ICSJWG: Security with Suppliers

Wednesday, May 9, 2012 @ 07:05 PM gHale


By Gregory Hale
When in doubt, blame the suppliers. That used to be how the manufacturing automation industry operated. Today there is an understanding that "we are all in this together."

“I am big on collaboration between the vendor community and asset owners,” said Rob McComber, security program manager at Telvent during the Wednesday panel discussion entitled, “Security Responsibilities of the Control System Vendors” at the ICSJWG 2012 Spring Conference in Savannah, GA. “We have the opportunity to add some pretty incredible value starting with security.”

Panel members from some of the big names in manufacturing automation talked about the areas they control, from the design and architecture of a product through its implementation, to communication with customers, and on to the ways they try to help the wider industry, such as sitting on standards bodies.

But no matter what area they talked about, it all came back to being able to communicate with end users.

“We need a culture change to understand that we will have vulnerabilities,” said ABB cyber security chief, Markus Braendle. “All vendors need to have a formalized vulnerability plan. The first and foremost goal is to minimize risk for my customers.”

“It is also important to set expectations,” he said. “Customers and vendors need to talk. Users need to engage the vendor in discussions. Let them know what you want.”

“With all the systems we sell, it is difficult to know all of our customers,” said Graham Speake, principal systems architect at Yokogawa Electric Corp. “We have to make it easier. Let’s make it a standard way for end users to contact us.”

In addition to communicating with end users over security issues, the suppliers also need to work with customers on patch management issues.

“We rely heavily on third party software providers and the vendors need to support them also,” Braendle said. Microsoft is one example, but there are plenty of others that will need support. “Also, we need to support antivirus signature updates. We need to eliminate false positives.”

Suppliers today are designing security into their products, something that was not even considered years ago. That change has brought new ways of building security into systems and of making sure end users know what is in the device, software or system they are running.

“Certification adds value,” said Paul Forney, chief technologist, supervisory platform R&D, Invensys Operations Management. “It is knowing the process that you have to go through and if you can pass the test, and there is a lot of work that goes into this, that has value. Yes, certification is valuable.”

“We all understand we have to build security in from the beginning,” Speake said. “We just can’t add it in at the end.”
