Wurldtech In The News


Industrial Control Industry Trends Towards Certification

May 10, 2011

Industrial controllers, devices, and networks that are certified secure - comprehensively secure - don't exist, for the simple reason that the standards are not all in place.  But bits and pieces of the puzzle are coming together.

If you want to hush a group of control engineers, simply say, "Stuxnet."

In mid-2010, black hats took over software-based supervisory control at a handful of plants in highly targeted attacks.  Similar types of malicious attacks, of course, have been at work in the personal computing world for decades - a land where battles against malware have long been highly visible.  Waves of grief have washed over that universe, thanks to worms, viruses, misdirections, application stoppages, deliberate file corruption, you name it. 

Still, it was something of a surprise when Stuxnet brought malware into the industrial spotlight.  Plenty of speculation suggests the attack was specific, nation against nation, with military development the target.  And while this is a bit of a relief if you make orange drink rather than nuclear arms, the specter is now raised, and it will not go away. 

Unfortunately, it is no harmless bogeyman.  The more closely your products contribute to military applications, national security or social infrastructure, the more frightening the possibilities are.  But what if you could simply take your next network out of the box, check its labels or docs for security standards compliance, and relax, knowing that your whole control system will be immune to attack?

Yes, Virginia, standards are either in place or about to be.

Standards in Place

Individual devices available today carry certification that they are in compliance with Wurldtech, a Vancouver, B.C. security technologies company providing cyber security under the Achilles moniker - specifically, certified for communications security.  Based on groundwork from Dutch consortium WIB (Werkgroep voor Instrument Beoordeling; in English, Workgroup on Instrument Behavior), both the Achilles device certification and a second Achilles process certification around good networking product development practices lay down "a set of requirements and an associated certification program for suppliers to follow...to improve the quality of their cyber security processes and practices throughout the entire lifecycle of an industrial system."

WIB and Wurldtech benefited from extensive work and input from Shell, British Petroleum, Invensys, Honeywell, ABB, Dow, DuPont, Sabic and a number of other large players in highly security-conscious industrial segments.

The two Wurldtech certification types illustrate the two primary strategies for securing a system: One focuses on specific operational parameters of specific devices; the other focuses on the research and development processes employed in the making of industrial networking components.  The first measures the ability of features built into a device to prevent unauthorized access against a specific suite of attacks.  The second prescribes the design criteria and available cyber security features required for the creation of a malware-resistant component, with the objective of ensuring that everything required to fend off attacks will be available to a trained implementer.

In the future, manufacturing equipment will be certified to standards such as those issued from the ISA99 industrial cyber security committee.  As with most International Society of Automation (ISA) standards, these are intended to be comprehensive, and the process from conceptualization to standards publication is necessarily a long one.

The committee's description of its purpose underlines the broad scope: "Develop and establish standards, recommended practices, technical reports, and related information that will define procedures for implementing electronically secure industrial automation and control systems and security practices, and assess electronic security performance.  Guidance is directed towards those responsible for designing, implementing, or managing industrial automation and control systems and shall also apply to users, system integrators, security practitioners, and control systems manufacturers and vendors."

 
