How well are manufacturers providing cyber protection for the equipment they provide to utilities?
Cyber security breaches get a lot of our attention (when we hear about them, that is). For example, one news item in 2014 that caused a great deal of outrage was the revelation that spyware had been planted on electronics equipment.
While outrage over cyber security breaches has its place, the negative perception left by a breach, such as the 2014 NSA spyware revelation, tends to stay in our minds even after the problem has been corrected. And it is far too easy for most of us to magnify cyber negatives without weighing them against cyber positives.
For one thing, most of us never hear about the intrusions that were stopped. And when manufacturers tell us they have immediately addressed a vulnerability, know of no new ones, or have closed any possible "back doors" in their products, the statement tends to feed our fears rather than give us much comfort.
Some "cyber positives" of recent note involve a key standard, IEC 62443, which has evolved into one of the most forward-looking security standards worldwide. It goes further than other standards by defining requirements for all parties involved: product suppliers, system integrators and operators.
A 2014 Transmission & Distribution World article by ABB, "Cyber security: Protecting critical infrastructure in a changing world", characterized the issues addressed by IEC 62443 and related standards well. Its four co-authors stated: "The future of industrial-control-system cyber security is comparable to the enterprise IT domain, where security has become a part of daily life with automated software updates, security patches and antivirus updates in order to thwart a growing number of threats."
IEC 62443 grew out of the work of ISA's ISA99 committee and is published by the IEC; conformance certification against it is run by the ISA Security Compliance Institute (ISCI), founded in 2007, through its ISASecure program. The institute's mission is to provide the highest level of assurance possible for the cyber security of industrial automation and control systems. Key technical members include Leidos (formerly Industrial Defender), Honeywell, Invensys Process Systems, Siemens, Yokogawa, Rockwell Automation, Mu Security and Wurldtech Technologies, along with BP, Chevron and ExxonMobil Research and Engineering.
Under IEC 62443, Siemens' secure substation framework has been certified against the requirements for system integrators (IEC 62443-2-4) and the security requirements for systems (IEC 62443-3-3). The cyber security certificate for its digital grid automation and network automation solutions was awarded in accordance with the IEC 62443 series, which means Siemens has documented its security-relevant procedures with the transparency the standards require. (See Siemens' Jan. 23, 2017 press release.)
Further recent examples include Honeywell, whose Phoenix, AZ facility received ISASecure Security Development Lifecycle Assurance (SDLA) certification, the ISCI program covering a supplier's secure product development lifecycle under IEC 62443, on Jan. 11, 2017, along with earlier announcements by Hitachi and Schneider Electric of compliance with other ISA standards.
More information on the IEC 62443 Conformance Certification is available at http://www.isasecure.org/en-US/About-Us