Jan 25 2010

Honeywell’s Safety Manager Is Achilles Certified

Published by Steve Kim under Wurldtech

Today marks another milestone for the Achilles Certification program with the announcement of the 16th Achilles-certified control system, this time from Honeywell Process Solutions.

The Experion® Safety Manager is the second control system from Honeywell to meet the Level 1 criteria, along with the Experion® PKS C300 Process Controller, and joins a long series of certified products that have made the Achilles Certified designation the standard for cyber security certification in the industrial automation industry. The certification was performed by exida, a global leader in functional safety and security products and services and an accredited Wurldtech certification partner.

This falls on the heels of our recent announcement of the latest version of the Triconex Trident (V 2.1.1) from Invensys Operations Management to achieve certification. Read more here.

2010 will be a very exciting year for the Achilles certification team, with new product announcements, program expansions, and partnerships scheduled for the next few weeks. We look forward to continuing to build the Achilles Certified brand as the de facto industrial cyber security standard and to evolving our program to meet the changing needs of critical infrastructure stakeholders worldwide.

Jan 24 2010

Wurldtech CEO To Speak At Upcoming WIB Seminar About Emerging SCADA & Smart Grid Security Initiatives

Published by Steve Kim under Wurldtech

The International Instrumentation Users Association (WIB) has invited Mr. Williams to join executives and SMEs from organizations such as NICC, Shell and McAfee to share industry experiences, in the hope of helping end-user stakeholders make more effective business decisions to improve the security and reliability of critical industrial control and smart grid infrastructure deployments.

During the meeting, Mr. Williams and Ted Angevaare from Shell will formally announce the introduction of the Achilles Cyber Security Best Practices Certification program, which we are currently piloting with selected vendors, so stay tuned for more information.

The seminar will be held on March 18, 2010 in The Hague; if you are overseas and interested in attending, the information can be found here.

Jan 18 2010

Certification Program Update: Achilles Certified Products

In my last post, I discussed the importance of checking the versions of the devices, systems, and applications that are being sold as Achilles Certified, because the certification designation is tied to a specific version number. Given the number of recent requests from end-users about who is certified, and the fact that we are still a few weeks away from our new website, which will contain a complete database of certified products, I thought I would list the certified devices here:

Embedded Controllers

Vendor | Device | Model | Version
ABB | AC800M Controller | PM865 | 5.0.1001.51
ABB | Plantguard TMR Safety System | P8110 | 352000 build 115
Emerson Process Management | Delta V Controller | MD Plus | v8.4.1 and v9.3
HIMA | HIMax | X-CPU 01/X-COM 01 | 2.14/2.16
Honeywell | Experion PKS C300 | CC-PCNT01 | EXP310.1-65.71
ICS Triplex | Trusted Controller | T8110/T8110B | 352000 build 115
Invensys Process Systems | Tricon 10.3 | 4353 | 6241
Invensys Process Systems | Tricon 10.4 | 4351A/B, 4352 A/B, 4353, 4354 | 6241
Invensys Process Systems | Tricon 10.5 | 4351A/B, 4352 A/B, 4353, 4354 | 6272
Invensys Process Systems | Trident 2.0.1 | 3101/3201 | LSX:235/LCM:245
Invensys Process Systems | Trident 2.1.0 | 3101/3201 | LSX:292/LCM:245
Invensys Process Systems | Trident 2.1.1 | 3101/3201 | LSX:335/LCM:245
Invensys Process Systems | Foxboro I/A Series FCP270 | FCP270 | 843009
Invensys Process Systems | Foxboro I/A Series ZCP270 | ZCP270 | 843020
Kongsberg | AIM 8.2.5/4 | RCU501 | 2.0.0.3
Yokogawa Electric Corporation | CENTUM CS 3000 R3 Field Control Unit | AFV10D | Rev 9.18
Yokogawa Electric Corporation | CENTUM CS 3000 R3 Vnet Router | AFV10D | Rev 9.18
Yokogawa Electric Corporation | ProSafe-RS Vnet/IP Safety Control Unit | SSC50D | Rev 9.18
Yokogawa Electric Corporation | Stardom FCJ Controller | NFJT100 | 1.90.01

In addition to the above embedded devices, we have also certified one software component: MatrikonOPC’s MatrikonOPC Server for Triconex Tricon and Trident, version 4.2.0.0.

If you have any questions, please contact me directly at kyoo at wurldtech.com, and stay tuned for more certification announcements over the next few weeks, including the first certified:

  • Host based device
  • Real-time operating system
  • Vendor for industrial cyber security best practices

Jan 18 2010

Cyber Security As A Process: Reality Checks & Real World Examples

Published by Kevin Yoo under Achilles Certification

As we near the second anniversary of the official launch of our Achilles industrial cyber security certification program, and prepare to launch some major new program initiatives, I thought a small polemic that attempts to:

  1. Dispel a few common misconceptions about cyber security certification; and
  2. Highlight a few examples of industrial stakeholders who are embracing cyber security as a functional process and providing the shoulders for the rest of the industry to stand on

would adequately stimulate the discourse in the industrial cyber security community and start the year off with some fodder for conversation.

There are two common misconceptions in the market that we see today:

  1. There are no current cyber security standards or benchmarks for suppliers to follow that could guide the development of secure industrial control, SCADA and Smart Grid devices, systems and applications.
  2. Equipment manufacturers of control systems are not taking the robustness of their systems seriously.

These are both simply not true.

The first misconception is often less a misconception than a “head in the sand” assumption that stems from vested public and private sector interests, and it unfortunately results in stultified progress. This is neither ideal nor cost-effective and, most importantly, it does not improve the resilience of the digital infrastructure, which should be our goal, no?

In fact, this is exactly why we created the Achilles cyber security certification program in the first place, and today many of the largest suppliers in the world have invested the time and money to get their products tested and certified. For example:

“By certifying our product portfolio and integrating the Achilles testing platform into our internal product development lifecycle, IPS continues to ensure that our global clients receive the highest level of ongoing security assurance to improve the overall reliability of their business operations.”

Moreover, many end-users have done their diligence and integrated the Achilles certification program requirements into their procurement documents and now insist on Achilles certified products. For example:

“Achilles level 1 certification saves Shell a lot of time in the specification and procurement process and ensures purchasing process control equipment from Vendors that have a truly integral security attitude both in production and service.”

Where does this misconception come from?

This misconception is often a result of, and reinforced by, an under-educated industrial cyber security community that either misunderstands the economics of risk and incentives or has a clear vested interest in a competing program or in government funding. Although that is certainly understandable in a competitive market, it still disrupts progress. Until this is fixed, we can never achieve functional security.

For example, many folks still say “the Achilles certification program is private” and “we need a public standard instead”. Well, yes: the Achilles program is indeed a private benchmark, and yes, we certainly do need a public standard, but let’s make sure we realize that practical, realistic, and functional standards take years (see the path of ISA SP84 into IEC 61508), and in the meantime vulnerabilities go unmitigated and risks continue to increase.

How do we fix this?

A few suggestions:

  1. Reduce the amount of taxpayer money being spent on public sector research that re-invents the wheel and on government consulting services that compete with the private sector, and instead promote information sharing and widespread adoption of private sector programs that are functional and work.
  2. Increase government and corporate research investment in programs that encourage the completion of an international standard, instead of relying on unpaid, unfocused, asymmetric regional working groups and vendor-driven standards bodies.
  3. Leverage 100 years of economic understanding and incentivize stakeholders who do make investments in security, improving the ROI for security improvements by positively influencing commercial behavior instead of regulating it.
  4. Give credit to, promote and reward the companies and individuals that have already taken a leadership role and made a difference in the security and reliability of their systems today, to encourage greater adoption.

The second misconception can be dispelled with a simple example. Invensys Operations Management, one of the world’s largest manufacturers of industrial control systems, is a great example for other suppliers to follow.

  1. Industry leadership, standards participation and security culture: Invensys has consistent senior management representation at global security conferences, participates in many of the world’s leading international standards groups, and has a strong culture of security throughout its organization.
  2. Integrated proactive robustness testing: Invensys has made significant investments in products such as our Achilles Satellite robustness testing platform and has integrated security testing best practices throughout its entire development process.
  3. Certified product portfolio: Invensys has made a corporate decision to certify its entire control product portfolio, including the Triconex Trident and the Foxboro I/A Series.

Thankfully, end-users such as Shell and vendors like Invensys are not the only examples of industrial organizations investing in security, but they certainly are not the norm just yet. The important things to remember here are:

  • End-users: There are simple things you can do to ensure that the systems you select are robust right from the factory floor. The first, and easiest, action you can take is to insist on and select only systems that have achieved the Achilles Certified designation, but remember to check the version numbers!
  • Equipment Manufacturers: There is no question that cyber security testing and certification requirements will end up as part of your product development process in the near future, either from customer demands, government regulations, or international standards requirements, so the time is now to get started. Moreover, getting certified is a great first step, but remember, to make it truly functional you must integrate the process into your development culture and throughout your product portfolio.

I hope this entry stimulates thought and provides some useful information for critical infrastructure stakeholders, and I look forward to seeing more organizations following the leaders and embracing security testing and certification as an easy way of reducing unnecessary risk to industrial operations.

Jan 12 2010

Wurldtech’s CTO To Speak At RSA 2010

Published by Steve Kim under Wurldtech

Each spring, security experts from all over the world converge on the Moscone Center in San Francisco to discuss the global cyber security zeitgeist at RSA.

Although RSA is mainly focused on enterprise/IT security, the security, reliability and resilience of the digital networks that comprise the backbone of our national and global critical infrastructures has surfaced as one of the most important issues in cyber security today.

Dr. Nate Kube, an internationally recognized subject matter expert on industrial cyber security and critical infrastructure protection, has been selected to present his take on the state of the industry.

Dr. Kube will be co-presenting with:

  • Gib Sorebo, Chief Security Engineer at SAIC
  • Matt Carpenter, Senior Security Analyst at InGuardians

Details on the conference can be found here.

Jan 09 2010

Wurldtech Executive At 2010 ARC Forum To “Rethink Cyber Security For Critical Infrastructures”

Published by Steve Kim under Wurldtech

Wurldtech’s president Tyler Williams starts another year of industry stewardship at ARC’s fourteenth annual forum in Orlando, Florida.

Mr. Williams joins a panel of experts from around the world to discuss the business of cyber security and how a better understanding of economics can help improve the resilience of digital networks in critical infrastructure industries.

Information about the forum and how to register can be found here.

Jan 07 2010

The Triconex Trident 2.1.1 is Achilles Certified

Published by Kevin Yoo under Wurldtech

The latest version of Invensys Process Systems’ (IPS) Triconex Trident has achieved Achilles Certification. The Trident has already been certified twice before, for its 2.0.1 and 2.1.0 versions. As discussed in past blog posts, Achilles Certification is strictly tied to a particular device version. Devices must be tested again with each new version to ensure that they remain robust and that they still conform to the Achilles Certification standards.

Congratulations to IPS on another certified device and for continuing to demonstrate their commitment to deploying robust, certified devices.

Jan 05 2010

Tyler Williams To Kick Off 2010 With Webcast On Smart Grid Cyber Security Hosted By Energy Central

Published by Steve Kim under Wurldtech

On Thursday, January 07 at 9am (PST), Mr. Williams will join three other subject matter experts:

  • Mike Brown, IOActive
  • Erfan Ibrahim, EPRI
  • Kevin Brown, EnerNex

to take a holistic look at the cyber security challenges of emerging industrial wireless and smart grid technologies from a real-world perspective. Attendees will:

  1. Learn what utilities see as some of the actual challenges with smart meter and AMI deployments, and what steps are being taken today to reduce overall risk exposure to the bottom line.
  2. Review current best practices for ensuring Smart Grid security when viewed from an organization, people, process and technology perspective.
  3. Discover what end-users can do today to ensure the safe, secure and reliable integration of industrial wireless and Smart Grid technology.

Webcast information can be found here.

Jan 01 2010

Replay Based Testing

Published by Wesley Wineberg under Wurldtech

I’m new to Wurldtech, but I have been in the test industry for most of my career. One thing you learn in the practice of testing is that time truly is of the essence. With a practically unlimited number of test cases to choose from, the tester has to carefully decide where to target his or her valuable test time.

Consider communication replay or pcap based test schemes. Most security vulnerabilities originate as post-release bugs, and post-release bugs are typically found by happenstance by the customer while running the software. Now consider the Ethernet-enabled devices deployed in the critical industries; they have been operating reliably in the field 24x7x365 for the past 5-10 years. One can assume that throughout this time, in the hostile environments these devices occupy, a communication packet got corrupted or altered now and then (EMI, etc.). Yet the bugs that the security community is now finding in abundance were never identified. When we consider allotting valuable test hours to replay based testing, we must ask ourselves: how “normal”, or “based on regular traffic”, could the triggers of today’s vulnerabilities really be?

The answer is what keeps me motivated to innovate new automated schemes for generating large quantities of threat-specific test cases, not background noise.

Dec 14 2009

Wurldtech Website Revamp

Published by Steve Kim under Wurldtech

We just wanted to let our visitors know that a new website will be up very soon, reflecting a brand new vision of functional cyber security for critical infrastructure. In the meantime, visit our blog regularly for the latest updates from our Satellite, Certification and Assessment teams.
