Cyber security raises several new challenges for industrial stakeholders that must be addressed through all stages of a system’s lifecycle. Fundamentally, we don’t know where attackers are and we don’t have real-time situational awareness of our networks, or the ability to take action on them. This situation is exacerbated by the increasing complexity of industrial control, automation and safety system operations, increased need for connectivity (optimization, remote operations), rapidly changing technologies, and taxonomy of persistent threats.
The automation community has long struggled with how to “build in” the weapons to hunt inside our control networks for malicious agents to block or destroy them. The lack of a common framework has produced a tower of standards babble that is difficult at best to understand let alone implement.
To address this issue, leading industrial stakeholders such as Shell, BP, Invensys, and Honeywell, in cooperation with a consortium of leading end-user organizations and operators called the International Instrument Users Association (WIB), led an initiative to establish a coherent, simple, out-of-the-box solution to build and support security mechanisms in the products and services used in today’s control systems.
The objective was to create a set of requirements and an associated certification program for suppliers to follow in order to improve the quality of their cyber security processes and practices throughout the entire lifecycle of an industrial system. In simple terms, the requirements address all applicable processes embodied in organizational practices, product and service development, testing and commissioning for turn-over to the operator for operations, and maintenance and support throughout the lifetime of the control system. These requirements are becoming part of the procurement language for accepting delivery of a secure process control system.
Requirements for Vendors V2.0
Example Contributing Members
- Shell
- BP
- Saudi Aramco
- Electrabel
- DSM
- Wintershall
- NICC
- Invensys
- Honeywell
- Sabic
- Akzo Nobel
- Heineken
- Waternet
- Dow
- Dupont
- ABB
- Hima
- CPNI
- Wurldtech
Achilles Practices Certification Program Overview
Based on WIB’s security framework requirements, Wurldtech expanded our internationally recognized Achilles™ certification brand and developed a comprehensive program to proactively and independently certify that a Vendor’s policies and practices are in place to build security into its products and services. The program is called Achilles Practices Certification (APC).
APC is designed to be a value-added program tailored to the needs of the end-user – the system owner/operator. Such tailoring reflects the unique requirements of a specific critical infrastructure sector: petro-chemical, energy including smart grid, transportation, pharmaceutical, chemical, etc. Tailoring also scales with the complexity of the application and includes provisions for security future-proofing to mitigate the evolving threat landscape.
The APC program is divided into four distinct categories reflecting the industrial product lifecycle and various stages of cyber security ownership:
1. Organization
- Focuses on security governance, policies and procedures.
2. System Capability
- Focuses on security functions that are designed into the Vendor’s system, as well as compensating security functions used to protect Vendor system components and subsystems which do not have built-in security capabilities.
3. Commissioning & Testing
- Focuses on demonstrating correct implementation of security functions built into the Vendor’s system and on readiness of system turnover for operation by the Principal or selected Operator.
4. Maintenance & Support
- Focuses on demonstrating correct maintenance of security functions built into the Vendor’s system and on timely support in response to security-related events.
Three Levels of Certification Available for Vendors
| Level of Certification | Description |
| --- | --- |
| Gold Level Certification | A set of 272 requirements and requirement enhancements which verify that a complete set of applicable policies and practices are in place, enabled and practiced to monitor and track performance of the Vendor’s security mechanisms and to improve those mechanisms through adequately planned and resourced improvement programs. |
| Silver Level Certification | A set of 212 requirements and requirement enhancements which verify that an extended set of applicable policies and practices are in place, enabled and practiced to enhance the security mechanisms built into the Vendor’s products and services. |
| Bronze Level Certification | A set of 148 requirements and requirement enhancements which verify that a core set of applicable policies and practices are in place, enabled and practiced to build security into the Vendor’s products and services. |
Documentation
A Vendor applying for certification is provided the following five documents:
1. APC Program Description
- Describes the program from start to finish. An annex in the program description contains a list of frequently asked questions and answers.
2. WIB Vendor Requirements Framework
- Describes the security requirements for Bronze, Silver and Gold certification.
3. APC Program Vendor Submittal
- Describes the minimum required evidence (MRE) for each process area and base practice. Examples are also provided as a guide for the Vendor to properly gather and document the data supporting the warrant.
4. APC Program Vendor Appraisal
- Describes the procedure and rules used by Wurldtech to assess the Vendor’s submittal, request supporting evidence for audit, assign remedial action, and grade each MRE (minimum required evidence item) as a Pass or Fail.
5. APC Program Vendor Workbook
- The self-assessment questionnaire in which the Vendor collects all responses and statements regarding the applicable Base Practices and Evidence Requirements.