With national governments around the world pushing for increased security and users also seeking reassurance, it's no surprise that many of the major control and automation equipment manufacturers are putting their products through cybercertification regimes.

Over the past year, Wurldtech Security Technologies, headquartered in Vancouver, BC, Canada, has become the leading provider of security solutions to SCADA, process control and mission-critical industries.

Founded in 2006 based on research conducted at the British Columbia Institute of Technology (BCIT), Wurldtech says that it is committed to delivering breakthrough products and services that help protect global critical infrastructure and address the security needs of major industrial organisations and government agencies worldwide.

Its Achilles assurance platform, created by the company’s team of network security experts, control system engineers and white hat hackers, is the first automated and comprehensive testing product for assessing vulnerabilities and security threats to devices and networks supporting critical infrastructures worldwide.

As a result, it is becoming an important asset for the technology providers. For example, the latest device to gain Achilles certification was announced on 4th September as ABB’s AC800M industrial controller.

“Control systems must meet very high requirements on security against cyber attacks,” says Thomas Pauly, responsible for cyber security in System 800xA. “This requires meticulous development processes and advanced methods and tools for verification. Wurldtech’s Achilles plays an important role in how we achieve that.”

“Secure and robust process control networks are a key element to the safe and secure operation of some of the world’s most critical systems. Asset-owners and operators alike are looking for assurance that products they purchase meet stringent security, robustness and performance benchmarks,” said Tyler Williams, ceo Wurldtech Security Technologies. “When operators select a controller such as the AC800M that has passed the rigorous testing of the AchillesLevel1 certification, they can be confident the product will improve the safety and reliability of their operations.”

Achilles certification required the AM800M to maintain control functionality while being systematically attacked with network tests designed to verify protocol stack robustness, compliance with specified protocol standards, and proper handling of rogue and invalid protocol packets.

ABB’s latest success follows on the heel of Emerson Process Management and its DeltaV controller and firewall. The DeltaV digital system is a key component of Emerson’s PlantWeb digital plant architecture and passed over 20 million tests to achieve Level1 certification.

“This is another step in our on-going effort to provide a highly secure control network that began when the DeltaV system was first developed,” said Duncan Schleiss, vice president of marketing, process systems and solutions, for Emerson Process Management. “Starting from the initial release, the DeltaV system has provided security features such as anti-virus protection and role-based user security, and is architected as a private network to keep the control system separate from any non-control networks. The use of DeltaV firewalls provides a plug-and-play security solution for DeltaV systems to deploy recently tested security solutions.”

The challenge in testing automation controllers lies in a lack of detailed information available to vendors about the protocol stacks they are using, especially when used in conjunction with their own proprietary protocols. Achilles certification overcomes this problem by combining mathematically rigorous test-packet generation with highly advanced black box monitoring techniques. Complex sequences of test packages generated automatically enable precise trace identification for any points of concern to discover both known and unknown errors and vulnerabilities.

“Automation engineers can have a higher degree of comfort knowing that DeltaV controllers have passed an accepted set of test suites and test parameters,” said Bob Huba, senior product manager for Emerson Process Management. “Controllers with Level1 certification have demonstrated the robustness to survive network cyber attacks. One real benefit of passing these rigorous tests is to provide users with the ability to better plan the installation of security updates and new anti-virus signatures. Knowing that the controllers can survive a possible security incident provides an opportunity to schedule these patching tasks around process activities rather than always immediately deploying the updates.”

Key supplier Invensys process Systems is up there, too. Its Triconex unit has announced that the Tricon version 10.3 has also achieved Achilles controller level1 cyber-security certification.

“As the world leader in safety system technology, Triconex has a proven track record in delivering safety solutions that combine high reliability and availability with excellent integration with DCS systems – without compromising either safety or security,” said Luis Duran, Triconex Brand Director. “Triconex systems have established the industry benchmark relative to international functional safety certifications. The achievement of Achilles certification for our Tricon system platform demonstrates our leadership in

cyber-security, as well.”

The process control industry is moving from using proprietary communications to using open standards and protocols such as Ethernet, TCP/IP, and OPC to integrate Safety Integrated Systems (SIS) with Distributed Control Systems (DCS). Thus, it is becoming increasingly important that the safety system is fully protected from external hostile intrusions that could place personnel at risk and/or cause incalculable damage to industrial assets.

To this end, Triconex recently introduced a new Tricon Communications Module (TCM) with embedded OPC server. The TCM, which was used to communicate to the Tricon controller during the Achilles testing, is specifically designed to facilitate a secure information flow from the Tricon safety system to distributed control systems using standard protocols.

A better vista

Meanwhile, COPA-DATA’s security considerations have a different focus. The company has announced that its new zenOn 6.21 is the first 100percent Vista compliant HMI/SCADA software.

“Microsoft is pleased that COPA-DATA has earned the Certified for Windows Vista software logo for their zenOn application,” said Brad Goldberg, general manager for Windows Vista product management at Microsoft. “This highlights COPA-DATA’s commitment to providing its customers with higher quality applications that deliver a more secure, reliable and compatible experience with Windows Vista.”

COPA-DATA has worked closely with Microsoft throughout the development of Windows Vista in order to ensure that their new version of zenOn is fully compatible with the new operating system. This cooperation has also enabled the independent SCADA provider to take full advantage of all of the new features present in Vista, culminating in a stable and secure offering for industrial application.

Company product manager Reinhard Mayr commented: “New PCs are shipped running Vista and our customers will need their projects to operate reliably and safely on their new and replacement terminals from day one, making good use of the new features available.”

The most significant of these features, according to COPA-DATA, is the new user account control (UAC). This new security model improves upon previous versions of Windows by providing more granular control over memory access, and application and user permissions.

*As APE went to press, the ISA was waiting to hear if it had enough interest from major control system suppliers and users to launch a Security Compliance Institute (SCI). If so, the SCI will then begin the task of establishing a set of well-engineered specifications and processes for the testing and certification of critical control systems products.