Voices: Feedback

Your Skills; Security Requirements for Vendors

Getting the Message Across. WIB's Security Requirements for Vendors is a Good Start

Message Bears Repeating
Good opening on your Editor's Page, Walt (Nov. '10, p. 9, www.controlglobal.com/articles/2010/INdustrialGrowthCurve1011.html). I agree with the message.

You've been pushing the same cart consistently over the years. It's one of those messages that needs to be banged out. And, although I fear it will fall on many a deaf ear, the message doesn't have to win over everyone. A few will do. There's always next month.
 
Dennis Nash
President & CEO,Control Station, Inc.
dennis.nash@controlstation.com

Standard or Not?
Regarding the recent release of the International Instrument Users Association's  (WIB) document, "Process Control Domain—Security Requirements for Vendors," (www.controlglobal.com/industrynews/2010/222.html):
I read over the WIB document, and found it to be a good start toward definition as a procurement guideline, but it should not be thought of as a cybersecurity standard.

The document clearly states its purpose as a procurement guideline, not a cyber security standard. The steps to defining a structure of points of consideration for procurement were captured, but the explicit statements in many case are incorrect or contain misinformation. Some of the issues have yet to be resolved.

It is true that harmonization is needed. I do believe establishing a standard for procurement of systems to offer necessary cyber security is good, and there is no such guideline that I am aware of. However, there are further refinements needed in the WIB document. WIB can call something "standard," but without clarification of its purpose in the title, it sounds like something different.

When an informed readers read the text of the article and then read the document, they see two different things, and there are many informed readers who understand the difference. I simply believe the title should indicate what it is, and I think ISA-99 should also review the document.

If WIB provides a neutral guideline, it could be recognized as useful. They even stated that they reviewed the various NIST documents, and I certainly see where they copied certain aspects from those documents. That does not mean that the government endorses their position, and this statement of non-endorsement should appear in the document. This document, used for procurement, becomes legally binding between the supplier and end user, and there are additional points that should appear in such a document.
How does controlglobal.com view the WIB document?
 
W.J.MILLER
PRESIDENT, MaCT,
Mact-usa@att.net

Walt Boyes responds: WIB is a very longstanding organization that does indeed write standards, and also technical reports. If they say it is a standard, then it is. Personally, I think it is a great step forward. I'd like to see some harmonization of cybersecurity standards because we are in some very great danger of being in the position of the Dutch professor Andrew Tanenbaum, who famously said, "The nice thing about standards is that there are so many of them to choose from."

Being that I operate an unbiased news source, I am obligated to print (or post) press releases that I believe are significant. We clearly identify them as such, and we may or may not feel that commentary is necessary. In this case, I didn't think so.

Some people appear to believe that I should have posted this release with a great deal of negative commentary. I don't agree, and in the publishing business, "It's good to be king." That's why we provide comment capability that is moderated only to keep spammers and scatological posts from being published.

More from this voice

Title

Feedback: Cybersecurity and the Beltway Bandits

What, Specifically, in the XO Evinces or Promotes a Lack of Understanding of the Different Cybersecurity Requirements for Business IT and Industrial Process Control Systems?

08/01/2013

Cyber Vulnerabilities

Defending Targeted Attacks Is a Higher Bar. Focus on Prevention Alone Is Probably a Mistake

02/14/2014

Control Readers Speak Up

International Readers Lets Us Know About Automation Training Opportunities Abroad and One of Our Readers Challenges Our Contributing Editor, Bela Liptak

03/08/2011

Boiler Tuning Question

What Is the Best Method to Tune PID Values for Three-Element Drum Level Control in the Boiler?

02/14/2014

Basics of Analyzer Systems Busted!

You're Right. Here's the Correct Wording

11/03/2011

Automation and Fukushima: Not So Fast

A Reader Responds to Liptak's Article on Fukushima Saying That We Have No Reason to Suspect That the Instruments Did Not Operate Correctly. Liptak Responds

05/01/2013

Automation Apps, Gaming Systems and Thermodynamic Steam Quality

Readers Ask for Clarification on Some of Our Latest Articles

06/07/2011

Answer to Our Question of the Month

Would You Pay for Outside Help to Address Cybersecurity Issues?

11/03/2011

Analog or Digital Output?

Do You Prefer Analog or Digital Output to Monitor Operating Parameters? If you Haven't Checked Out the ControlGlobal Discussion Group on LinkedIn, You Should.

09/05/2013

An Update on Liptak and Shinskey

Greg Shinskey Continues to Do Consulting and Bela Liptak Talks on Optimization and Safety

02/06/2012

An Alarming Disconnect?

The Values of Alarm Limits Are the Biggest Single Factor Governing Alarm Performance

02/14/2014

A Cybersecurity Wiki?

There Should Certainly Be a Wikipedia-Like Site for Security Professionals to Turn To for Proven, Tested Remedies and Suggestions

09/01/2011