A simple proposal...

Control Systems Security Foundation

A Proposal

The Issue:

Over the past few years researchers have shown that SCADA and control systems products often have serious security vulnerabilities. These critical devices were not designed with security in mind, so these vulnerabilities leave the control systems exposed to viruses, hackers and possibly terrorist activities from around the world. Control system owner/operators, equipment vendors and governments are well aware of this situation and are attempting to address it through a number of operations-focused standards such as ISA SP-99 and NERC CIP-2-9. While these efforts will help the end-users ensure that their control systems are managed in a secure manner, there are no coordinated efforts under way to establish procedures for the security testing and certification of the actual products used for control. In the absence of any product security standards, end users are developing their own specifications, often with little technical understanding of how to properly evaluate a product's security. Those companies and research laboratories that do have the knowledge for proper evaluation are expending significant resources to do so, and are creating conflicting requirements that ultimately make compliance difficult for the vendors.

The Solution:

Industry leaders from a number of major control system operators and manufacturers have proposed that an independent organization be formed to create a set of well-engineered specifications and processes for the testing and certification of critical control systems products. Similar in concept to the internationally accepted TÃœV certification for Safety Instrumented Systems, control system vendors would be able to offer products that are proven to meet a standard set of minimum security requirements. As the industry as a whole evolves, we envision a natural outgrowth of this organization to include processes for security certification of the installation of a system in addition to the certification of the products. Furthermore, the organization would work closely with existing standards groups, supplying them with both the draft documents that can be formulated as standards and the supporting research to enable informed decisions on security standards.

Benefits:

For end users, this certification process will result in significantly reduced costs and time commitment in product selection and acceptance. It will also help ensure that products are more secure "˜out of the box'. For vendors the organization will provide a single testing framework and an industry stamp of approval, resulting faster time to market and lower development and integration costs. These benefits are consistent with the benefits of TÃœV testing of Safety Instrumented Systems.

Initial Feasibility Study:

Before an effective control system security testing and certification program can be created, it is essential that a members-based organization be founded to manage and fund the process. This organization needs to be global in scope, include vendors, system integrators and end-users and be open and inclusive to all (except to those that clearly pose a threat to security). To effectively frame the opportunity, it is proposed that Wurldtech Analytics Inc. lead a detailed evaluation & development of the proposal. This will result in a well-defined model for the creation and operation of the security certification organization. Deliverables for the study would include: "¢ Investigation of critical success factors in industrial certification organizations "¢ An incorporation model designed to best meet the needs of industry (e.g. non-profit or for-profit) "¢ A proposed accreditation model and guidelines for interaction with standards bodies "¢ Governance, membership, code of conduct and voting model "¢ Legal and property rights guidelines "¢ Proposed budget and membership fee model "¢ A multiyear time line and milestones for the setup and operation of the organization "¢ Long-term sustainability of the organization "¢ Estimation of member commitment requirements in time and people The scouting study will be complete by September 15, 2006, and it is anticipated that the organization will be established in January 2007.

Funding:

The total cost of this study is estimated to be $25,000 USD. Assuming that 10 companies contribute to this study, the cost for each contributing company is $2,500 USD. These funds will be used to deliver the scoping study into the proposal, in addition to providing sufficient financial coverage of the subsequent review and buy-in of the founding members. Detailed cost accounting will be available to all contributors upon request. Any contribution to this initial start-up effort will not in anyway commit the contributing company to future involvement in the compliance organization.