ISA 99—emerging standards for automation security

A new report looks into plant and process cyber security and explains a new security standard.

The Instrument Society of America (ISA) is in the process of drafting its ISA99 series of standards for cyber security of industrial automation and control systems. Part 1, terminology, concepts and models, was published late last year and will shortly be joined by Part 2, control system security.


ISA kindly provided Oil IT Journal with a copy of a new report on the ISA99 standard. The 100-page report ($115 from describes cyber security technologies, their pros and cons, expected threats and known cyber vulnerabilities. The report provides preliminary recommendations and guidance for cyber security deployment and countermeasures.


Industrial automation and control systems (IACS) include control systems used in refineries and geographically dispersed operations such as utilities, pipelines and petroleum production and distribution facilities. In the IACS context, security means the prevention of unwanted penetration, interference with operations, and access to confidential information. The standard covers computers, networks, operating systems and applications.


The report tracks the evolution of IACS from individual, isolated computers with proprietary operating systems and networks to interconnected systems and applications employing commercial off-the-shelf (COTS) operating systems and protocols. These are now being integrated with enterprise systems and other business applications. While increased integration has brought significant benefits in terms of information visibility, the COTS approach exposes these systems to the same software attacks that affect business and desktop devices.

Outsource partners

Also, joint ventures, alliance partners, and outsourced services have increased the number of organizations and groups contributing to the security of the industrial automation and control system, making the situation more complex. Conventional business information security focuses on the objectives of confidentiality, integrity and availability (CIA). But for IACS, priorities differ. Here security is primarily concerned with maintaining the availability of all system components and keeping the plant running—with emphasis on real-time control. The CIA model is inadequate for a full understanding of the requirements for security in industrial automation and control systems. Here the ISA report advocates ‘defense in depth,’ with multiple countermeasures so that, for example, intrusion detection is deployed to signal the penetration of a firewall**.


The report discusses securing data historians, operating platforms, Distributed Control Systems, Programmable Logic Controllers, SCADA systems and conventional control system IT. ISA99 has backing from a veritable who’s who of oil and service companies—to name a few: ExxonMobil, BP, Chevron, Shell and Aramco, along with pretty well all of the process engineering supplier community. More from

* ANSI/ISA-TR99.00.01-2007 Security Technologies for Industrial Automation and Control Systems.

** For more on defense in depth and ‘deperimeterization’ we recommend The Data Room’s Technology Watch report from the 2005 SPE Digital Security in Oil and Gas event—now a free download from


© Oil IT Journal - all rights reserved.