This is a long one…
Having now been in The Netherlands for the past three weeks helping to expand Wurldtech into the region and building an operations team to service our European customers, I’ve been fortunate enough to also be directly involved in the introduction of a new cyber security initiative which I believe will result in a paradigm shift for process automation and control stakeholders worldwide.
First a little context…
Many of you will have heard our executives speak at conferences as what we call SSL teachers (Security As A Second Language). Admittedly, I am but a businessman, not a cyber security expert or a process engineer, but I do feel our leadership has a solid grasp of how to align cyber security with business fundamentals. In other words, determining how to treat cyber security expenditures as financial line items.
The model is pretty simple and is based on common economic principles:
- Define The Terms: Create an open, scalable language framework in order to establish a common vernacular as it applies to the process automation and control product life-cycle (Design & Development, Installation & Integration, Run & Maintain)
- Establish The Incentives: develop a business case / ROI to justify investment in security improvements based on a quantifiable reduction in accidental or intentional disruption of process.
- Add Real Economic Value: Build simple, scalable, and functional products and services that help your customer realize a quantifiable reduction in accidental or intentional disruption of process (i.e. show them a cost savings or revenue increase in their business - period)
- Repeat: Adjust solutions as the customer needs change
Some may disagree with this business model, and indeed many have, often with responses like “defense in depth” or other jargon-laden “comprehensive” solutions, but when you embrace a model instead of a product you don’t end up missing what is hidden in plain view. Again, people may disagree, but having now been in the trenches for the past few years, here is what I have noticed:
1. Growing end-user apathy, indifference and frustration (ever tried to sell something to a frustrated customer?)
2. Increased government interest and involvement (leads to gaming the system)
3. Disjointed, regional, and part-time cyber security working groups (what we call workinggroupitis)
4. Irrelevant and unnecessary hand-waving (more FUD than FACTS)
5. Increasingly skeptical vendor / end-user executive management (no support, no budget; sorry, that’s just a fact)
6. Multiplying SMEs (This is just a fact of life but suboptimal)
7. Maroochy Shire x 1490 (this is just a personal request, enough already)
8. More “buy this product and you’ll be secure” (I could poke holes in this from a mile away with wet spaghetti)
Now why do I preface this with a polemic? Because over here in Europe I have seen NONE of this. I feel like I have entered bizarro-world. Here is what I notice:
1. End-users investing heavily in cyber security products / services (data driven business cases)
2. Stakeholders cooperating (stand on the shoulders of giants, what a concept)
3. Working groups working (output and progress is nice to see)
4. Government playing their role and facilitating not intervening (not selling assessment services like the US?)
5. No Maroochy Shire (ahhhh no more banging head against wall)
The reason for all of the above is to provide the context for why I feel this initiative will be successful here and why I think those of us in North America could take a note or two from Europe.
Finally a brief overview of the initiative:
In late 2009, the cyber security team at a major oil and gas end-user embarked on a collaborative project with industry stakeholders from many countries, sectors and disciplines, to create a set of standardized cyber security best practices that will apply to vendors of any device, system and/or application installed on a process control network.
This set of requirements was designed from the start to be simple, scalable, open, formal, and most importantly, functional. This means that the requirements were categorized based on the entire lifecycle of industrial products to ensure that products are sold, installed, operated and maintained based on a set of standardized cyber security best practices.
Throughout the entire process, the requirements were developed with transparency and openness resulting in comments and revision suggestions from over 50 stakeholder companies representing vendors, operators, integrators and service providers.
While the cyber security best practices requirements were being reviewed and revised by industry, Wurldtech was selected to expand their current cyber security certification program designed for embedded systems, and construct a new formal certification framework that would allow stakeholders to demonstrate conformance to the newly created set of requirements.
As of today, the requirements document and certification program have been finalized and are being piloted with a selected group of five equipment manufacturers.
Over the next few weeks more information will become available, but stay tuned; hopefully what we are seeing here is the beginning of something very exciting and important.