Joining end-user companies such as Shell and ExxonMobil and automation vendors like Emerson and Honeywell, and Control magazine, ISA's new "Automation Federation" will participate in the formative study being conducted by Wurldtech Analytics toward forming a Control Systems Security Foundation (see "Raising the Bar for Control System Security"). Wurldtech's task is to evaluate the feasibility of creating a set of well-engineered specifications and processes for the security testing and certification of critical control systems products. ISA states, "The Automation Federation will provide financial and personnel support for the initial feasibility study project."
Over the past few years, research has shown that SCADA and control system products often have serious security vulnerabilities. These vulnerabilities leave control systems exposed to viruses, hackers, and possibly terrorist activities from around the world. Industry standards like those arising from ISA-SP99 and NERC CIP-2-9 and the work of the OMAC MSMUG group have been addressing this issue from an end-user perspective, but this new initiative aims to help define methods by which suppliers of products can validate that their products afford the necessary level of secure operation. With this program, control system suppliers would be able to offer products that are proven to meet a standard set of minimum security requirements.
Joann Byres, Wurldtech’s applied research director, says, "The deliverables for the study will include investigation of critical success factors in industrial certification organizations; an incorporation model designed to best meet the needs of industry (e.g. non-profit or for-profit); a proposed accreditation model and guidelines for interaction with standards bodies; governance, membership, code of conduct and voting model; legal and property rights guidelines; proposed budget and membership fee model; multiyear time line and milestones for the setup and operation of the organization; long-term sustainability of the organization; and an estimation of member commitment requirements in time and people. We expect the proposal will be completed by September 2006, and an organization could be launched in early 2007."
Eric Byres, Wurldtech’s director, adds, “Our vision is that any certification organization that arises will work very closely with existing standards groups. We'd give them both the draft documents that can be formulated as standards and the supporting research to enable informed decisions on security standards.
"We welcome the Automation Federation's support, especially because of the work of ISA and OMAC in the security standards arena, and we're looking forward to a close partnership."