Here are a few disturbing cybersecurity facts for companies using Industrial Control Systems (ICS):
- Ransomware is one of the fastest growing businesses – generating over a billion dollars in 2016.
- 54% of ICS companies have suffered at least one cyberattack in the last 12 months1.
- 69% of ICS cybersecurity practitioners feel that the threat to ICS systems is severe to critical2.
It’s not all bad.
The industrial control industry recognizes the threat and has responded by supporting standards to strengthen cybersecurity.
There are several standards that touch on industrial cybersecurity – some target specific countries while others target industrial segments.
is one of the major standards backed by both end users and equipment vendors. Much of its marketplace power stems from the fact that it is written to be applicable across industrial segments and it has been accepted by many countries; it can also be applied to adjacent markets – like building control systems.
But with standards-based cybersecurity come a new challenge: insuring product compliance.
How can end users be sure the product they are evaluating meets the standard?
Standards documents are long and specialized. And even if the end user were to read the entire standard, inspecting the product for adherence to the standard is not a trivial process. So, how can end users hope to have confidence when purchasing products with standards-based cybersecurity?
Enter conformity certification
Conformity certification programs validate products’ compliance to published standards.
Major equipment suppliers (Schneider Electric, Honeywell, Siemens, Yokogawa to name a few) have selected the ISASecure Conformity Certification
(built on ISA/IEC 62443) as a foundational standards-based approach to drive device hardening.
Unlike competing certifcation programs, the ISASecure program certifies the asset over its full lifecycle, uses independent test laboratories, publishes its compliance regimen, and was built by a balance of stake holders (end users, suppliers, test labs, test tool suppliers).
For the past 8 years, the industry has been building products to be compliant with the ISASecure Conformity Certification.
Conformity certifications provide value to both end users and equipment suppliers...
Value of conformity certification for end users:
- Simplifies specification process – Specify ISA/IEC 62443 compliance rather than listing pages of individual requirements.
- Simplifies understanding of product capabilities – End users immediately understand security features implemented in compliant products.
- Cybersecurity capabilities validated by external entity – End Users have confidence that cybersecurity features are properly designed and implemented.
- Confidence that security features will evolve over time – Secure development lifecycle* insures that potential future cybersecurity vulnerabilities will be addressed. (*unique feature of ISASecure)
Value of conformity certification for equipment suppliers:
Creating a More Secure Future
- Differentiate solutions – Enables suppliers to derive marketplace value from product hardening by facilitating promotion of superior products (“our products are certified to level 2, competitors are certified to level 1”).
- Assures products meet cybersecurity requirements – Ensures proper implementation of standards, certified by an external organization.
- Cybersecurity is a dimension of product quality – Secure development lifecycle* ensures that cybersecurity is integral in product development. (*unique feature of ISASecure)
More and more end users are requiring secure ICS equipment. Conformity assessment programs like that provided by ISASecure are necessary to give end users assurance that standards-based cybersecurity features have been properly defined and implemented.
Implementation of the cybersecurity features defined in ISASecure Conformity Certification will result in hardened ICS products and systems. Specification of the ISASecure conformity certification by ICS end users is the next key step that will drive secure ICS solutions.
Kaspersky Labs State of Industrial Cybersecurity Survey, 2017.
Securing Industrial Control Systems, SANS 2017.