Cyber-Security Certification Program for Automation Controllers

As announced at the Digital Bond blog and noted on the Sound Off! blog, the DeltaV controller is included in the first group of controllers certified by Wurldtech’s Achilles Controller Certification. The purpose of this program:

The Achilles Certification Program was developed by Wurldtech and its partners to provide a benchmark for the certification of secure industrial controllers. The program is designed to assess the overall security of industrial controllers and certify that they meet a comprehensive set of requirements and conformance. The certification process presents device manufacturers with an independently verified result from which to communicate their product security to customers, while providing the operators of control systems the most complete, accurate, and trustworthy information possible on the security of their deployed products.

I caught up with Emerson’s Bob Huba, who has worked closely with Wurldtech in gaining certification for this important cyber-security effort. You may recall Bob from prior posts on the topic of cyber-security.

Bob feels this certification is important for process manufacturers. When devices are tested against an accepted set of test suites and test parameters, an automation engineer can have a higher degree of comfort that automation controller solutions have the robustness to survive network-level cyber attacks.

Emerson customers have told Bob that one real benefit of this testing is that it gives them the “breathing room” to better plan the installation of security updates and new anti-virus signatures. Knowing the controllers can survive a security incident will greatly reduce the risk involved in having to schedule these patching tasks around process activities rather than always immediately deploying the updates.

Over time, Bob expects device testing and certification to become an even bigger part of the industry's cyber-security and system robustness solutions. In fact, he just returned from a two-day meeting of the newly forming Control System Security Certification Organization (CSSCO) in Houston.

At this meeting, the group defined as part of their mission:

to decrease the time, cost and risk of developing, acquiring, and deploying control systems by establishing an industry-based program to… facilitate the independent testing and certification of control system products to a defined set of control system security standards.

Bob noted that support for the CSSCO has been growing since several major asset owners proposed the initial idea of such an organization about two years ago. It has recently come under the auspices of the ISA organization, which is helping to develop it into a full standards organization. Bob suggests that, if you are interested in this effort, you look for more information on it in the upcoming weeks.

Personally, he would like to see as broad a process manufacturer representation in this group as possible. To this end, Bob plans to invite members of the DeltaV community of users to consider participation in this effort. For those members who happen upon this post, feel free to contact Bob.

Posted Wednesday, May 16th, 2007 under Cyber-Security.
