Voices: Feedback

Your Skills; Security Requirements for Vendors

Getting the Message Across. WIB's Security Requirements for Vendors is a Good Start

Message Bears Repeating
Good opening on your Editor's Page, Walt (Nov. '10, p. 9, www.controlglobal.com/articles/2010/INdustrialGrowthCurve1011.html). I agree with the message.

You've been pushing the same cart consistently over the years. It's one of those messages that needs to be banged out. And, although I fear it will fall on many a deaf ear, the message doesn't have to win over everyone. A few will do. There's always next month.
Dennis Nash
President & CEO,Control Station, Inc.

Standard or Not?
Regarding the recent release of the International Instrument Users Association's  (WIB) document, "Process Control Domain—Security Requirements for Vendors," (www.controlglobal.com/industrynews/2010/222.html):
I read over the WIB document, and found it to be a good start toward definition as a procurement guideline, but it should not be thought of as a cybersecurity standard.

The document clearly states its purpose as a procurement guideline, not a cyber security standard. The steps to defining a structure of points of consideration for procurement were captured, but the explicit statements in many case are incorrect or contain misinformation. Some of the issues have yet to be resolved.

It is true that harmonization is needed. I do believe establishing a standard for procurement of systems to offer necessary cyber security is good, and there is no such guideline that I am aware of. However, there are further refinements needed in the WIB document. WIB can call something "standard," but without clarification of its purpose in the title, it sounds like something different.

When an informed readers read the text of the article and then read the document, they see two different things, and there are many informed readers who understand the difference. I simply believe the title should indicate what it is, and I think ISA-99 should also review the document.

If WIB provides a neutral guideline, it could be recognized as useful. They even stated that they reviewed the various NIST documents, and I certainly see where they copied certain aspects from those documents. That does not mean that the government endorses their position, and this statement of non-endorsement should appear in the document. This document, used for procurement, becomes legally binding between the supplier and end user, and there are additional points that should appear in such a document.
How does controlglobal.com view the WIB document?

Walt Boyes responds: WIB is a very longstanding organization that does indeed write standards, and also technical reports. If they say it is a standard, then it is. Personally, I think it is a great step forward. I'd like to see some harmonization of cybersecurity standards because we are in some very great danger of being in the position of the Dutch professor Andrew Tanenbaum, who famously said, "The nice thing about standards is that there are so many of them to choose from."

Being that I operate an unbiased news source, I am obligated to print (or post) press releases that I believe are significant. We clearly identify them as such, and we may or may not feel that commentary is necessary. In this case, I didn't think so.

Some people appear to believe that I should have posted this release with a great deal of negative commentary. I don't agree, and in the publishing business, "It's good to be king." That's why we provide comment capability that is moderated only to keep spammers and scatological posts from being published.

More from this voice


Your Skills; Security Requirements for Vendors

Getting the Message Across. WIB's Security Requirements for Vendors is a Good Start


Wireless a Matter of Choice

End Users Get to Choose Which Protocol Meets Their Needs the Best


Where to Go for Training

Process Automation Engineers Look for Online Training. Do You Know of Any Programs?


When to Trust the Operators

Not Every Abnormal Situation Can Be Foreseen, so the Question Becomes Where Do You Draw the Line?


What's the Best PID Execution Time?

We Still Should Remember the Nyquist Sampling Theorem


What's Wrong with VFDs?

Why Is There Limited Adoption of VFDs in the Process Industry?


What Happened to the E and T in STEM?

Schools Today Keep Emphasizing the S and the M, but Hardly Concentrate on Teaching Engineering and Technology Areas of Manufacturing, Construction, Communications and Transportation


Twitter Time Well-Spent

Using Twitter to Listen and Discover New Things Is Time Well Spent


Thoughts on Without Wires

Wireless Is Used Instead of Doing Nothing at All or Doing It Manually


The Future of Manufacturing?

Here Is A Reader's Point of View on What Manufacturing in America Actually Would Look Like


The Case Against Lambda Tuning

Understand the Framework of Using Internal Model-Based Control (IMC) to Come Up With PID Parameters


Thanks for the Thought

Seeing Things in a Different Way. It Takes a Little More Than Just Turning On the Faucet to Get a Drink


Technology: Keep the Print

Don't ever Kill the Magazine


Taking on Industrial Control Security Issues

What's It Going to Take Before We Start Getting Real about Industrial Control Security Issues


Summer and Stuxnet

Talking Plant Cybersecurity in the Light of Stuxnet. With No Certifications for Control System Cybersecurity, Anyone Can Be an Expert. Who Does an End User Believe?


Securing Control Systems in Cyberspace

One of Our Readers Says That Even the ISA99 Memeber Will Say It Is Hard to Quantify Security From Their Security Access Level (SAL) Work


Safety First?

The Wind Power Industry Is Experiencing a Learning Curve in Safety and Accident Prevention


STEM: Competent People Reply

Lets Help Our STEM Students While They're Still Students


Really? A Political Diatribe?

Reader Disagrees with Editor in Chief Walt Boyes's View on External Cyber Attacks Dangers and U.S. Cybersecurity Policies


Readers Respond to Cybersecurity and Temperature Measurement Compensation

Readers Agree With Our Cybersecurity Coverage and Ask Why the Methods of Compensation Were Not Addressed by Our Industry Experts