As we near the second anniversary of the official launch of our Achilles industrial cyber security certification program, and prepare to launch some major new program initiatives, I thought a small polemic that attempts to:
- Dispel a few common misconceptions about cyber security certification; and
- Highlight a few examples of industrial stakeholders who are embracing cyber security as a functional process and providing the shoulders for the rest of the industry to stand on,
would adequately stimulate the discourse in the industrial cyber security community and start the year off with some fodder for conversation.
There are two common misconceptions in the market that we see today:
- There are no current cyber security standards or benchmarks for suppliers to follow from which to guide the development of secure industrial control, SCADA and Smart grid devices, systems and applications.
- Equipment manufacturers of control systems are not taking the robustness of their systems seriously.
These are both simply not true.
The first misconception is often less a misconception than a “head in the sand” assumption that stems from vested public / private sector interests and unfortunately results in stultified progress. This is neither ideal nor cost-effective, and most importantly it does not improve the resilience of the digital infrastructure – which should be our goal, no?
In fact, this is exactly why we created the Achilles cyber security certification program to begin with - and today, many of the largest suppliers in the world have invested the time and money to get their products tested and certified. For example:
“By certifying our product portfolio and integrating the Achilles testing platform into our internal product development lifecycle, IPS continues to ensure that our global clients receive the highest level of ongoing security assurance to improve the overall reliability of their business operations.”
Moreover, many end-users have done their diligence and integrated the Achilles certification program requirements into their procurement documents and now insist on Achilles certified products. For example:
“Achilles level 1 certification saves Shell a lot of time in the specification and procurement process and ensures the purchasing of process control equipment from vendors that have a truly integral security attitude both in production and service.”
Where does this misconception come from?
This misconception is often a result of, and reinforced by, an undereducated industrial cyber security community who either misunderstand the economics of risk and incentives or have a clear vested interest in a competing program or government funding – which although certainly understandable in a competitive market, still disrupts progress. Until this is fixed, we can never achieve functional security.
For example, many folks still say “the Achilles certification program is private” and “we need a public standard instead”... well, yes, indeed, the Achilles program is a private benchmark, and yes, we certainly do need a public standard, but let’s make sure we realize that practical, realistic, and functional standards take years. Consider the path from ISA SP84 to IEC 61508; in the meantime, vulnerabilities go unmitigated and risks continue to increase.
How do we fix this?
A few suggestions:
- Reduce the amount of taxpayer money being spent on public sector research that re-invents the wheel and on government consulting services that compete with the private sector, and instead promote information sharing and widespread adoption of private sector programs that are functional and work.
- Increase government and corporate research investment in programs that encourage the completion of an international standard instead of relying on unpaid, unfocused, asymmetric regional working groups and vendor-driven standards bodies.
- Leverage 100 years of economic understanding and incentivize stakeholders who do make investments in security, improving the ROI for security improvements by positively influencing commercial behavior instead of regulating it.
- Give credit to, promote and reward the companies and individuals that have already taken the leadership role and made a difference in the security and reliability of their systems today to encourage greater adoption.
The second misconception can be dispelled with a simple example. Invensys Operations Management, one of the world’s largest manufacturers of industrial control systems, is a great example for other suppliers to follow.
- Industry leadership, standards participation and security culture: Invensys has consistent senior management representation at global security conferences, participation in many of the world’s leading international standards groups and has a strong culture of security throughout their organization.
- Integrated proactive robustness testing: Invensys has made significant investments in products such as our Achilles Satellite robustness testing platform and integrated security testing best practices throughout their entire development process.
- Certified product portfolio: Invensys has made a corporate decision to certify their entire control product portfolio, including the Triconex Trident and the Foxboro I/A Series.
Thankfully, end-users such as Shell, and vendors like Invensys, are not the only examples of industrial organizations investing in security - but they certainly are not the norm just yet. The important things to remember here are:
- End-users: There are simple things you can do to ensure that the systems you select are robust right from the factory floor. The first, and easiest, action you can take is to insist on and select only systems that have achieved an Achilles certified designation – but remember to check the version numbers, since certification applies to the specific product version that was tested!
- Equipment Manufacturers: There is no question that cyber security testing and certification requirements will end up as part of your product development process in the near future, either from customer demands, government regulations, or international standards requirements, so the time is now to get started. Moreover, getting certified is a great first step, but remember, to make it truly functional you must integrate the process into your development culture and throughout your product portfolio.
I hope this entry stimulates thought and provides some useful information for critical infrastructure stakeholders, and I look forward to seeing more organizations following the leaders and embracing security testing and certification as an easy way of reducing unnecessary risk to industrial operations.