ISA99 Stuxnet Gap Assessment – Why It’s Important

Last week the International Society of Automation (ISA) announced that a new committee, ISA99 WG5 TG2, has been struck to conduct a gap analysis of the current ANSI/ISA-99 standards with respect to Stuxnet. The goal is to determine if companies following the standards would have been protected from advanced persistent threats (APTs) such as Stuxnet. If not, then the committee will identify what changes are needed.

I have been asked to chair the committee, and I am writing today to let you know about its work, to explain why it is important, and to ask for your participation.

ANSI/ISA99 Standards

The ANSI/ISA99 Standards address the subject of cyber security for industrial automation and control systems. The standards describe the basic concepts and models related to cyber security, as well as the elements contained in a cyber security management system for use in the industrial automation and control systems environment. They also provide guidance on how to meet the requirements described for each element.

Why the ISA99 WG5 TG2 Committee is Important

The ANSI/ISA99 standards provide the base documents for the ISO/IEC standards in industrial control security, known as IEC-62443. Over the next few years, these standards will become the core standards for SCADA and process control security worldwide.

In a nutshell, if you or your organization wants to be sure that following international standards to the letter will enable you to stop something like the next Stuxnet, then the work of this committee is vital.

How to Participate

The committee is open to all ISA99 members and cyber security subject matter experts. If you are interested, please contact me at

The committee has its first teleconference next week, and we are aiming to produce a report of our analysis by mid-2011.
