Voices: Feedback

Your Skills; Security Requirements for Vendors

Getting the Message Across. WIB's Security Requirements for Vendors is a Good Start

Message Bears Repeating
Good opening on your Editor's Page, Walt (Nov. '10, p. 9, www.controlglobal.com/articles/2010/INdustrialGrowthCurve1011.html). I agree with the message.

You've been pushing the same cart consistently over the years. It's one of those messages that needs to be banged out. And, although I fear it will fall on many a deaf ear, the message doesn't have to win over everyone. A few will do. There's always next month.
 
Dennis Nash
President & CEO, Control Station, Inc.
dennis.nash@controlstation.com

Standard or Not?
Regarding the recent release of the International Instrument Users Association's (WIB) document, "Process Control Domain—Security Requirements for Vendors," (www.controlglobal.com/industrynews/2010/222.html):
I read over the WIB document, and found it to be a good start toward definition as a procurement guideline, but it should not be thought of as a cybersecurity standard.

The document clearly states its purpose as a procurement guideline, not a cyber security standard. The steps to defining a structure of points of consideration for procurement were captured, but the explicit statements in many cases are incorrect or contain misinformation. Some of the issues have yet to be resolved.

It is true that harmonization is needed. I do believe establishing a standard for procurement of systems to offer necessary cyber security is good, and there is no such guideline that I am aware of. However, there are further refinements needed in the WIB document. WIB can call something "standard," but without clarification of its purpose in the title, it sounds like something different.

When informed readers read the text of the article and then read the document, they see two different things, and there are many informed readers who understand the difference. I simply believe the title should indicate what it is, and I think ISA-99 should also review the document.

If WIB provides a neutral guideline, it could be recognized as useful. They even stated that they reviewed the various NIST documents, and I certainly see where they copied certain aspects from those documents. That does not mean that the government endorses their position, and this statement of non-endorsement should appear in the document. This document, used for procurement, becomes legally binding between the supplier and end user, and there are additional points that should appear in such a document.
How does controlglobal.com view the WIB document?
 
W.J.MILLER
PRESIDENT, MaCT,
Mact-usa@att.net

Walt Boyes responds: WIB is a very longstanding organization that does indeed write standards, and also technical reports. If they say it is a standard, then it is. Personally, I think it is a great step forward. I'd like to see some harmonization of cybersecurity standards because we are in some very great danger of being in the position of the Dutch professor Andrew Tanenbaum, who famously said, "The nice thing about standards is that there are so many of them to choose from."

Being that I operate an unbiased news source, I am obligated to print (or post) press releases that I believe are significant. We clearly identify them as such, and we may or may not feel that commentary is necessary. In this case, I didn't think so.

Some people appear to believe that I should have posted this release with a great deal of negative commentary. I don't agree, and in the publishing business, "It's good to be king." That's why we provide comment capability that is moderated only to keep spammers and scatological posts from being published.

01/10/2011