ISA Setting the Standard for Automation ™ Automation Standards Compliance Institute ISA Security Compliance Institute (ISCI) Prepared by: Andre Ristaino,

Presentation transcript:

ISA Setting the Standard for Automation ™ Automation Standards Compliance Institute ISA Security Compliance Institute (ISCI) Prepared by: Andre Ristaino, ASCI Managing Director

2 ASCI Facts
• ISA-facilitated non-profit organizational entity that assesses automation-related standards compliance
• Provides a vital link between ISA’s unbiased standards and the implementation of those standards
• Also facilitates assessing conformity of other organization standards
• Governed by a Board of Directors of senior ISA industry leaders
• Managed by full-time professional staff
• Managing Director: Andre Ristaino

3 ASCI Philosophy and Approach
• ASCI was founded with a market-centric philosophy for establishing and managing certification programs.
• ASCI is empowered to sponsor “Interest Groups” for governing ASCI certification programs.

4 ASCI Benefits
• Sponsored by ISA, a stable long-term entity that transcends individuals, products, and companies and provides the corporate memory for the compliance program
• Corporate non-profit entity in place for ASCI, including bylaws, governance, funding, full-time management
• No vendor/user bias, superior mobility for navigating issues
• Access to technical subject matter experts, partners, consultants via membership rolls
• Historical knowledge of standards and standards process
• Full-time staff dedicated to operationalizing compliance initiatives
• Access to ISA ‘risk’ dollars during Interest Group startups ensures that funding issues don’t become an inhibitor
• Web-based infrastructure for supporting collaboration

5 ISA Security Compliance Institute
ISCI is sponsored as an ASCI Interest Group to lead Control Systems Security Certification initiatives.

6 ISCI Program Overview
Mission Statement
“The organization’s mission is to decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders to:
• Facilitate the independent testing and certification of control system products to a defined set of control system security standards;
• Use existing control system security industry standards, where available, develop or facilitate development of interim standards where they don’t already exist, and adopt new standards when they become available;
• Accelerate the development of industry standards that can be used to certify that control systems products meet a common set of security requirements.
The standards, tests, and conformance processes for control systems products will allow the products to be securely integrated. An ultimate goal is to push the conformance testing into the product development life cycle so that the products are intrinsically secure.”

7 ISASecure Designation
• Trademarked designation that provides instant recognition of product security characteristics and capabilities.
• Industry stamp of approval.

8 ISCI Benefits to Asset Owners
For asset owners, a well designed and managed product security certification process results in reduced costs and time commitment in product selection and deployment. Key benefits include:
• Certification saves time and costs for validation and verification of security capabilities.
• Certification provides assurances that products are more secure ‘out of the box’, leading to improved process reliability and safety.
• The security certification stamp provides instant recognition of product characteristics and capabilities.
• Asset owners are able to specify and successfully procure compliant products that interoperate.
• Certification can mitigate government security compliance regulation with full industry participation.
• Organizations are positioned favorably for insurance requirements that may be emerging for security compliance levels.
• The same kind of assurance “stamp” that exists for safety will exist.
• The program leverages industry capabilities for reduced overall cost of delivery.

9 ISCI Benefits to Suppliers and Integrators
For suppliers and integrators, the certification process provides a single compliance framework and an industry stamp of approval, resulting in faster time to market and lower development and integration costs. Key benefits include:
• Suppliers are able to make and substantiate clear claims of compliance to a consensus open, industry standard.
• Certification responds to a common need for a shared security vision to be executed by suppliers, asset owners, and consultants. This helps suppliers build what users want.
• The program provides security requirements guidance from industry to suppliers based on testing standards.
• The program addresses the security characteristics of the product that allow it to be integrated into a larger system.

10 ISCI Benefits to Standards Bodies & Government Agencies
For the standards bodies and government agencies developing industrial security specifications, the result will be better, field-tested standards that are clearly being followed by industry.

11 Technical Scope of ISCI
Strategically, the technical scope of the program extends from the device level to the gateways (Level 0 to Level 3 plus the gateway interface between Level 3 and Level 4) as reflected by this ISA99 reference model.
• ISA Security Compliance Institute compliance requirements development and testing will be deployed in phases starting with the following devices in priority sequence:
  • Wired IP network devices
  • Wireless IP network devices
  • Windows-based devices
• Commencing with the second year of operations, the ISA Security Compliance Institute compliance profiles will be expanded based on tactical (near term) and strategic (long term) compliance topics established by the ISCI Governing Board and Technical Steering Committee.

12 ISA99 Reference Model

13 Compliance Testing Process
[Flow diagram; box labels: ISA 99 Standards; Other Relevant Standards; Develop Profiles and test specifications; Feedback gaps, clarifications; Standards Organizations; Pass Test; Add to Certified Catalog; Fail Test; Feed back to Supplier]

14 ISCI Rollout Phases and Estimated Timeframes
[Timeline chart; timing columns: Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3]
Phases:
1 Formation
2 Definition of Technical Direction, Scope, and Approach of Certification Program
3 Identification and Development of Standards and Profiles
4 Definition of Certification Program
5 Implementation of Certification Program
6 Operation of the Certification Program - Begins at Launch in Q
7 Ongoing Operation of ISCI
8 Evolution of ISCI – Starts Q
9 ISASecure in Procurement Requirements – Starts Q2 2010

15 ISCI Status and Next Steps
• Status
  • May 2007: Initial Leaders elected to move forward
  • June 2007: ISCI Membership prospectus and web presence completed
• Next Steps
  • June-July 31, 2007
    • Open ISCI formal membership enrollment to new members via prospectus and offering on ISCI web site
  • September-December 2007
    • September 1, 2007: close date for Founding Strategic Membership
    • Establish Governing Board
    • Establish Technical Steering Committee
    • Establish working groups and start certification requirements definition

Contact Information
Andre Ristaino - Managing Director, ASCI