Certified Security, It’s Coming

Industrial controllers, devices and networks that are certified secure—comprehensively secure—don’t exist, for the simple reason that the standards are not all in place. But bits and pieces of the puzzle are coming together.
If you want to hush a group of control engineers, simply say, “Stuxnet.”

In mid-2010, black hats took over software-based supervisory control at a handful of plants in highly targeted attacks. Similar types of malicious attacks, of course, have been at work in the personal computing world for decades—a land where battles against malware have long been highly visible. Waves of grief have washed over that universe, thanks to worms, viruses, misdirections, application stoppages, deliberate file corruption, you name it.

Still, it was something of a surprise when Stuxnet brought malware into the industrial spotlight. Plenty of speculation suggests the attack was specific, nation against nation, with military development the target. And while this is a bit of a relief if you make orange drink rather than nuclear arms, the specter is now raised, and it will not go away.

Unfortunately, it is no harmless bogeyman. The more closely your products contribute to military applications, national security or social infrastructure, the more frightening the possibilities are. But what if you could simply take your next network out of the box, check its labels or docs for security standards compliance, and relax, knowing that your whole control system will be immune to attack?

Yes, Virginia, standards are either in place or about to be.

Standards in place

Individual devices available today carry certification that they are in compliance with Wurldtech, a Vancouver, B.C. security technologies company providing cyber security under the Achilles moniker—specifically, certified for communications security. Based on groundwork from Dutch consortium WIB (Werkgroep voor Instrument Beoordeling; in English, Workgroup on Instrument Behavior), both the Achilles device certification and a second Achilles process certification around good networking product development practices lay down “a set of requirements and an associated certification program for suppliers to follow … to improve the quality of their cyber security processes and practices throughout the entire lifecycle of an industrial system.”

WIB and Wurldtech benefited from extensive work and input from Shell, British Petroleum, Invensys, Honeywell, ABB, Dow, DuPont, Sabic and a number of other large players in highly security-conscious industrial segments.

The two Wurldtech certification types illustrate the two primary strategies for securing a system: One focuses on specific operational parameters of specific devices; the other focuses on the research and development processes employed in the making of industrial networking components. The first measures the ability of features built into a device to prevent unauthorized access against a specific suite of attacks. The second prescribes the design criteria and available cyber security features required for the creation of a malware-resistant component, with the objective of ensuring that everything required to fend off attacks will be available to a trained implementer.

In the future, manufacturing equipment will be certified to standards such as those issued from the ISA99 industrial cyber security committee. As with most International Society of Automation (ISA) standards, these are intended to be comprehensive, and the process from conceptualization to standards publication is necessarily a long one.

The committee’s description of its purpose underlines the broad scope: “Develop and establish standards, recommended practices, technical reports, and related information that will define procedures for implementing electronically secure industrial automation and control systems and security practices, and assess electronic security performance. Guidance is directed towards those responsible for designing, implementing, or managing industrial automation and control systems and shall also apply to users, system integrators, security practitioners, and control systems manufacturers and vendors.”

Do we want standards?

In general, users want standards, at least according to a recent poll of Automation World readers (see sidebar, “Yes, No, Maybe”), where 65 percent of respondents indicated they wanted devices to be certified for cyber security. But—no matter how black and white the hats in the cyber shootout—the issues still have many gray areas.

“A lot of people ask for the architecture,” says Bryan Singer, principal consultant, Kenexis Security Corp. and co-chair of the ISA99 Committee. “ ‘Tell us what the architecture is and we’ll be done,’ they say. But technology changes too fast for that, both the technologies in controls and the technologies in malware. The answer lies in design processes—practices and procedures, strategies for commissioning systems, designs for operating and maintaining systems.”

In one sense, the ISA99 standards have a head start. In addition to WIB/Wurldtech parameters, ISA99 has welcomed basic concepts from guidelines and strategies across a number of industries, including roadmaps issued by the U.S. Department of Homeland Security, North American Electric Reliability Corp.’s (NERC) Critical Infrastructure Protection (CIP) guidelines, Airlines Electronic Engineering Committee (AEEC) Network ...
