HUG: Understanding Security and Standards

Wednesday, November 6, 2013 @ 06:11 AM gHale

By Gregory Hale
Security can be that big bad all encompassing and confusing quagmire that can consume a user, or you can have Johan Nye break it down to make is seem simple and understandable.

Cyber security is a shared responsibility between suppliers, integrators and asset owners,” said Nye, senior engineering advisor at ExxonMobil Research and Engineering, co-chairman of the ISA99 Working Group 4 Subcommittee, which is developing technical requirements for the Security of Industrial Automation and Control Systems and chairman of the ISA Security Compliance Institute Governing Board, which is developing the ISASecure certification program for Industrial Automation and Control Systems cyber security. “It is a supply chain problem. It starts with suppliers where products have to be security by design and by default.

HUG: Proactive Security
HUG: Safety, Security are One
HUG: Take Security Seriously
HUG: Security, Safety Front and Center

“We have a good track record with safety, but now we have to pick up security,” he said during his talk Wednesday at the 2013 Honeywell User Group (HUG) EMEA conference in Nice, France.

There are methodologies to secure industrial automation and control systems, Nye said. There is the NIST Cybersecurity Framework; there is the ISA99/IEC 62443 standard, and the ISA Security Compliance Institute.

The NIST Cybersecurity Framework is a voluntary framework to improve critical infrastructure. It can be a high level framework within your company where you can go to the executive level and talk security without having to get into the technical details. “If you start talking about things like buffer overflows you lose the executive within five minutes,” Nye said. The framework talks about risk and that is something executives can understand. What is important is how you are going to respond if the worst happens.

The ISA99/IEC 62443 standard has been in development for quite a while and has four components: General, policies and procedures, system and components. While there are subsections within those four areas, Nye said they apply to certain segments of the industry.

“What is good about having a standard is there ends up being a common terminology,” Nye said. “The standard allows everyone to talk to each other and they are on the same page.”

Standards can be intimidating at first, but after you break them down, they can become very understandable, Nye said.

“Cyber security is mainly an art. There are not enough cyber security gurus out there to secure all the critical infrastructure. What we have to do is turn an art into an engineering discipline.”

Within the standard there are areas that can make security a bit more understandable, like security zones and conduits. A zone is a grouping of logical or physical assets that share common security requirements. A Conduit is simply the connection between zones.

There is also the idea of security levels, which are somewhat similar to safety integrity levels. Security level one would simply cover an employee having an accidental or casual introduction of malware. Where security level 4 would be an attack from a nation state that could focus on an advance persistent threat.

After the user understands and implements a standard, then there is compliance and that is where the ISA Security Compliance Institute (ICSI) comes into play.

ICSI introduced ISASecure a little while ago and that is an internationally accredited conformance scheme that ensures the certification process is open, fair, credible and robust, Nye said. It provides global recognition for ISASecure conformance.

“It is important that security is thought of throughout the lifecycle,” Nye said. “Security is not like an M&M where it is hard on the outside, but soft on the inside. It has to be like a hard candy: Hard on the outside and hard on the inside.”

Leave a Reply

You must be logged in to post a comment.