ISA Cybersecurity Standards in Smart Cities: ARC Smart City Podcast

By Larry O'Brien

Industry Trends

The world of smart cities and intelligent buildings has yet to rally around a single cybersecurity standard, especially at the operational level.  Meanwhile, cyber-risk remains a real threat to the world of smart cities and buildings, with more and more products and systems becoming IoT-enabled every day.  ARC believes that the ISA/IEC 62443 standard, which is also an international IEC (International Electrotechnical Commission) and US ANSI standard for cybersecurity in industrial environments, should be adopted by the smart cities and buildings sector.  ISA Cybersecurity Standards are a ready-made fit for the smart cities and buildings sectors.  Unfortunately, the language of standards can be complex and many end-users and owner/operators may feel stymied by how to implement or follow standards. 

ISA Cybersecurity Standards

In this latest installment of the ARC Smart Cities Podcast, we speak with Andre Ristaino of ISA about how the organization is addressing the issue of cybersecurity in smart buildings and cities, from certifying products and applications to the formation of the ISA Global Cybersecurity Alliance (ISAGCA), which is a new end user-focused organization designed to demystify the comprehensive 62443 standard and its implementation in real-world operational environments.  Several of the founding members of ISAGCA are from the building automation sector.  Andre provides a comprehensive view of what ISA is doing for cybersecurity in the smart cities and buildings sectors and points out some great resources.  


Larry O'Brien:    Hi everybody, and welcome to the latest installment of the ARC smart cities podcast. I'm Larry O'Brien vice president of research at the ARC advisory group. And with me today are Jim Frazer. Good morning, Jim. Go ahead and introduce yourself briefly and then we'll introduce our guests today.

Jim Frazer:    Sure. I'm Jim Frazer. I'm the vice president of the smart cities practice here at ARC. And, we're very happy to have, Andre Ristaino with us today

Larry O'Brien    Today we have with us, Mr. Andre Ristaino a managing director, at ISA, the International Society for Automation and good morning, Andre.

Andre Ristaino:    Good morning. Thank you.


What is ISA?

Larry O'Brien    Andre, we have some people on the line that are in smart cities, obviously, right? So there probably may not be familiar with ISA. So can you tell us a little bit about you and a little bit about the ISA.

Andre Ristaino:  ISA is an international society of automation. It's a professional engineering society and it has around 40,000 members. And, it's lot in life is to support, continuing education and sharpening the saw for its professional engineers. We do conferences, publications. We have a refereed, journal in technology. It comes out six times a year. Now. Many, many more publications that come out more frequently. And, ISA is also an ANSI accredited standards development organization. It's been around since 1945 and it's published more than 150 standards. Many of those standards are North American ANSI standards and typically they're submitted to the international electro technical commission IEC for internationalization. And so standards such as safety, wireless, and many, many, many standards related to, business processes for, particularly process industries.


Does the ISA have Cybersecurity Standards?

Andre Ristaino:    And most recent standard is ISA IEC 624443, which is a series of 15 standards addressing cybersecurity for, operational technology and where operational technology interfaces with what we recognize as traditional IT. So my specific role is, I was hired in 2007 to stand up a conformity assessment to do assessments and issue certificates of conformance for company operations or products to standards, maybe, development processes. and so, that's what I'm doing. I have two of those stood up now. Recently we stood up an organization called the Global Cybersecurity Alliance and this was in response to that big challenge that we have on a global basis, in securing automation that affects their everyday lives. So that's kind of the nickel tour about ISA and myself.

Larry O'Brien    Yeah. And like I said, I think a lot of people might not be aware of ISA particularly if you're in the smart cities segment. I know a lot of people in building automation might be aware of it.


Details of the ISA 62443 Cybersecurity Standard

Larry O'Brien:   But ISA 62443 really is a far-reaching standard. And, like you said, it covers a lot of things from secure development processes from your vendors to things like product certifications through ISA Secure and so forth. Can you give us a brief outline of what ISA 62443 is comprised of, because you said it's multiple standards - and I know a part of the reason that GCA was formed, this Global Cybersecurity Alliance is that standards can be complex and I think the quote was standards aren't really written for the people that actually use them. Right. so maybe we could just get a sort of plain English description of the domains the ISA 62443 covers and how that feeds into this Global Cybersecurity Alliance and trying to educate people about the importance of standards and, and what standards really mean to them.

Andre Ristaino:    Sure, sure. I'd be happy to. So, I guess the starting off position is that the value in the standards is that they codify hundreds, if not thousands of years of subject matter expertise in a particular area. It's like going to college. You have textbooks and they have all this factual information, so you don't have to go out and in your life and bang your head against the wall and flatten it to gain the experience and get good at some particular area. So the standards, tell you what are the right things to do, what are the right policies to address, that kind of thing. And then, the next step is for folks implementing the standards to take the "what's" and turn it into the "how's" and the "when's" and that sort of thing. So the ISA 62443 standards were initiated in 2005.


ISA 62443 Addresses the Entire Project Lifecycle

Andre Ristaino:    Organized in 15 documents. It's about 900 pages and they're organized into four broad areas. The first area establishes the context, the models, lexicons and the structure, the words, so that if you're sitting down and talking, cybersecurity, the same words mean the same thing to each of the people sitting around the table. I find that one of the most difficult challenges when I'm having discussions about cybersecurity is that, nobody starts a conversation by saying, where they are in the life cycle of a system. And so that's one of the important things that these standards do. I haven't seen it with any others where it views, the automation and control systems from a lifecycle perspective. And there's three broad areas. In the front end, there's the product suppliers who, construct, components and, subsystems that are off the shelf, pieces that are then cobbled together into a site solution, typically by integrators or maybe by a major supplier, but they're turning it into a site solution.

Andre Ristaino:   And then those, site solutions are deployed jointly with, the asset owner or facility owners and, handed off for operations, maintenance, throughout its useful life, and then on to retirement. So when you talk about cybersecurity, you gotta know where you are. If we're talking about putting security capabilities in the, off the shelf products, then that audience and stakeholder group is the product suppliers. If you're talking about, assembling them into a site solution, it's typically the integrators and what their integration practices are and best practices, that sort of thing. And then if you're talking about, operating a secure site or facility, then the stakeholder is a combination of the end-user and the integrator who deployed this, system and then anybody else who's involved in day to day maintenance of this.

Andre Ristaino:  So that's key. So, circling back to the structure of the standards. So there's the model, the lexicons then general terminology and there's another layer of the standards, that address, all the topics that are relevant to a facility owner or asset owner, establishing a security management plan, maintaining your systems, patching, working your working relationship with your service providers who are the integrators and maybe maintenance people and the like. Then the next layer of the standards addresses security capabilities and requirements for a system and a system is typically an integrated application. Then the next layer of the standards address security capabilities for components that go into the systems. So that would be embedded devices, software applications, network devices like routers, et cetera,

Larry O'Brien:    It really is a comprehensive standard. I think that's what's good about it. And it is a life cycle standard that addresses each aspect of the life cycle of a system. And that doesn't matter if it's a building automation system, right, or, even a smart lighting system or what have you. So I think that's what's unique about it. And also that, like you said, there, there's been a lot of work put into this. This is not a new standard this is many, many years of work that had been established by a lot of people who are leaders in their respective industries.

Larry O'Brien    So definitely something worth considering.

Andre Ristaino:   Yeah. so, and, and the standards, they come up for review and improvement, every five years. So there are a couple of those, documents that have been opened up and based on what's been learned in the last 10 years, there are some really excellent improvements to it, but a little bit more about their applicability. So, the International Society of Automation is, has a large population of automation engineers in it. So if you look at the language in the standards, a lot of it seems, reflects the folks who were on the standards committee and you see a lot of process and industry language in there. However, the standards were deliberately written as a technology horizontal. And, so for that reason, they are applicable to many different industry sectors, building automation. You could look, there's there being applied to medical devices.


ISA 62443 Addresses a Broad Variety of Applications

Andre Ristaino:   I've had inquiries, in the automotive sector, the energy sector, telecom, electric generation distribution, et cetera. So there's a lot of different sectors. So you can see that we've got these standards, you don't want them to be shelfware. So, what are the activities needed to take these wonderful documents and get them from the shelf to implementation where people can use them on Monday morning when they come to work. And so, that cries out for, education, other types of derivative work products, training, education tools, techniques, work methods to deploy these standards and also certification programs, conformity assessment our products being constructed and, and, offered to the market that are conforming to the standard.

Andre Ristaino:    The conformance to the standards for products reduces the risk to a lower likelihood that you're going to have a cybersecurity event. and, then you go down, go all the way out to the asset owner, the facility operator. They are standards that, if implemented properly, operations will be more secure and addresses their security programs, maturity level of, their policies and procedures, procurement practices, their maintenance and update practices, et cetera. So, that's, that's, we've done some of that with the security compliance Institute and the ISA Secure program. We're certifying products. We're going to move that program into certifying the integrators and then the facilities themselves. But again, the enabler is the glue is bridging that gap between the published standard and implementation. And so that's what the Global Cybersecurity Alliance's mission is.

Andre Ristaino:    So if you look at various, organizations within ISA, you have like Automation Federation that runs logic. That's that oil and gas and cybersecurity. They mainly do R&D related to control systems. Then that's fed back into different areas. ISA Secure focuses on certification and ISA, the, main, ISA organization publishes standards and manages the standards committees and, does training and education. And so the GCA, its objective is to scale this up, do it on a larger basis. So have multiple companies contributing and address sector-specific issues like, how-to guides and usage guides for securely deploying technology and the building management or smart cities space. And, another, series of documents were developed on medical devices, how to apply the ISA 62443 standards for securing medical devices. And you can just go on down the line.

Larry O'Brien:    Oh yeah. Other issues related to native cybersecurity and medical devices. I said, that's so great. If you read the, the news and so forth, there's always new vulnerabilities being exposed. And the practice of the industry I don't think is up to par either. So there's a lot work that needs to be done,

Larry O'Brien:   I think across the board, whether it's medical or building automation or facilities management or what have you. There's a lot of work that needs to be done.


ISA 62443 Education and Training

Jim Frazer:    Andre, you quickly covered a couple of different areas, the standard education and training and then certification. Can you just quickly go through what assets are available today and how does someone who's interested in a domain actually source them? So, where do you get the standard number one? And number two what a training and education materials or courses are available today and which ones are forecasted for the future, as well as maybe a little bit more about the certification programs for devices and for integrators themselves.

Andre Ristaino:   Right, right. So generalized cybersecurity training, is available from the Sans Institute. They do a great organization. They do a great job. They're more specific to the ISA 62443 standards, ISA, has four or five, training classes that address the standards specifically. And they also issue certificates to personnel who, take the classes and pass the test at the end. It's not a certification like a professional designation. Its a certificate program that says you've taken the class and you understand that body of knowledge you just took. , You can go to the website where there's a lot of free material. You can download their training classes. There's books and materials also. ISA has a big publication, operation as well.

Andre Ristaino:    And, so that's the source for that. I think what's going to happen is these certificate programs are going to evolve into certifications. One of the things that I'm asked frequently is, so we have a product certification scheme. ISA Secure and, product suppliers go, OK, that's great. Do you have a class that, tells us how to use the standards for securing products? And we didn't have that.

Larry O'Brien   This is a class that vendors can take to make sure that their products can be certified. Right,

Andre Ristaino:   Right.


What is ISA Secure Certification?

Larry O'Brien:  Can you tell us about ISA Secure certification? for those that might not know because, I tell you, I see a lot of products out there in the world of smart cities, but there is, there aren't a lot of products that have any kind of indication that they've been quote-unquote cybersecurity tested. Right. There's very little mention of that out there in the world of smart cities. So maybe you could tell us a little bit about this product certification program and what that means and why that means that products are secure.

Andre Ristaino:   Yeah, so in the building industry, most people are familiar with UL standards and UL has traditionally addressed safety issues, like, capacities for, transmitting electricity without things getting hot and catching on fire and other sorts of things like that. So they have a big footprint there. And the industry in general and technology is always focused on, and this is all industries - functionality. I want a product to do new things. Nobody asks these suppliers about cybersecurity. And so it's just recently that this is bubbled up and, and everybody's scrambling. What's the right thing to do - cybersecurity's always been viewed as kind of like this black art the guy with the hoodie and, and secret sauce. And, so what the standard and our certification scheme are attempting to do is elevating cybersecurity from a black art to an engineering discipline.

Andre Ristaino:    And so the ISA 62443 standards, we use the 4-1, which is a development process, a standard, it looks at a development life, product development life cycle and, and addresses, eight practice areas to ensure that they're being used by suppliers, for securing products. If the suppliers are doing that, there is a pretty good probability, that their products are going to be more secure. They're never 100%, but, it takes you in the right direction and, it's standards-based. So, there's a level playing field. so there's the 4-1 standard. There's a 4-2 standard, which addresses security capabilities like two-factor log-ons, just functional security capabilities. And so this ISA Secure certification is an assessment of products and ensures that (a) it's under configuration control. It's addressing the 4-1 security development lifecycle requirements and B, that it assesses and confirms the security capabilities.

Andre Ristaino:  There are four levels of security, one through four, four being, this sophistication level of a nation-state level, one being just inadvertent things like self-inflicted wounds putting a contaminated USB stick in a device, that kind of thing. And then the other, the other dimension is the actual product testing. Most of the time when you talk about certifying a product, people have this vision of testing like what UL does turning up the heat until something burns or breaks. Right? And so, so the testing is, tells you something, but it's just a point in time like crash testing and it's first specific model and version and that sort of thing. So, but yeah, those are three dimensions. The assessment of the product security capabilities, the actual testing, and then, confirming that the product was developed under a secure development life cycle. So, yeah, so that's it.

Jim Frazer:     Andre you mentioned eight parameters or functional evaluation areas. Are those the three of the eight?

Andre Ristaino:    So if you looking at the security development lifecycle and I don't have all eight of the practice areas for the security development lifecycle memorized, but it addresses, the area of a secure architecture for a product. So, we would expect to see that as products developed. There's a security architecture evaluation review and design, so secure by design and then secure development and secure coding practices which is way down in the details. And then there's testing. And so there we expect to see, I think it's six categories of testing like communication, robustness testing, static or binary code analysis, storm broadcast storms, flood testing for like denial of service. And there's some other categories of testing. And then probably most important, and you don't see this with other standards, is incident response plans, communication plans, patch management plans, and so those are many of the dimensions of the practice areas that the auditors will expect to see. And they look for artifacts at these companies to ensure that, if they've declared that they had, they're conforming to these practice areas, they'll go down and look at the testing artifacts and other artifacts to confirm that they're actually following them.

Larry O'Brien  That's pretty comprehensive.

Andre Ristaino:   Yeah. So they defined software or products to characteristics so that you can do updates to a product which might be a patching of a bug, bug fixes. And then there's upgrades, which is typically something like a major release with new functionality. And so the way our program is set up is that it's assumed and confirmed that the products are under configuration control and that they have a patch management patch release and notification process. So, the end users said, yeah, we've been living with this for a long time. so if we're getting updates and patches, we can manage that. And so there's no requirement for recertification as those patches come out. But if there's a major upgrade, that means there's new functionality, well, that's a different attack surface. So, we have this maintenance certification policy that says if there's an upgrade, you have to do a reassessment of the product. It may be a partial, but not the whole thing. But if they're patches and updates, you don't have to do a reassessment. And so that makes it economically efficient for the supplier, so that they can kind of parse what, additional work they have to do to keep their certification.

Larry O'Brien    So for our end users out there in the smart cities and building automation community, has ISA Secure started to certify products in that sector as well. and, and what's out there and what's going on as far as that.

Andre Ristaino:    So, so we have pretty good, recognition in, where we started in a traditional process, industry, oil and gas, chemicals, et cetera. And in 2016, we did a study with companies that sell and support building management products. Johnson Controls, Siemens, Schneider Electric, Honeywell. There were some others and we included some end-users in the study. And our objective was we're just very conservative about saying our program ISA Secure works for anything without having, subject matter experts in that industry, do the reviews and confirm it. And that's what we did. And so as a result of that, there was a big pickup in interest from the building management suppliers space. And, we added, in addition to Honeywell, Honeywell Process systems were members and supporters and they're having product certified Schneider electric, same thing.

Andre Ristaino:    But both of those organizations have other divisions with the building management systems. And so what they ended up doing was taking what they learned from their process industry certification programs, and they had to implement their own internal, security development, life cycle processes. And get those audited. But what they did was they took what they learned in there and they transferred it like a with Honeywell to their, building technology group. And, they did it for pennies on the dollar. A lot of the same technology that's used in process industries - embedded devices, some software, other types of products go into building control products. A control system is a control system. And in the end, maybe the application interface might be slightly different, but it's the same.

Andre Ristaino:  So that's why I emphasize that the standards are designed as a technology, horizontal and applicable to a lot of sectors. So they started, they had it there. Johnson controls did an evaluation of standards and certifications. It's available for their products because they're not small, they're 30 billion a year, all building controls, services, whatever products. And, they do all the building systems for the Pentagon for instance. And so, and they do a lot of work, with the DOD and federal government as do the other ones. And so they have the DOD and federal government requirements as well. And so they are seeking a way to secure their systems standards-based that are applicable to the private sector and to the DOD and federal government in the USA. And these guys sell products globally too. So you're looking at the EU and Japan, et cetera. So that's another whole conversation.

Jim Frazer:  Andre, it's interesting that it's interesting that the standard really is application-agnostic because in our smart city domain we tend to think of a smart city is having nine verticals. And I'll just list these because I think, the standard applies to every single one that, so one is buildings and building automation, energy infrastructure, telecommunications and backhaul infrastructure, transportation and mobility, health and human services and all, all that, medical equipment, water and wastewater, infrastructure, waste management, public safety, police body cams and all of that. And payments and finance. I could see where the standard touches all nine of those major smart city verticals.

Andre Ristaino:  Pretty close. Yeah. The one area that we always beg off on is like a financial sector. They kind of got into the cybersecurity game early on and have a lot of things that, that do well, but there are some dimensions of where this could be applicable, but for sure you look at buildings, energy, telecom, transportation, hospitals, medical devices, water, and wastewater - at least half of those are our sweet spot for ISA. So we've gotten interest from, lighting manufacturers like Philips and there's an organization called, Design Lighting Corporation that does functional testing for, energy efficiency. But a lot of these organizations that serve these sectors that you're describing had functional specifications that they do certifications too, but they were missing the cybersecurity piece.

Andre Ristaino:   This is all new and everybody's scrambling. And so it's, it's a great, that ISA 62443 can work for most of them. They don't need to reinvent it. they can include a reference to ISA 62443, and getting ISA 62443 certified as part of their product certification. So, yeah, this is good. Our biggest issue is, just going to market and letting people know that this exists so they don't go out and try to rewrite it on their own. Yeah. Yeah. I don't think that would be effort. Well spent trying to rewrite a standard, that basically already existed is very comprehensive.

Jim Frazer:     At ARC as well as myself personally are very active with the Illuminating Engineering Society as we all know that, lights are becoming nodes on the IoT network in buildings outside of buildings and everywhere. and certainly, there's a great need there for cybersecurity. They're woefully lacking in that regard.

Andre Ristaino:    Yup. I can see applications there. Yeah. And there's no bad guys there. It's just that a nobody to ask for it or there wasn't a perceived need for it years ago. And so it takes five or 10 years to turn the underlying technology around in a product category. So, but yeah, there's a lot of companies they're doing a lot with the lights and light fixtures Sylvania Osram go down the list. I've talked to a lot of these companies. My biggest challenge personally was working predominantly with ISA Secure and our budgets were oriented towards building certification schemes and, enhancing those. We had a small budget for marketing and so we were getting constant calls from our members to address other things like legislation. And so I've been up to DC and presented to FERC and been in Europe I did a joint study with the EU for certification scheme there.

Andre Ristaino:  And the supplier's big concern is they want to do the right things, but they want to do it standardized and if they have a certification, they want that certificate of conformance to be recognized in the EU and the US, with the US DOD, the feds and Japan, et cetera. So that's another one for the global cybersecurity Alliance. We're not a lobbying organization, but what we want to do is be an active participant and ombudsman and who try to stitch these groups together to, keep them, to harmonize these requirements and certification schemes.


ISA's Global Cybersecurity Alliance

Jim Frazer:    Andre, can you, I don't know if we went in-depth on the Global Cybersecurity Alliance. How was it founded? How many members are there? how does, how does one get involved?

Andre Ristaino:   So, I would say probably for about the last three years, members of the security compliance Institute, poked at me and said, Hey, there were a lot of things that ISA should be doing. And, you could do more. You're the perfect place. You're an independent, not for profit. you don't have an ax to grind, so you could be the place to organize. And so, why don't you guys go do this thing? And I was thinking myopically about ISA Secure. I'm like, well, we don't have much of a budget. You guys are billion-dollar companies we need you all to help do this. So finally there was some discussion and one of the suppliers pushed hard and said, look, let's, let's start a new Alliance then and, and put bigger money into it.

Andre Ristaino:    And so, that was discussed. And then internally at ISA, we, we looked at it and I became involved because I'm running the consortia and we stood, okay, we think we can stand this up. And, the timing is good for it and there's an appetite. So, we put together a structure and the usual PowerPoints and talked to a number of suppliers and everybody was really positive as so we said, okay, we're gonna run with this. And, so a few weeks later we made an announcement. There were a number of suppliers who were early thought leaders that, thought it was a good idea. And so we worked with them and, they helped shape what this thing looks like. And, so the early adopters, if you will, are Honeywell, Johnson Controls, Rockwell Automation, Schneider Electric, major suppliers, and then a couple of cybersecurity technology suppliers. And, so that was the kickoff. And so we announced it and, we're actively recruitingL and we're having continued success periodically. Maybe once a month we'll announce new members, but it's a who's who.

Larry O'Brien  The membership has not been restricted to just vendors, right? Andre?

Andre Ristaino:  No so we recognized early that, having a balanced representation of stakeholder groups was important. So, we talked to the suppliers first. and we're talking to end-users now. Obviously I'm gonna go back and talk. I've already presented this to some of the big oil companies that are our ISA Secure members and there's genuine interest and just to demonstrate how much interest there is. So for instance, our board members with a ISA secure paying $50,000 a year as a board-level member and a Global Cybersecurity Alliance, the top-level founding members, they're going to commit to $500,000 over a three year period. So like 250,000 the first year in 125,000 each year thereafter for forever, for as long as we exist.

Andre Ristaino:    And a lot of them are paying both. And, at first I was surprised. Then I stepped back and looked at it. I said, well people don't just spend money like that. If they don't think they're getting value. So, the fact that companies are signing up for both of these things, that's a validation that there's some value in this and that they feel good about the money spent. And so, to become a member or anybody can become a member. We're mainly looking for companies. We're not looking for individual members like ISA, that's an individual membership society. And so, we're looking for companies who can provide funding and resources obviously, and, we're going to continue to recruit. So the big stakeholder groups that we look for is, the suppliers and users and asset owners facility owners, and, technology providers in cybersecurity.

Andre Ristaino:  And then the mainstream, IT providers cause they're part of this whole puzzle too. So you look at the IBMs, the Microsofts, the Googles. If You go to a process industry, you don't see a control system that's not using either a Linux or a Microsoft workstation.Right. And so the Ciscos and networking component providers. So everybody that's in the value chain, whether you're a supplier or an integrator, that's the other group, the integrators,. The consultants, cities that are doing, consulting and assessments and that sort of thing. And, the other group that we're extremely interested in are insurance companies, they've been struggling to find objective underwriting standards, for a number of years now.

Andre Ristaino:   I mean, four, three, four years ago I was part of a DHS committee, CIDAWG. Yeah. They have a good acronyms. And so they were trying to cobble together a big giant database that they could query to, do some analytics on, insurance underwriting, like, people, process and technology, which is most important, et cetera. And so I participated for a while, but, I also have a background in IT, I asked them specific questions, are you trying to answer? Because if you don't know what they are, you can put a database together that can't be queried to answer the questions that you want. And they didn't really know. So I kinda just faded out of it cause I didn't see that their approach was broken and their hearts were in the right place, but the approach wasn't.

Andre Ristaino:   And so, but that's a problem that we want to solve. But if you have standards, if you can certify it to a standard, then that means you can measure and you start out with maybe some imperfect measures, but this whole thing's going to take the same trajectory as, the safety world. when safety standards first came out, people were like, Oh, no, safety is squishy. You can't codify it. You can't measure it. Well, today there are mathematical formulas. Right. Right. And, so we are trying to move this whole cybersecurity thing from black art into an engineering discipline.

Larry O'Brien  Yeah. Something that's measurable and improved.

Jim Frazer:    Andre, I'm impressed that, that it's not just a vendor-driven initiative that you do have your balanced stakeholder communities.

Andre Ristaino:   We have a lot of people who have their fingers in the pie and, push this thing along and there's, it's not me. there were a lot of really, really good people that are, rolling up their sleeves and, making some things happen. So that's good to hear. Yeah.

Larry O'Brien    So, Andre, if I'm an end-user owner-operator, where do I go? what are some of the resources? How do I get started? maybe give us a brief list of places we can go to find out more on GCA, a GCA on ISA secure, and just ISA.


How to Learn More About ISA 62443

Andre Ristaino:    If anybody wants to know what's available, they can they just send me an email. and I'll personally take care of, direct them on to the resources depending on what their immediate question is. There's always an immediate question, then there's the rest of it, right. And so I'll try to answer the immediate question and then give a briefing on what else is available. ISA offers training and education and books. So if you go to you can see what resources are available off that website. And that also has links to the ISA website. If you have companies that are only interested in certification ISA, a company's interested in the GCA, they can contact me directly and I'll send them the prospectus and the membership application and we will set up a teleconference to brief them and their teams on what we're doing and how they can participate. 'Cause there's something for everybody in the GCA. It can be technical, you can do white papers participate in and government and regulatory dimension of it, which I think is extremely important. There's still so many ways to participate, okay.


Larry O'Brien How would we get in touch with you, Audre? You said we could get in touch with you

Andre Ristaino:   that, feel free to share all my contact information, my email address: My office phone number is area code (919) 990-9222. Okay. So hopefully you get a ton of phone calls after this podcast. I really think this is this been a great interview. We really want to try and raise awareness of what ISA is doing especially through the GCA and a lot of the resources that you already have out there as far as certification and training and everything else. We're kinda getting near the end. Is there anything else we want to cover here before we sort of wrap things up?


NEMA and the ISA Working on Cybersecurity

Andre Ristaino: We're doing a lot of stuff. A new project is, I'm working with the National Electrical Manufacturers Association, NEMA, and, we were prompted by the US Department of Defense to stand up, an industry-led certification scheme for facilities. And that would be commercial office buildings. it can be military bases, fuel depots go down the list, right. This is not DOD sponsored. It's DOD inspired. They published a set of what they called unified facility controls, which are their cybersecurity standards. And it's used by the DOD and federal office buildings. And, so all the federal properties need to comply with it. Well, they did the math.


Andre Ristaino:   The feds, the US government DOD owns $1 trillion of real estate, more than 500,000 buildings. And I don't know how many millions and millions of square feet of space. And they said, okay, all that needs to be secured. We've got our rules, but we didn't get funded for an audit function. They have no way to audit. So it's like IRS rules without the IRS to enforce it, right? So they said, well, what do we do? And so they wanted something industry led and the industry wants it. I've been at multiple meetings and all the suppliers are saying, line up this certification scheme for facilities, for building management systems at these facilities was ISA 62443 - We spent 10 years investing in them and they're good. Let's go with that. And so we're working on that. All the suppliers are on board and we're putting together a presentation for commercial and corporate real estate owners like CB Richard Ellis, Wells Fargo, Boston properties go down the list.

Andre Ristaino:  And so we're gonna tee up that group and we're going to present it and, see what their level of interest is. And, if they're, if they say, yeah, this makes sense, then we're going to stand this up like the LEED program. And so it'll be industry led and if it's successful and the industry gets on board with it, overtime, if you fast forward 10 years from now, likely it'll end up being a reference certification - similar to LEED program certifications now that you have County and municipalities putting LEED required requirements, which is a private certification into their regular, into their procurement specs. Right. And so that's where this could land. That's, that's where they would like to see Atlanta. And then the federal government and the DOD would say, look, just go with this ISA 62443 building management system, certification scheme. And so that's, that's new. That sounds real. Needless to say, I'm busier and busier in a one armed paper hanger with poison Ivy.

Larry O'Brien   Well, Hey, we'd love to have you back to talk about that in more detail, as you progress, maybe we'll have you and NEMA come on. Tell us about what you guys are doing.

Andre Ristaino:  Great. Yeah. Yeah, we're our next meeting on the next six weeks or so. So, in the next 60 days, we'll probably have more, concrete, direction on that.

Larry O'Brien  Sounds good. Great. Well, well, Andre, thank you very much for your time. This has been very instructive and enlightening and, we're very happy to had you. Thanks. Yeah, thanks very much, Andre. Thank you

Engage with ARC Advisory Group