Standards Provide Solid Support for Security Programs

April 30, 2014
As companies push forward with security projects, many are basing them on standards and guidelines.

These documents help developers ensure that they’ve considered multiple threats and options while still implementing safeguards in a way that fits within their architectures.

ISA 99 is one of the earliest security specifications, and it’s become one of the most popular. It’s been certified by the International Electrotechnical Commission (IEC), which lets global companies use the same specification for all designs.

“When ISA 99 got international certification as IEC 62443, it really gave the standard a huge kick,” says Eric Byres, chief technology officer for Belden’s Tofino Security. “Companies don’t want to comply with standards for every country, so this was important.”

Several other groups provide advice on security. The National Institute of Standards and Technology (NIST) provides a number of documents for cryptography and other aspects of data protection. The National Industrial Security Program also provides guidelines that include techniques for removing data from unwanted equipment.

Many U.S. companies are using documents created by the North American Electric Reliability Corp. for electrical utility suppliers. Its critical infrastructure protection (NERC CIP) is seeing increased use in a range of industries that aren’t involved with distributing power.

“IEC 62443 is being widely looked at, if not adopted, in many automation processes,” says Dan Schaffer, business development manager, networking and security, at Phoenix Contact. “I’ve also seen a number of non-electric industries such as water and oil start to follow NERC CIP. I believe this is because NERC CIP is quite detailed about the dos and don’ts without doing a lot of navel-gazing or theorizing that other standards tend to have.”

Though standards provide helpful advice, using them doesn’t guarantee that a program will result in true security. Developers have to determine which aspects of a standard are needed and which don’t fit. Then they have to put them into production correctly.

“Standards are recommendations for best procedures,” says Gary Williams, technology manager of cybersecurity and communications at Invensys, now part of Schneider Electric. “If they’re implemented correctly, users will be able to link things together easily. These best practices give people guidance on what to do. They don’t specify every requirement.”

Design teams can just focus on the intent of the specifications, which is to protect networks and data, rather than on meeting the requirements of the standard. On the other hand, developers can sometimes conform to the specification without doing much to safeguard the network.

“There is potentially a big difference between being secure and being compliant,” Schaffer says. “A loose, poorly written or unclear section of a standard can be followed to the letter of the law but not really implement great security.”

Standards can be studied by hackers as well as by industry designers, but that doesn’t reduce the effectiveness of protective schemes designed using these specifications. Good designs and defense in depth can combine to safeguard networks—even if hackers are using the same standards and guidelines when they write malware.

“You don’t need to hide the way the system is designed: Knowing how a lock works doesn’t open every door,” Byres says. “A lot of people think secrecy is the key, but it’s not.”

Most technologists feel that that far more benefits than problems come with security standards. Some note that even when source code is readily available, hackers have trouble attacking end products.

“The good side of standards outweighs the bad,” says Carl Henning, deputy director for PI North America. “If you look at Linux, it’s an open standard. But you don’t hear much about Linux breaches.”

Sponsored Recommendations

Put the Plant Floor in Your Pocket with Ignition Perspective

Build mobile-responsive HTML applications that run natively on any screen.

Ignition: Industrial-Strength System Security and Stability

Ignition is built on a solid, unified architecture and proven, industrial-grade security technology, which is why industrial organizations all over the world have been trusting...

Iron Foundry Gains Competitive Edge & Increases Efficiency with Innovative Technology

With help from Artek, Ferroloy implemented Ignition to digitally transform their disconnected foundry through efficient data collection and analysis while integrating the new ...

Empowering Data Center Growth: Leveraging Ignition for Scalability and Efficiency

Data center growth has exploded over the past decade. Initially driven by organizations moving their computer assets to the cloud, this trend has only accelerated. With the rise...