Invensys: Security by Design

Wednesday, November 9, 2011 @ 07:11 AM gHale

By Gregory Hale
For a security solution to be successful, there needs to be a team effort between the end user and the supplier. The end user needs to work at taking care of their responsibilities, and the same is true for the supplier.

They need to ensure what they are delivering to the plant floor is secure and productive. That is why Invensys Operations Management has a rigorous security regimen its products go through before they are released.

Invensys: Power to the People
Invensys: People Keystone to Growth
Attackers Winning Security Battle
Survey: In Age of Attack, Providers Less Aware
Cyber Report: Chemical Industry Under Attack

“We are trying to protect what we can control, said Ernie Rakaczky, program manager for control systems cyber security at Invensys Operations Management at the OpsMange ’11 conference in Nashville, TN, Tuesday.

Rakaczky has said before a successful cyber security program has three major areas of focus. It has a user responsibility of 65 percent; supplier responsibility of 15 percent and a shared responsibility of 20 percent.

Each supplier, Rakaczky said, must be in position to support security requirements for
• Software development lifecycle
• Project execution
• Lifetime support for things like patch validation and software updates

“We want to address cyber security from its functional roots,” said Paul Fornay, development security architect, cyber security program at Invensys. “When a vulnerability exists, it is usually from the roots.”

Taking care of the baseline “root” of software development is Fornay’s mission so plants can remain as safe as possible. “I have walked through plants where there are some dangerous processes going on,” he said. “I don’t want anything to mess with the processes.”

When they do find out about a vulnerability, they don’t want to run and hide from the problem. Rather, they have to continue to test the code to not only fix that one line that may have a problem, but they want to ensure the entire software package is fully secure, Fornay said.

Secure software must provide the traditional CIA (confidentiality, integrity and availability), but from an industrial standpoint it also has to have Authenticity, Authorization, and Non-repudiation, Fornay said. One thing Invensys does is they do a threat modeling approach where they study the design of an application to identify any weakness.

Threat modeling is a key element of Invensys’ security development lifecycle, which defines a set of possible attacks to identify weaknesses and vulnerabilities.

To ensure secure software Invensys includes training for all software engineers around code testing and response to vulnerabilities, conduct assessments and roadmaps for all products and reduce the attack surface and number of security vulnerability reports.

Where vulnerabilities are discovered, having a security development lifecycle in place enables developers to respond faster to developing security updates, said Forney.

This way it ends up secure by design so they “are not patching something as it goes out the door. You need to build security in from the beginning. That is why we have a final security review before it goes out the door,” Fornay said. “If you want to have secure software, due diligence needs to be in place.”

Invensys talked about securing product before it ships, but what happens after it gets to the manufacturer?

That is where Invensys Critical Infrastructure and Security Practice (CISP) come in. They are the part of the organization that is a platform agnostic integration unit.

“Once the product is deployed in the field, you have to look and understand the people and the environment,” said Stephen Batson, principal architect with CISP.

What end users have to do and what CISP helps them understand is to develop a series of best practices so they can identify their assets and protect the key areas.

“The attack sophistication is growing and we are being targeted and as the attacks come everyone has to understand there is no silver bullet,” he said.

Leave a Reply

You must be logged in to post a comment.