By Nicholas Sheble
“The impact of Stuxnet was threefold: it provided proof of concept for the risk of attack, it exposed corporate executives and the public to the danger of cyber attacks, and it opened the floodgates for cyber security researchers,” cyber security expert John Cusimano said Tuesday.
Cusimano is director of exida’s security services division and has a strong background in process automation safety and security. He presented at the Industrial Control Systems Cybersecurity Assurance Webinar Tuesday.
Cusimano offered strategies for end users that emphasize developing a security lifecycle approach, and strategies for suppliers that recommend evaluation and testing of their products as well as third-party certification.
The crux of this webinar is the value of third-party certification, and in particular that of the ISA Security Compliance Institute. Graham Speake, a principal systems architect at Yokogawa Electric Corporation, spoke to that aspect during the webinar.
Speake is the marketing chair for the ISA Security Compliance Institute (ISCI), co-chair of the International Group for the Industrial Control Systems Joint Working Group, and an editor for the ISA99 standards.
ISCI has developed ISASecure Certification specifications using the framework of the ISA99 standard. The ISASecure program uses the security lifecycle concept for automation controls, organized into three broad lifecycle phases that include:
• Devices and systems – Conform to ISASecure requirements (products constructed to secure characteristics and behaviors)
• Supplier practices – Product development life cycle (design for security)
• User practices – Integration/deployment, operations, life cycle management (manage for security).
The first ISASecure certification, Embedded Device Security Assurance (EDSA), focuses on the security of embedded devices and addresses device characteristics and supplier development practices for those devices.
An embedded device that meets the requirements of the ISASecure EDSA specification earns the ISASecure EDSA certification, a trademarked designation that provides instant recognition of product security characteristics and capabilities, and provides an independent industry stamp of approval similar to a Safety Integrity Level (SIL) Certification.
There are three levels of ISASecure EDSA certification for a device, which reflect increasing levels of device security assurance. All levels of security certification granted under this program contain the following technical elements:
• Functional security assessment
• Software development security assessment
• Communication robustness testing
“So far there are four products that are certified,” said Cusimano. “We want to eventually move beyond certifying devices to certifying entire systems, to a system security assurance certification. This program is under development.”
The webinar also touched on these topics:
• Sources of security incidents
• Examples of industrial cyber security incidents, beyond Stuxnet
• An overview of Project Basecamp results — real results on real systems
• Strategies for end users for improving industrial cyber security and how suppliers can help
• Information about the ISA99/IEC62443 standard, Security for Industrial Automation and Control Systems, and the necessity for certification to this standard
Some useful resources on the topics of cyber security and device certification are:
American National Standards Institute Accreditation Services – ISASecure.
The Repository of Industrial Security Incidents is a database of incidents of a cyber security nature that threatened process control, industrial automation or supervisory control and data acquisition (SCADA) systems.
ISASecure Embedded Device Security Assurance Certification. http://www.isasecure.org/Home.aspx
Nicholas Sheble (email@example.com) is an engineering writer and technical editor in Raleigh, NC.