The ABB/Microsoft position on security

Face it, cyber disasters will happen. It is impossible to guard against all of them. As Microsoft's Don Richardson put it, "You can have all the security in place that you want, and that you need, and somebody pulls the power on a PLC and you're dead anyway." The trick is to have a recovery plan, and implement it.

What is Microsoft doing? They're increasing support commitments: a 10-year MINIMUM commitment for software, and a 5-year MINIMUM commitment for both mainstream and extended support. Microsoft has increased its participation in industry groups: ISA, OMAC, and others. "I really like S99," Richardson said.

Microsoft Consulting Services now offers a two-week security assessment for industrial manufacturing plants. The first week is an audit of all Microsoft software and the hardware it runs on, and a risk assessment for each device. The second week is a deep dive into the plant network to identify security issues and constraints. The price of this consultation varies from a low of $2K to a benchmark of $40K depending on the facility. But as Richardson put it, "If you don't need to connect your system, don't. If you do need to connect your system, do the things that you need to do to keep your plant secure, and work with your enterprise IT department to help you set them up properly."

What is ABB doing? They are committed to Microsoft's SD^3 + Communication initiative: Secure by Design, Secure by Default, Secure in Deployment, and Communication. They've activated a new ABB security website, with whitepapers, etc. It went live on Friday of last week, and I don't have the URL yet. Watch this space and I'll post it later today or tomorrow.

Richardson, responding to a question about support longevity, said that Microsoft is considering a lifecycle that is also service pack dependent.

Comments?

--Walt Boyes