those will be rolled up into the IEC (for International Electrotechnical Commission) for development as an international standard,” says Angevaare. “We are still waiting, but I don’t think we can expect a lot [from ISA99] within the next year.”

Work on Shell’s internal standards was first begun four to five years ago, and the standards are now fully in place, he says. Given that security threats and mitigation technologies continue to evolve rapidly, Shell is committed to continuously improving and optimizing these internal standards as well, Angevaare adds.

Among other activities, Shell is also working with Wurldtech Security Technologies, a Vancouver, British Columbia, Canada-based company, to develop certification programs for Shell’s control-systems vendors, says Angevaare. Under one program, Shell will require each vendor to obtain a “basic security certificate” from Wurldtech, which will check to ensure that the vendor meets Shell basic cyber-security requirements.

Banned laptops

Items covered will include a vendor’s use of security patches and its patching procedures, along with its use of system hardening and other steps to protect its products. The basic certification will also restrict vendor policies and procedures during activities such as site acceptance tests and field acceptance tests, including the use of laptop PCs on a job site, which could introduce worms or viruses into a control system network. “Imagine you have a start-up of a facility and you have hundreds of vendor representatives running around with laptops under their arms,” says Angevaare. “We can no longer accept this, and this basic security certification that we are launching and developing together with Wurldtech should put a stop to that.”
 
Shell is also working with Wurldtech on its Achilles certification program, which subjects vendor control systems to a series of  tests designed to determine robustness and resistance to cyber attacks. Controllers that pass currently receive Wurldtech’s Achilles Level 1 certified designation.

“Achilles testing is not mandatory at the moment in Shell, but is still optional,” says Angevaare. “We don’t want to overwhelm the vendors by giving them too much too quickly to comply to.” Current plans call for making the Shell basic security certificate mandatory for vendors later this year when the program is completed, says Angevaare. Shell then plans to mandate Achilles Level 1 certification for its vendors “sometime during 2010,” he concludes.

Subscribe to Automation World's RSS Feeds for Feature Articles