Over the past few years, research has shown that SCADA and control systems products often have serious security vulnerabilities. These vulnerabilities leave the control systems exposed to viruses, hackers and possibly terrorist activities from around the world. Industry standards like those arising from ISA-SP99 and NERC CIP-2-9 and the work of the OMAC MSMUG group have been addressing this issue from an end-user perspective, but this initiative aims to help define methods by which suppliers of products can validate that their products afford the necessary level of secure operation.
Industry leaders from major control system operators and manufacturers are initiating this effort to create a set of well-engineered specifications and processes for the testing and certification of critical control systems products. With this program, control system suppliers would be able to offer products that are proven to meet a standard set of minimum security requirements.
To effectively frame the opportunity, Wurldtech Analytics will lead a detailed evaluation and development of a formal proposal. This will result in a well-defined model for the creation and operation of the security certification organization. Joann Byres, Director of Applied Research of Wurldtech Analytics, said, "The deliverables for the study will include:
- Investigation of critical success factors in industrial certification organizations
- An incorporation model designed to best meet the needs of industry (e.g. non-profit or for-profit)
- A proposed accreditation model and guidelines for interaction with standards bodies
- Governance, membership, code of conduct and voting model
- Legal and property rights guidelines
- Proposed budget and membership fee model
- A multiyear time line and milestones for the setup and operation of the organization
- Long-term sustainability of the organization
- Estimation of member commitment requirements in time and people
We expect the proposal will be completed by September 2006 and an organization could be launched in early 2007."
"Our vision is that any certification organization that arises will work very closely with existing standards groups. We'd give them both the draft documents that can be formulated as standards and the supporting research to enable informed decisions on security standards. We welcome The Automation Federation's support, especially because of the work of ISA and OMAC in the security standards arena, and we're looking forward to a close partnership," said Eric Byres, Director of Wurldtech Analytics, a research group leading the initiative.
The ISA-SP99 Committee has been working on establishing standards for implementing electronically secure manufacturing and control systems. The committee is focused on security practices and assesses electronic security performance. Guidance is directed towards those responsible for designing, implementing, or managing manufacturing and control systems and would also apply to users, system integrators, security practitioners, and control systems manufacturers and vendors.
OMAC formed the Microsoft Manufacturing User Group (MSMUG) in 1999 to address issues that arise when applying Microsoft technology in manufacturing. One part of the group focuses solely on reliability and security by developing best practices for configuring Windows in a control system environment.
"The Automation Federation's participation helps to broaden the visibility and level of end user support. Our collaboration with The Federation staff in identifying the various business and legal issues involved will really benefit the initiative," said Joann Byres, Director of Applied Research for Wurldtech.
"When we created The Automation Federation, this is the type of work we envisioned participating in. All of the member organizations can coordinate their support in a collaborative way, and really make a difference in an important venture," said ISA President Ken Baker.