Cyber security certification becomes a focus of process security

Paul Boughton

As greater demands are placed on the process industry's digital infrastructure, threats to cyber security continue to grow. Sean Ottewell reports on one solution to ensure that automation and control products are certificated properly.

Digital infrastructure is at the heart of all process activities these days. And while the industries involved may differ, they are all dependent on large-scale computer networks such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, process control systems (PCS), or distributed control systems (DCS), to monitor, control, and safeguard their industrial operations.

However, the demand for increasing connectivity between these systems has also brought security risks that, if left alone, could threaten the reliability and integrity of critical infrastructures.

It was against this background that a small team of internationally-recognised cyber security experts and industrial automation engineers founded Wurldtech in 2007 to create a suite of solutions specifically to help industrial stakeholders better identify and mitigate cyber security vulnerabilities in critical infrastructures.

Testing and remediation solutions

Today, Wurldtech counts some of the world's largest industrial organisations as customers and continues to be recognised as the leading provider of cyber security testing and remediation solutions to critical infrastructure suppliers, system integrators and end-users worldwide.

For example, Invensys Operations Management (IOM), a global provider of technology systems, software solutions and consulting services to the manufacturing and infrastructure operations industries, has announced that its Foxboro I/A Series distributed control system (DCS) operator workstations have passed Wurldtech's Achilles cyber security certification test.

The testing was conducted on the Foxboro I/A Series model P92 workstation for Windows hardware and I/A Series AW70 human machine interface (HMI) software for the Microsoft Windows XP operating system, including I/A Series FoxView, FoxAlert, Alarm Manager and System Manager applications.

The I/A Series model P92 workstations are the first host-based devices (HBD) to achieve this globally recognised benchmark for communications security and robustness and join a long list of other certified controller products that have achieved the Achilles certified designation, which IOM describes as among the most recognised and respected for process automation, control and safety system robustness (Fig. 1). As proposed by the ISA99 security standard, an HBD is a general-purpose device running a general-purpose operating system capable of hosting one or more applications or data stores. Examples include HMIs, engineering workstations, historian servers and domain controllers.

"End-users continually ask us how to evaluate a vendor's claims about product security," said Tyler Williams, president of Wurldtech. "Here is a prime example of a vendor doing all the right things to ensure safe, secure and reliable industrial operations."

"Our customers demand the utmost in secure process control systems," said Ernie Rakaczky, IOM security programme manager. "The testing conducted using the Achilles test suite covers the most common cyber security threats. IOM has also embraced the underlying requirement of a well-established software development lifecycle that incorporates security fundamentally, and has also adopted Achilles certification as an integral part of our QA strategy. We see the certification of the Foxboro I/A Series operator workstations as another step toward helping our clients achieve safety and control excellence, and look forward to driving more of our products, applications and practice though a defined Achilles certification."

IOM also recommends that customers assess their overall cyber security capabilities as part of an ongoing security and robustness programme for their computerised industrial systems.

Certified defences

Meanwhile Wind River, a world leader in embedded and mobile software, has announced that its VxWorks is the first real-time operating system to be certified under Wurldtech's Achilles certification programme. This will enable Wind River's customers in the process automation, power and energy, oil and gas, transportation, and medical market segments to deploy VxWorks with certified defences against cyber attacks.

VxWorks meets the Achilles certification conformance requirements at Gigabit Ethernet, passing both 100Mbit and 1GigE certifications, which are recognised by most industrial and medical manufacturers to defend control devices against increased exposure to cyber security attacks. The Achilles certified designation has been integrated as a mandatory selection requirement by many of the world's largest industrial organisations from all critical infrastructure sectors, such as Shell and Total, and has already been implemented in more than 14 industrial control systems from manufacturers such as ABB, Honeywell and Emerson.

Achilles certification directly addresses cyber security at a time when accessible, affordable, high-speed connectivity has created increased vulnerability to malicious cyber attacks. Now Achilles Certified, VxWorks allows developers to build secure devices conforming to the Achilles certification, leveraging a prevalidated, real-time operating system that limits unpredictability, compared to a noncertified operating system or application.

Application developers can now utilise a platform that has already been certified by a trusted third party, bringing more predictability to a time-consuming, complex and costly process.

Developers can rely on the Achilles certified platform, with included networking stack, to be a trusted component of their overall end product and can benefit from faster time-to-market, lowered development and certification expenditures, as well as less overall risk of cyber attacks.

"As cyber threats to mission-critical systems continue to grow in frequency and complexity, it is critical to have a secure infrastructure that protects vital data against hackers," said Jens Wiegand, general manager of industrial and medical solutions at Wind River. "Having achieved the Achilles certified designation from Wurldtech, our customers can now develop their entire device on a secure, certified, out-of-the-box platform, while minimising the final certification process, shrinking application development time, driving costs down and increasing competitive advantage in a global market."

"The security and robustness of critical digital infrastructures must improve given the evolving nature of cyber risk and the increasing cost to end users associated with disruptions to industrial operations or breaches in data integrity," said Dr Nate Kube, chief technology officer of Wurldtech Security Technologies. "Suppliers integrating VxWorks into their critical control systems will now have an additional level of assurance that network stack communications are safe, secure and reliable. We are pleased to collaborate with Wind River and will continue to address key challenges facing embedded device makers against cyber attacks."

In other news, Siemens has selected the Achilles Satellite to enhance internal robustness testing best practices for its range of industrial automation and control solutions. "Siemens considers the security and robustness of our industrial control systems portfolio of critical importance. By integrating the Achilles testing platform into the development life-cycle of our process automation, control and safety solutions, we are able to validate resilience from design through deployment and help our customers maintain safe, secure and reliable industrial operations," said manager Thomas Brandstetter.

Wurldtech has also announced the 20th Achilles certified industrial control system. The HIMax safety controller from HIMA has achieved the internationally recognised benchmark for system security and robustness on the previous 2.14/2.16 and latest 3.8/3.12 versions.