ISA At Work In The Manufacturing Sector

The Department of Homeland Security is designated at the Sector-Specific Agency for the Criticial Manufacturing Sector.  ISA Member, National Association of Manufacturers (NAM) represent this sector.

The National Association of Manufacturers (NAM) is an advocacy group headquartered in Washington, D.C., United States, with 10 additional offices across the country. It is the nation’s largest manufacturing industrial trade association, representing 11,000 small and large manufacturing companies in every industrial sector and in all 50 states.

LtoR: Former Chair of the House Intelligence Committee Dave McCurdy (D-OK) with ISA Board Member and Past National Association of Manufacturers (NAM) President Gov. John Engler.
In order to sustain double digit growth, certain nations have resorted to cyber theft as a national policy. Manufacturers, in particular, are in the cross-hairs. This realization has led many manufacturers, including the National Association of Manufacturers, to join the ISA to help create a sustainable system of cybersecurity. Under their leadership, ISA has developed a series of advocacy, thought leadership, and security programs that specifically address manufacturing concerns.

Securing the Electronics Hardware Supply Chain

Faced with a different set of potential adversaries, ISA’s aerospace and defense manufacturing members initiated a unique supply chain program in collaboration with the Carnegie Mellon University that focused on securing electronics hardware and firmware from supply chain intrusions. These manufacturing companies recognized that while inserting malicious hardware and firmware into the supply chain would be more time-consuming and costly, some of their adversaries (i.e., nation-states) have a bottomless account and are “in it for the long game.” These companies further recognized that while such an injection attack may only succeed once, if the compromise was in a SCADA or weapons system, the results could be catastrophic.

LtoR: ISA Board Member Brian Raymond of NAM with Asst. DHS Sec. Mike Locatis and ISA President Larry Clinton at recent ISA Board Meeting, held at NAM’s headquarters.

So starting in 2006, ISA and CMU ISA launched the industry’s first integrated supply chain program analyzing the complex problems of managing the IT supply chain on a global basis to assure the security of hardware products and services. In 2008, ISA released its resulting supply chain framework document, which was subsequently cited in President Obama’s signature document on cyber security: “The Cyberspace Policy Review” (2009).

A series of nationwide workshops followed, helping to create a clear, specific and detailed set of instructions for managing the IT supply chain in a secure, but economic, fashion. 60+ pages in length, these instructions (or guidelines) will be released shortly on ISA’s website following Board approval.

LtoR: Former DHS Sec. Mike Chertoff with ISA Board Member Gene Fredriksen of Tyco at recent ISA Board Meeting and Salon Dinner.

Combating The Advanced Persistent Threat (APT) in the Manufacturing Industry

Over the past few years, ISA’s manufacturing members noticed a shift in attack tactics, with adversaries now targeting these members’ smaller partners utilizing more sophisticated, APT-style attacks. To combat this shift, Jeff Brown of Raytheon, Tom Kelly of Boeing, and Rick Howard of Verisign stood up the ISA APT program in 2011 to leverage the industry’s expertise and develop a set of publishable, cost-effective best practices that these smaller partner companies can use to help mitigate against such attacks.

With NAM’s collaboration, ISA has recently field tested this document with its target audience: manufacturers with either zero on-staff IT professionals, 1-10 IT professionals, and greater than 10 IT professionals. This program is currently ongoing, with a publication expected in Q4 2012.


Starting in 2006, the ISA began its program on the Financial Management of Cyber Risk. Three highly acclaimed publications later, ISA has now entered its fourth phase of this program, seeking to analyze and benchmark enterprise risk management in three specific sectors, Aerospace and Defense, IT, and Financial Services, with specific reference to the effect of the SEC’s recent advisory on considering cyber security as a material risk.

This fourth phase kicked off in late June 2012 with the first of a series of workshops. Held at the National Association of Manufacturers in Washington, D.C., and in collaboration with ISA channel partner the Aerospace Industries Association, this first workshop examined the enterprise risk management practices of several leading aerospace and defense firms. Two other workshops are scheduled for late summer in Silicon Valley, California, and in late fall in New York City.


Leave a Reply