Until recently, there was only one game in town when it came to security certification for industrial controllers—the Achilles certification provided by Wurldtech Labs, an independent division of Wurldtech Security Technologies, in Vancouver, British Columbia, Canada.
But that changed on Aug. 13 with the announcement of the Mu Security Industrial Control Certification (MUSIC) program, from Mu Security, a two-year-old Sunnyvale, Calif.-based company. Mu also announced that the Experion Process Knowledge System (PKS) C300 Process Controller, from Honeywell Process Solutions, Phoenix, is the first to achieve MUSIC certification. Honeywell followed up with its own press release on the C300 MUSIC certification the next day.
The announcements by Mu and Honeywell may set the stage for a new phase in the drive toward more secure critical infrastructure control systems, not to mention a marketing battle between competing certification providers.
Wurldtech announced its first Achilles certifications last May. So far, a total of six control products from four vendors—Emerson Process Management, ICS Triplex, Invensys Process Systems, and Yokogawa Electric Corp.—have received Achilles Level 1 certification, which focuses on layers 2 to 4 of the network protocol stack. By contrast, the Honeywell C300 is so far the only MUSIC-certified controller; the C300 achieved Foundation level MUSIC certification, which covers the same network layers as Achilles Level 1. Both Wurldtech and Mu say they have additional controllers in the pipeline, however, and both say additional certification announcements will come this fall.
Both the Achilles and MUSIC certification programs put controllers through a large number of tests designed to determine robustness and resistance to cyber attacks. But during an interview with Automation World, Adam Stein, Mu Security vice president of marketing, emphasized two points that he said make MUSIC different.
One is the availability of Mu Security’s security appliance for use in on-site testing. The company’s Mu-4000 Security Analyzer appliance is not only being offered for use by vendors for certification testing, but is also being marketed to end-users. “Now you’ve got a way, if you’re a user, to be able to verify that the [certification] test claimed by a vendor has actually been done, and if you’re looking at equipment that is not certified, but a vendor is claiming it’s just as good, you’ve got a way to independently benchmark it,” Stein said.
Vendors can also do certification testing using the Mu-4000 as part of product quality development at their own sites, using their own personnel, as opposed to the traditional need to ship product for testing to a certification authority, Stein added. The Mu-4000 generates digitally signed test reports, which users can then submit to Mu Security or a Mu authorized partner who can provide certification, he said.
The other point emphasized by Stein is that the MUSIC certification will provide an open transition to industrial cyber security standards currently under development, including the ISA-99 standard being developed by the SP99 committee of the Instrumentation, Systems and Automation Society. “Mu is tied into a lot of standards developments, like ISA SP99 and also the ISA Security Compliance Institute (ISCI), and I do not believe any other developments out there, including Wurldtech, is tied into the standards track,” Stein said.
In fact, according to Kevin Staggs, engineering fellow and global security architect at Honeywell Process Solutions, that is a primary reason that Honeywell decided to go for MUSIC certification instead of Achilles. “Our interest is in having a certification to the evolving open standards, and we wanted to make sure that our investment lined up with that,” Staggs told Automation World.
At Wurldtech, however, executives are quick to dispute any assertion that Achilles won’t provide mapping to the future ISA-99 standard. “We’ve been at every SP99 meeting, so we’re more than happy to be involved in the ISA process,” said Wurldtech Chief Executive Officer Tyler Williams.
In addition, according to Nate Kube, Ph.D., Wurldtech chief technology officer, the company has been beta-testing an appliance called the Achilles Assurance Platform at several customer sites. The appliance can be used as a quality assurance tool for security testing by controls vendors. And on Aug. 24, Wurldtech announced a new version of the platform, code-named the Achilles Satellite, which Kube says is geared more for use by end-users.
The Achilles Satellite will be introduced during the ISA Expo Oct. 2-4 in Houston, Wurldtech said. Both the current version of the Achilles Assurance Platform and the new Satellite version will be commercially available in this year’s fourth quarter.
The emergence of dueling security certification programs is raising concerns among some process control vendors. “I don’t want to see us get into certification wars, where we’ve got to start getting multiple certifications that essentially do the same thing,” said Bob Huba, senior product manager, DeltaV, at Emerson Process Management, in Austin, Texas.
Emerson acquired Achilles certification for its flagship DeltaV Controller at the request of certain customers, Huba told Automation World. If Emerson receives requests from customers to also acquire MUSIC certification, the company will look into it, he noted. But Huba sees a need for a third party to arbitrate the best security certification approach. “Somebody along the line has got to decide which one of these (Achilles or MUSIC) fits the bill, if it comes down to a choice, or if they’re both acceptable,” Huba observed.
Ernie Rakaczy, director of control systems security at Invensys Systems Canada Inc., took a similar tack during an interview. “We’re at a point in time where security testing is going to be critical for manufacturing products coming out of the factory,” Rakaczy noted. “We’ll have to embed in our QA (quality assurance) practices a set of criteria that will validate the security settings of the devices, and the source code that’s being created.” But those criteria haven’t yet been established, he said. So to some degree, both Wurldtech and Mu Security “are putting the cart before the horse” in offering certifications today, Rakaczy opined.
Rakaczy said that the needed criteria may eventually come together through the activities of various organizations, including the proposed ISA Security Compliance Institute. The ISCI—which is still in its formative stages—has as part of its mission to “accelerate the development of industry standards that can be used to certify that control systems products meet a common set of security requirements.” The body is seeking founding members from among the vendor and user communities who will provide funding and strategic direction. The ISCI membership application due date is Sept. 1, and if the organization hits its 21-month launch plan, conformance certifications would begin in June 2009.