“Expertise doesn’t recognize national boundaries”: A conversation with ISA’s Eric Cosman
David Wagman | January 02, 2020

Founded in 1945, the International Society of Automation (ISA) celebrates its 75th anniversary in 2020.
The ISA is a leading, global, nonprofit organization with more than 40,000 members. Its principal work includes developing standards, certifying industry professionals, providing education and training, publishing books and technical articles, and hosting conferences and exhibitions for automation professionals. As it celebrates its 75th anniversary in 2020, the society is committed to celebrating and building on its legacy of leading automation into the future.
Eric C. Cosman, a chemical engineer with more than 35 years of experience in the process industries, will be the ISA president during its anniversary year. He has been a member of ISA for over 25 years, serving in several leadership roles. Cosman has been a leader in the development of standards and practices for industrial control systems security since 2002. He was a founding member of a Chemical Sector Cyber Security Program team focused on industrial control systems cyber security, and was one of the authors of the Chemical Sector Cyber Security Strategy for the U.S.
He is also a founding member and currently serves as the co-chair of the ISA99 committee on industrial automation and control systems (IACS) security. The group developed the series of automation cybersecurity standards known as ISA/IEC 62443, which serves as the foundation for the recently unveiled ISA Global Cybersecurity Alliance. That alliance brings organizations together to develop cybersecurity solutions for industries worldwide.
On the eve of his taking on the ISA senior leadership role, Cosman spoke with Engineering360 Editorial Director David Wagman on issues related to automation and standards setting, as well as plans for ISA’s 75th anniversary.
Engineering360: Technology innovation has been with us a long time. What makes the current pace of innovation, development, deployment and obsolescence different and how do those factors impact standards setting?
Eric Cosman: Members of our profession have often complained about or observed — that may be a more neutral term — the fact that technology change is fast. One of my early mentors told me "well, you’re working in the chemical industry where we build plants to last 30 years and you are working with technology that has a half-life of 18 months." So that’s the definition of stress!
I think what makes it different now is that, along with the pace of technology change, we’re seeing convergence; an intrusion of technologies. We’re seeing commodity technology now being used in industries that are used to having a very deliberate, thoughtful, well-organized approach to technology implementation. When ISA was founded in 1945 the focus was on instrumentation and measurement. Today an automation professional must deal with a much wider range of technologies.
Just look at your phone. We don’t plan updates to our phone anymore; the updates just happen. That kind of change gives industrial users of technology the heebie-jeebies. It’s like “how could you possibly do that?” Updates have to be planned and the implications have got to be mapped out to decide whether you make the update. But you can’t really deal with a particular area of technology in isolation anymore; they’re all so heavily intertwined.
Engineering360: How does that environment impact standards setting?
Cosman: Standards setting is codifying commonly accepted engineering practice and putting it in a form that people can refer to. Good standards are based on experience, and when technology is coming at you so fast it’s very difficult to attain and sustain that experience. Standards committees or standards bodies like IEEE and ISA are now having to almost set standards in an anticipatory way.
In ISA we are working with IEC (the International Electrotechnical Commission) on a nominal maturity date for a standard of five years. We’re seeing that, often, you can’t wait five years. That puts pressure on a standards development organization that is largely based on volunteer labor. It makes it hard to find the right people with the right experience with the time available to contribute their expertise. It puts more pressure on everybody.
Engineering360: Could you offer an example or two to illustrate that challenge?
Cosman: One example in the ISA is the field wireless standards, ISA100. That committee basically set a standard based on suppliers’ positions and anticipations of where the technology was going. When you get into that kind of situation you invariably get into competitive arguments where Vendor A believes this and Vendor B believes that. It makes it very challenging to manage that kind of process.
The other example, of course, is the cybersecurity standards, which is the subcommittee that I chair. We have a work group within ISA99, Work Group 9, which was chartered to look at the industrial internet of things (IIoT), and to answer a fundamental question: What does this emerging and developing technology have in terms of implications — if any — for industrial cybersecurity? How does it change the game?
That work group is currently working on that problem, and it will produce a report to the committee leadership. Based on the results of that report we’ll decide if we need to open the standards that we’ve already approved and published and revise them earlier than we had anticipated.
It's probably not preferred for standards committees to get too far ahead of the curve because then they can be accused of trying to drive the technology adoption. But at the same time, they just can’t wait for everything to settle.
Engineering360: Given the hyper-speed of technology innovation, how can standards developing organizations (SDOs) make the most efficient use of emerging technologies such as artificial intelligence and blockchain automation?
Cosman: Several years ago, we recognized that the field of automation was changing. So was the definition of what an automation professional is faced with. We formed a technology search committee to respond to advise our standards and practices department and our executive board. It serves as the collection point for submissions by anyone who has an idea about a potentially disruptive or contributing technology that might change how we approach automation.
The committee takes those submissions, defines the technology by working with the submitter to see exactly what they were talking about, and conducts the research to answer the question, why is this relevant to automation and, if it is relevant, how is it relevant? Then they take those recommendations back to the Standards and Practices and Executive Boards.
It’s a way of making sure that our portfolio of standards continues to be timely, relevant and appropriate for what an automation engineer needs to do today. In addition to being a standards development organization we are, just like IEEE, a professional society. We serve a profession — in this case automation professionals — and we try to keep in mind that we are here to serve them and make the practice of their profession better and more effective.
Engineering360: These same technologies can present new risks related to cybersecurity. What efforts are currently under way to effectively address cybersecurity concerns?
Cosman: The ISA99 committee has developed a series of standards that have the nomenclature 62443. These standards are published simultaneously by ISA as U.S. national standards, as well as by the International Electrotechnical Commission as IEC 62443 standards.
In 2002 we brought a bunch of people together in Chicago, and we discussed two alternative approaches. We could either charge our existing committees in areas like alarm management, batch automation and enterprise integration and so on, to assess the implications of cybersecurity on their respective standards, or, we could form a new committee to look at cybersecurity as it cuts across all of those; a so-called horizontal standard, if you will.
We chose the second option and that was the birth of the ISA99 committee. Naively, as it turns out, when we first formed the committee, we looked at the problem and thought “OK, we can probably address this with a couple of standards and maybe a couple of supporting technical reports.” We laid out a map that had two standards and two technical reports. As of today, we have 14 documents in the series.
We’ve learned that it’s a much more complex subject than we thought. We originally looked at it from a technology perspective, but soon realized that it is a combination of people, process and technology. Our standards address everything from conception of product to development and delivery of product by the supplier to integration of product into a real-world environment to operations, maintenance and, ultimately, retirement and replacement.
It’s broad in terms of life cycle and broad in terms of the roles addressed and that’s why we ended up with 14 reports. The IIoT effort might result in a 15th part with a technical report on that subject.
Engineering360: Does the work involved in standards setting for cybersecurity follow the usual process or is it different in some way?
Cosman: The processes and the procedures that we follow are exactly the same: We use an ANSI-accredited consensus-based development process and we are audited by ANSI.
What makes cybersecurity different is it is ubiquitous; it cuts across everything. I would say that of all the committees in ISA, we probably have many more liaison relationships than any other committee.
This is where we are distinctly different from the other ISA committees. Typically, with the other committees like batch management or procedural automation, ISA develops a standard which may or may not be similar to work that is done at IEC. But if IEC develops a standard or ISA develops a standard, they offer it to the other for consideration and for adoption.
In the case of cybersecurity, we have a very strong liaison relationship with IEC Technical Committee 65, working group 10. We do most of the heavy lifting in the ISA99 committee and those standards are submitted to both ISA and IEC simultaneously, or as close to simultaneous as we can get because IEC processes have different timelines.
The outcome is that when they emerge as a fully approved standard, they will come out as an ANSI/ISA standard and IEC international standard almost at the same time. It presents challenges, obviously, because there are cultural and procedural challenges. Getting two independent standards development organizations to work closely like that is not without its difficulty.
Engineering360: Given the global supply chain and the fact that technology innovation is not limited geographically, are there practices that an SDO can follow to better ensure conformity and harmonization across technologies?
Cosman: The first is to get as broad an involvement as you can. Even though ISA is a U.S.-based company, the I in ISA stands for international and we serve the automation profession regardless of where it is practiced around the world.
The technology is one thing, but you just never know where the practices are going to come from. One of the hotbeds of industrial cybersecurity technology practice and development in the last decade or more has been in Israel. So, you have to avail yourself of that information or you may not be getting the very best available. Expertise doesn’t recognize national boundaries.
Engineering360: What plans are under way to mark the ISA 75th anniversary in 2020?
Cosman: Our plan is to raise awareness of the profession. We want to reach out to more people who aren’t in the automation profession and explain to them why automation as a profession is important to their lives. We will be highlighting major technical advances in automation throughout our first 75 years and looking to how automation will impact our lives in the future. In the course of doing that we may attract more young people to the profession, which is always a good thing.
To our society members and to people already in the profession, we use the term “home of automation.” We want to be your home where you can come to learn from people and be a coach and mentor to people so you can become a better and more effective and more successful professional.
We want to celebrate our past and look to where automation is going. We think that future is bright. The prevalence and ubiquity of technology now means everything from having a Google phone or Nest thermostat to heavy industrial automation to aeronautics and all kinds of places. It’s a rich area for people who are interested in that kind of technology.