The Push for Industrial Cyber Security Standards- A Look at Underwriters Laboratory’s Efforts

By Bill Lydon, Editor, Automation.com

Given the recent rise in cyber attacks, cybersecurity is one of the industrial automation industry's biggest concerns today. Industrial automation suppliers can claim that their products are cybersecure, but such claims are hard to prove. Standards and certification for cybersecurity, like today's electrical and safety device requirements, are one way for companies to furnish that proof. I had a discussion with Edgard Capdevielle, CEO of Nozomi Networks, about Underwriters Laboratories' recent efforts to create cybersecurity standards for the industrial control industry in collaboration with the Department of Homeland Security and the Defense Advanced Research Projects Agency. The standards were developed to provide hard cybersecurity criteria for testing third-party hardware and software, and to offer vendors a source against which to validate their cybersecurity claims.

Edgard Capdevielle is passionately focused on the issue of industrial cybersecurity. Referring to the National Infrastructure Advisory Council report, which describes how government and the private sector have the resources to secure critical infrastructure against targeted cyberattacks but are not properly organized, harnessed or focused, he emphasized the importance of UL's development this way:

“Having UL standards and certifications for industrial cybersecurity will advance the practices of vendors in terms of building cybersecurity into their products and will make it easier for industrial organizations to purchase products that are designed with cybersecurity in mind.  As ICS vendors already work with UL for a wide variety of certifications, having UL certify products for cybersecurity fits with existing processes and just makes sense. The new UL standards help embed good cybersecurity design into product development cycles, which is a positive step forward.”

 

Should Cybersecurity Standards be Legally Binding?

So this leaves open the question: will this standard be based on legally binding requirements? I posed this question to Capdevielle. “From one perspective it should be. It is concerning that in some areas of technology, if you and I wanted to build a car from scratch to sell, we cannot do it. It would be illegal for us to do it without airbags and seatbelts,” Capdevielle replied. “However, we are able to operate electrical plants and ship products that are controlling electrical plants, dams, oil & gas plants, oil rigs without any legally binding requirements.”

To put this into perspective, Capdevielle discussed a recent purchase of a large amount of what was considered the “latest and greatest” industrial control equipment. The purchase included PLCs for Nozomi's labs from a large, well-known vendor, and even here they found security issues. “We have an intern here, whose job it is to find cybersecurity vulnerabilities, who found extremely basic vulnerabilities in the new products, which were present in earlier models of this PLC, had been corrected, and now reappeared again in the latest version,” described Capdevielle. “These controllers could have been shipped to a nuclear plant, oil refinery, dam, or other mission-critical application.”

This anecdote underlines Capdevielle's main point. “It is alarming that ICS products will never be designed with cybersecurity in mind unless it impacts the financial bottom line,” griped Capdevielle. “The only way this can affect the bottom line is enforceable legal requirements. The implication is if there are legal requirements for cybersecurity similar to UL electrical requirements, there is a direct financial reason for companies to get serious.

“Whatever the standard is, it won't be adopted by all vendors unless it is legally enforced or government mandated. If not, you will have what you have today, best effort. To date, that has resulted in many ICS products that are insecure.”

But wait, aren't there already efforts that have created standards for cybersecurity? Capdevielle was harshly critical of these ‘standards’, saying, “Thirty-thousand-feet-high discussions about cybersecurity that talk about process, risk management, and recommendations - at the end of the day don't translate into anything meaningful.”

 

About Underwriters Laboratories Cybersecurity Assurance Program (CAP)

The UL Cybersecurity Assurance Program (CAP) was developed with input from major stakeholders representing the U.S. Federal government, academia and industry to elevate the security measures deployed in the critical infrastructure supply chain.  The standards were developed to provide cybersecurity criteria for testing to validate the security claims of vendors.  The UL CAP security efforts are recognized within the U.S. White House Cybersecurity National Action Plan (CNAP) as a way to test and certify network-connectable devices within the IoT supply chain.  UL is an established global company with over 120 years of history that certifies, validates, tests, verifies, inspects, audits, advises and educates.   

About Nozomi Networks

Nozomi Networks, led by Capdevielle, works to provide Industrial Control System (ICS) cybersecurity with real-time cybersecurity and operational visibility. Since 2013 the company has pioneered the use of machine learning and artificial intelligence to meet the unique challenges of critical infrastructure operations. Nozomi Networks works to deliver both cybersecurity and process anomaly detection, along with industrial network visualization and monitoring, asset inventory, and vulnerability assessment. The company's offerings are deployed in many of the world's industrial installations, delivering cybersecurity and operational reliability with one end-to-end solution. Nozomi Networks is headquartered in San Francisco, California.

 

Bill’s Thoughts & Observations

Based on the many industry presentations I have attended, along with multiple vendor and user discussions, I have heard a great deal of talk about cybersecurity protection, but it still seems to be a low investment priority. Around the world, discussion swirls around the creation of legally binding cybersecurity requirements for industry to protect society. This would parallel fire safety laws, product certifications, and facility site certification. Given that UL in North America is a prime certification group for electrical equipment, industrial control panel builders, fire safety, and physical security, it is really not surprising that they would be involved in cybersecurity.

In my view the state of cybersecurity has a strong similarity to the push for the application of training, best practices, devices, systems, and procedures needed to meet plant/machine safety goals and requirements. Many of us forget that it took the force of law, with enforcement including fines and incarceration, to bring about a culture of safety and investments.   For example, the United States government established the Occupational Safety and Health Administration (OSHA) under the Occupational Safety and Health Act, signed into law December 29, 1970. OSHA was empowered to levy fines for non-compliance and, over many years, safety has become ingrained in the industry. Ultimately, industry started to reap the returns from safety systems and understood the overall value, increasing not only safety, but productivity and innovation as well.

Will this tack be necessary for cybersecurity? Hopefully not, as industry professionals should be mature enough to embrace cybersecurity measures and reap the benefits before a cyber emergency forces the issue.

 
