A colleague pointed me to a cyber-security article published on the Engineer Live website. The article, Boosting confidence with cybersecurity certification describes several automation suppliers and their work with Wurldtech and their Achilles certification program to test their automation controllers for cyber-security robustness. The article summarizes the program:
Its Achilles assurance platform, created by the company’s team of network security experts, control system engineers and white hat hackers, is the first automated and comprehensive testing product for assessing vulnerabilities and security threats to devices and networks supporting critical infrastructures worldwide.
The article includes the news of Emerson’s DeltaV controller and firewall passing, “over 20 million tests to achieve Level1 certification.” At Wurldtech’s website, you can see other automation suppliers who have similarly subjected their equipment to this rigorous testing and achieved certification.
Bob Huba, whom you may recall from earlier cyber-security posts, describes an ongoing benefit of this testing for process manufacturers:
Controllers with Level1 certification have demonstrated the robustness to survive network cyber attacks. One real benefit of passing these rigorous tests is to provide users with the ability to better plan the installation of security updates and new anti-virus signatures. Knowing that the controllers can survive a possible security incident provides an opportunity to schedule these patching tasks around process activities rather than always immediately deploying the updates.
I’ll definitely not claim myself to be an expert with cyber-security, but I do see similarities with cyber-security and safety efforts in taking a risk-based approach. I shared this thought in a recent Chemical Processing magazine article, Plug cyber-security gaps. This is also an excellent article and well worth the read for interested parties.
If you are in this “interested party” cohort, you may also want to follow the work of the ISA99 committee, Manufacturing and Control System Security (I’d subscribe to their RSS feed if they had one… nudge, nudge.) You may also want to follow some the leading cyber-security blogs with respect to process automation including Dale Peterson’s Digital Bond blog and Joe Weiss’ Unfettered blog (both thankfully offer RSS feeds for easy information consumption.) I’d also pass along the DCS Security blog if we could get Jim back posting again along with the rest of us!