What's important about MUSIC?

So what's the big deal? Here's the problem in a nutshell:

- No methodical, repeatable or readily-available benchmarking process currently exists for measuring product resiliency, safety, robustness or security for software or hardware in the industrial and process control markets.

What MU is offering:

- MUSIC would offer vendors and their users independently-performed testing of product safety and security profiles;
- Testing provided in an automated manner, both verifiable and repeatable;
- Certification by Mu or Authorized Partner analyzes test data;
- Built-in path to evolve testing and analysis to one or more draft standards, several now underway (e.g. ISA Security Compliance Institute (ISCI) and ISA-SP99).

First, MU has been around IT security for quite some time, and has an excellent reputation.

Second, they've had excellent advice from people like Eric Byres, Dale Peterson, Joe Weiss, and yours truly, among others, about the differences between IT security and the types of cybersecurity needed on the plant floor.

Third, I'd like to re-quote Kevin Staggs, of Honeywell, from MU's press release for the kicker:

"Security is not a specific product, it's an ongoing process," said Kevin Staggs, Engineering Fellow and Global Security Architect at Honeywell Process Solutions. "Mu Security is helping the industry by creating a repeatable and metrics-based process that maps to current standard tracks including the ISA SP99 draft standard." (emphasis mine)

And, of course, the ISCI compliance institute. I asked Adam Stein, MU's VP of Marketing, if that meant that MU was willing to deed its intellectual property to the SP99 standards group, and he said that he wasn't sure that there was much IP that was affected, since most of their work is based on open standards, but that MU would conform to the canons of the standards-making process.
So, while we wait for SP99 to complete their work, and for ISCI to be set up to test compliance to the forthcoming ISA-99 standard, we can use the MUSIC suite to benchmark products, both as they leave the plant where they are made AND IN SITU FOR EXISTING PRODUCTS. Mu expects partnering announcements over the next few months from some of the largest names in automation. At this writing, I am informed that Honeywell plans some sort of announcement regarding MU Security for later this week, but the subject of the announcement is embargoed. More on this later. I will be recording a podcast interview with Kevin Staggs on Wednesday regarding this and other cybersecurity issues.

What are your comments?


Comments

  • Walt,

    Since you mentioned my name in this post I want to be clear that I have no affiliation with Mu or their MUSIC certification. I've talked with some people at Mu and blogged on them occasionally, as we try to do with all SCADA security issues. I've never used or tested their product.

    We have in fact thrown our support behind Wurldtech's Achilles platform and certification for reasons that can be easily found on our site. We even helped Wurldtech structure the certification program, as a paid consultant.

    Mu is probably a fine product and anything that identifies vulnerabilities in control systems and rewards vendors that do a good job with security is a plus.

    Dale Peterson Digital Bond, www.digitalbond.com


  • Well, that's fine, Dale, and I should have noted that you are a paid consultant for Wurldtech. But there are some significant differences between the Wurldtech Achilles platform and MU's MUSIC, and frankly, I like MUSIC better. Among the differences are the openness with which MU Security operates, and their intent to work closely with the SP99 committee and ISCI.

    MU's certification appears to me to more closely meet the requirements of process automation than Achilles.

    JMHO

    Walt

