, cybersecurity was a known risk. The safety standard was thus used as a reference to create the later 62443 series of standards, employing similar vocabulary and methodologies for calculating risk.

 

NIST SP 800-82, Guide to Industrial Control System (ICS) Security, which is specific to control systems and safety systems, is not referenced in the NIST Framework, but ISA/IEC 62443-2-1 and 62443-3-3 are referenced.

 

The safety standards contain little that recognizes the risks around cybersecurity. The only references in IEC 61511 are the following two quoted clauses.

 

  • Clause 8.2.4 – A security risk assessment shall be carried out to identify the security vulnerabilities of the SIS. It shall result in:

    1. A description of the devices covered by this risk assessment (e.g., SIS, BPCS or any other device connected to the SIS)
    2. A description of identified threats that could exploit vulnerabilities and result in security events (including intentional attacks on the hardware, application programs and related software, as well as unintended events resulting from human error)
    3. A description of the potential consequences resulting from the security events and the likelihood of these events occurring
    4. Consideration of various phases such as design, implementation, commissioning, operation, and maintenance
    5. The determination of requirements for additional risk reduction
    6. A description of, or references to information on, the measures taken to reduce or remove the threats.

  • Clause 11.2.12 – The design of the SIS shall be such that it provides the necessary resilience against the identified security risks (see clause 8.2.4).

 

There was heavy pressure from the industry for ISA to provide guidance regarding Operational Technology (OT) cybersecurity as soon as possible. In 2013, ISA published the first edition of the technical report, ISA-TR-84.00.09, to help the industry understand ISA/IEC-62443-2-1 and ISA/IEC-62443-3-3.

 

ISA/IEC-62443-3-2 requires that a detailed cyber risk assessment, which follows the traditional Process Hazard Analysis (PHA) methodology, as described in ISA/IEC-61511, be conducted for Safety Instrumented Systems (SIS).

 

 

2023 Updates to ISA-TR-84.00.09

The intent of every version of ISA-TR-84.00.09 is to secure safety systems. The 2023 version explains in more detail how to use the ISA/IEC-62443 standards together with the functional safety standards of ISA/IEC-61511. The 2023 version was a large undertaking, basically a complete rewrite of the earlier versions.

 

The ISA-TR-84.00.09 technical report provides guidance on how to implement cybersecurity within the IEC-61511 and ISA-84.00.01-2004 lifecycle. As stated in the abstract, the report “provide[s] guidance on integrating the cybersecurity lifecycle with the safety lifecycle as they relate to Safety Controls, Alarms, and Interlocks (SCAI), inclusive of Safety Instrumented Systems (SIS).”

 

The 2023 version of ISA-TR-84.00.09 is 129 pages long, while the 2017 version was only 54 pages. This is a good indicator of how granular the new version has become.

 

Major Additions

 

  • Network topology, reference model (Purdue)
  • Generic RASCI chart
  • Access management
  • Security Protection Ratings (SPR), similar to maturity level
  • Business continuity
  • Project scope development
  • Greater detail on how to perform a cyber risk assessment
  • Vulnerability identification
  • Roles / Training / Competence
  • Zero Trust architecture concept
  • Secure configuration practices
  • Defining cybersecurity alarm and alert responsibilities (SOC)
  • Incident management

 

 

What Does this Mean for Security Teams?

As ISA-TR-84.00.09-2023 is finalized throughout this year, one thing is for certain: OT cybersecurity is going to be a critical component going forward, and organizations need to shore up defenses to keep ahead of potential cyberattacks. The industry is currently split between those actively maturing and those just starting to build OT security programs. This split usually falls along vertical norms. Specifically, utilities and petrochemical firms have matured but must be more formalized to be compliant. Less mature verticals like the food and beverage, manufacturing and logistics industries have largely not focused on fundamentals and will have a large lift to secure these systems. These firms have relied on the air gap (keeping facilities offline) to protect SIS systems and will have to migrate quickly.

 

Optimistically, there will be an advancement in funding as cyber and safety are connected. Historically, enhancing cybersecurity was an isolated and non-essential budget item. Connecting cybersecurity to safety will tap into a separate - and larger - funding source.

 


John Powell
Principal Consultant, Optiv IoT & ICS Security | Optiv
John Powell has over 35 years of industrial automation experience in the industrial chemical, refining, gas fields, pipeline, and water utilities sectors. He has also spent six years in the public sector with the Department of Energy (DoE) at two national labs assigned to U.S. Nuclear Security.

He was responsible for the development and execution of cyber security and functional safety risk-based gap assessments. He is an expert in OT cyber security policy and procedure creation based on the NIST Risk Management Framework (RMF) and IEC 62443.

Prior to Optiv, Powell was a Control Systems Subject Matter Expert (SME) for the DOE and an OT Cyber and Process Safety SME for the largest construction company in America. His responsibilities included engineering management and execution of large projects up to $10B. He has been a Tiger Team Lead and a Six Sigma Champion.
