Electrical contractors plunging deeper into the security market need to pay as close attention to the standards involved in security systems and attendant technologies as they do to the National Electrical Code (NEC).
In July 2013, BICSI, Tampa, Fla., released ANSI/BICSI 005 2013, Electronic Safety and Security (ESS) System Design Implementation Best Practices, to begin addressing the convergence of ESS devices onto the traditional network. Why? Well, by 2008, people realized that computer, telecommunications, process control and security systems were converging on the network. However, little had been written to support this convergence of security systems and the cabling infrastructure. BICSI 005 bridges the two worlds of security and communications by providing a set of requirements and recommendations for the cabling infrastructure that both security and telecommunication/network personnel can follow.
According to BISCI, the standard provides a minimum set of cabling/infrastructure requirements, as well as additional recommendations and information, which may be applicable to a specific site or scenario. In addition, the standard covers traditional installation and testing methods that are no longer practical and that require modification when ESS devices are directly connected to the network and not to a wall outlet.
BICSI 005 does not document the totality of either network or security system design but rather provides the necessary information concerning what needs to occur when one places an ESS system on the network. For electrical contractors, who already have tackled these types of systems (like telecommunication installers), the standard provides the basic information they need when involved with ESS systems that are using the network and helps round out their security knowledge.
The ISA-62443 series of standards, being developed by the ISA99 committee of the International Society of Automation (ISA) and adopted globally by the International Electrotechnical Commission (IEC), is designed to provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems.
In August 2013, ISA-62443-3-3 2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels, was released. The standard provides detailed technical control system requirements associated with the seven foundational requirements as described in ISA-62443-1-1, including defining the requirements for control system capability security levels.
According to Jeff Potter, director, security architecture at Emerson Process Management, Eden Prairie, Minn., the standard was developed to provide the technical controls deemed necessary to ensure industrial control system security at the system level.
“Other parts of the ISA-62443 series cover the associated management of a security program, risk assessment, patching guidance, product development requirements, metrics and so on,” he said.
With this standard, product suppliers, integrators, asset owners, service providers and regulators benefit from having common expectations concerning system capabilities.
“Different industries and locations may have different perceived requirements for security levels based largely upon risk or regulatory compliance, and the ISA-62443 series recognizes and supports these differences,” Potter said.
In addition, the standard provides electrical contractors with a better idea of what their customers’ expectations are likely to be, particularly in an industrial environment.
“Since the security space is continually evolving, the standards will have to evolve as well, including the development of associated compliance standards,” Potter said.
ISO/IEC 27001 and 27002
ISO/IEC 27001 and ISO/IEC 27002 are not exactly codes but are process-based, high-level standards. Both standards were originally issued in 2005 and most recently revised in fall 2013. ISO/IEC 27001 provides a set of information security management requirements to which conformance can be validated and certified. ISO/IEC 27002 provides guidance on implementing information security controls that are required by ISO/IEC 27001.
“Both standards apply to any context and not to an individual application,” said Nadya Bartol, CISSP, CGEIT, senior cybersecurity strategist for the Utilities Telecom Council, Washington, D.C.
They are relevant to organizations that depend on information, including commercial enterprises of all sizes; not-for-profits; charities; government agencies; or banks, utilities and hospitals. Both standards were originally developed to standardize information security processes and practices.
“Information security was a growing concern for enterprises, but, at that point in time, there was no organized way of addressing these issues,” Bartol said.
ISO/IEC 27001 provides a process for enterprises to address information security through conducting risk assessments and identifying and implementing risk treatments in their environment. ISO/IEC 27002 covers security controls, including access control, communications security, physical security, network security, and supplier management.
Electrical contractors, according to Bartol, need to have a general knowledge of these standards to articulate their understanding of their data center customers’ need for data, information protection, and the protection of the physical infrastructure.
“Having the trusted people on staff that have a general understanding of the information security will enable the contractor to better position itself in the market,” she said.