ESSENTIAL COMMUNICATIONS
Figure 1. Meetings between people in operations and IT can enable each group to better understand what the other is doing. Source: Emerson Process Management.
“Before Stuxnet, users thought they were not security targets and were secure by being obscure. Security was not a ‘hot topic’ for them. Then came Aramco and Shamoon, and there is now a lot more emphasis on security by our customers. As a result, we’ve added more features and certifications to our products since then,” notes Huba.
THE ROLE OF CERTIFICATIONS
Emerson has been Achilles Communications level 1 certified since DeltaV version 8 in 2006. (The certification comes from Wurldtech, Vancouver, B.C., which offers two security certification programs, Achilles Communications for device robustness with wire and wireless communications protocols, and Achilles Practices for practices used in system development lifecycle processes.) The company currently is working on Achilles Communications level 2, which should be completed in early 2015. In addition, the company has been Achilles Practices certified since 2011 and will complete its third annual certification by the end of 2014.
Users certainly should look for such certifications, says Huba. However, the success of any solution depends on how well a particular user understands cyber security as a whole, he cautions. “Certification doesn’t make you secure; what it does do is assure the user that we have done a certain level of testing and have the expertise and awareness needed for that piece of equipment. It’s very, very different from ATEX certification, for example, which gives a guarantee against a piece of equipment failing. You can’t get an absolute guarantee of security.”
It’s important that users understand what the different certifications actually signify, he notes. Achilles Communications level 1, for example, means equipment can withstand a certain level of attack before it starts to respond inappropriately. ISA Secure (from the Security Compliance Institute of the International Society of Automation, Research Triangle Park, N.C.) adds some nuances to this, but is still focused on devices rather than systems. On the other hand, Achilles Practices certification means that a vendor complies with the cyber security standard of the International Instrument Users Association (WIB), Den Haag, the Netherlands, and thus is capable of providing products and services that make systems more secure.
“I don’t think customers grasp this difference. They have to be intelligent about security in order to make intelligent decisions on what it can really do. While safety certifications ensure products are certified, systems and procedures have also to be put into place for full system security. Right now, however, there is no system certification for cyber security,” Huba stresses.
Cyber threats won’t disappear. So, you’re never done; there are no “plug in and forget” solutions, he adds. Keeping up-to-date with upgrades, updates, patches and the like is essential; constant vigilance is very important.
To spur such vigilance, Emerson is striving to educate customers on the whole security issue. At the heart of this is an effort to ensure people on the operations side get a much better understanding of what people on the information technology (IT) side are doing and vice versa (Figure 1). “Companies are in different places with this IT/automation understanding, but for progress you have to understand how an automation system is designed, developed and run. Once IT and operations people understand each other and work together, we will get very much better security,” he concludes.
While everything is a potential target, the success of any attack depends on the inherent vulnerabilities, the criticality of the assets and the ability to exploit these weaknesses — whether in the control, supervisory-control-and-data-acquisition (SCADA) or safety systems or in web gateways, databases or email infrastructure, stresses Schneider Electric. So, as the industry moves toward ISA Secure regulations, particularly EDSA (embedded device security assurance), SSA (system security assurance) and IEC 62443 (network and system security for industrial-process measurement and control), all Schneider Electric automation developments now encompass security from concept to delivery.
“An important security consideration, regardless of the industry, is risk calculation. This ultimately provides the appropriate framework and controls necessary to protect the most critical assets,” says Abdallah.
“Automation systems will continue to be targets but the appropriate and responsible reaction by vendors must be how to manage the vulnerabilities and risks to acceptable levels. We can’t control threats, they will always be there. What we can do, however, is deliver a consistently updated, protected and hardened system that utilizes several layers of defense (defense in depth) to protect the most critical assets,” adds Gloucester, U.K.-based Gary Williams, Schneider Electric’s technology manager, cyber security and communications.
The company sees great value in using next-generation firewalls, configured with specific single source/destination policies, security zones, network anti-virus, intrusion prevention and deep packet inspection.