Voices: Feedback

Your Skills; Security Requirements for Vendors

Getting the Message Across. WIB's Security Requirements for Vendors is a Good Start

Message Bears Repeating
Good opening on your Editor's Page, Walt (Nov. '10, p. 9, www.controlglobal.com/articles/2010/INdustrialGrowthCurve1011.html). I agree with the message.

You've been pushing the same cart consistently over the years. It's one of those messages that needs to be banged out. And, although I fear it will fall on many a deaf ear, the message doesn't have to win over everyone. A few will do. There's always next month.
 
Dennis Nash
President & CEO, Control Station, Inc.
dennis.nash@controlstation.com

Standard or Not?
Regarding the recent release of the International Instrument Users Association's (WIB) document, "Process Control Domain—Security Requirements for Vendors," (www.controlglobal.com/industrynews/2010/222.html):
I read over the WIB document, and found it to be a good start toward definition as a procurement guideline, but it should not be thought of as a cybersecurity standard.

The document clearly states its purpose as a procurement guideline, not a cyber security standard. The steps to defining a structure of points of consideration for procurement were captured, but the explicit statements in many cases are incorrect or contain misinformation. Some of the issues have yet to be resolved.

It is true that harmonization is needed. I do believe establishing a standard for procurement of systems to offer necessary cyber security is good, and there is no such guideline that I am aware of. However, there are further refinements needed in the WIB document. WIB can call something "standard," but without clarification of its purpose in the title, it sounds like something different.

When informed readers read the text of the article and then read the document, they see two different things, and there are many informed readers who understand the difference. I simply believe the title should indicate what it is, and I think ISA-99 should also review the document.

If WIB provides a neutral guideline, it could be recognized as useful. They even stated that they reviewed the various NIST documents, and I certainly see where they copied certain aspects from those documents. That does not mean that the government endorses their position, and this statement of non-endorsement should appear in the document. This document, used for procurement, becomes legally binding between the supplier and end user, and there are additional points that should appear in such a document.
How does controlglobal.com view the WIB document?
 
W.J.MILLER
PRESIDENT, MaCT,
Mact-usa@att.net

Walt Boyes responds: WIB is a very longstanding organization that does indeed write standards, and also technical reports. If they say it is a standard, then it is. Personally, I think it is a great step forward. I'd like to see some harmonization of cybersecurity standards because we are in some very great danger of being in the position of the Dutch professor Andrew Tanenbaum, who famously said, "The nice thing about standards is that there are so many of them to choose from."

Being that I operate an unbiased news source, I am obligated to print (or post) press releases that I believe are significant. We clearly identify them as such, and we may or may not feel that commentary is necessary. In this case, I didn't think so.

Some people appear to believe that I should have posted this release with a great deal of negative commentary. I don't agree, and in the publishing business, "It's good to be king." That's why we provide comment capability that is moderated only to keep spammers and scatological posts from being published.
