Industrial security is particularly difficult to implement, because there's a divide between securing processes, machines, etc., and securing IT assets. Now there's a standard that combines the two and defines key requirements for security.
A new ISA99 cyber-security standard defines the key requirements for secure industrial control systems. The newest standard in the ISA99 series is ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels.
The goal of the standard is to create a flexible framework to address and mitigate current and future industrial automation and control-system vulnerabilities. The effort goes further than before to combine the typical focus on such assets as control systems, production, operations, and time-critical system response with IT’s information-protection role. These two efforts often conflict in both the definition and the implementation of security.
The ISA99 standards committee addresses this divide by combining functional requirements, risk assessment, and operational awareness. Because the standard is applicable to multiple industry segments, it has a broad reach. Not only does it cover typical and obvious industrial and manufacturing systems and plants, it also includes hardware and software systems, networked electronic sensing, monitoring systems, and diagnostic systems, as well as human, machine, and network interfaces used for control and safety.
The standard was approved on August 13, 2013. To access it, readers must select 62443 from the drop-down menu. The International Electrotechnical Commission (IEC) will publish an identical version later in 2013.