As the incidence of cybersecurity threats in industry continue to rise, the automation world continues to grapple with how to address these issues. There are many good practices available to end users such as creating demilitarized zones between the business network and the industrial network, banning the use of portable devices on the industrial network, ensuring that security patches are installed regularly, etc. While these solutions all make a lot of sense, I recommend an attack at the problem core. Patching, for example, is very important, but it is also very expensive and carries some extra risks in an industrial automation system such as impacting the performance of a critical process. Wouldn’t it be better to solve the problem by making products that don’t require security patches in the first place?
I guess the obvious answer to this question is Duh! Of course this would help solve the problem, but is this even possible? While it may not be possible to make products completely free of vulnerabilities, the world has learned a lot about the source of vulnerabilities and methods used to exploit them over the past 10-15 years. As a result, significant strides can be made to reduce the number of vulnerabilities in a product. It would stand to reason, that applying these lessons to new or existing products would be a good place to start.
Fortunately, this has started happening. The concept of following a secure development lifecycle (SDL) when developing products is gaining traction in more and more companies. In fact, Schneider Electric recently became the first company in the world to receive the SDLA (Security Development Lifecycle Assurance) certification which shows they are following industry best practices when developing new and existing products.
In addition, the industry is making great strides in standardizing these practices. The International Society of Automation (ISA) recently published a draft standard based on this concept of the security development lifecycle. This standard, IEC 62443-4-1 Security for industrial automation and control systems Part 4-1: Secure Product development lifecycle requirements, is now available for ballot and comment from ISA. I encourage you to take a look at this standard and to provide feedback to the ISA. Perhaps this will be a turning point in the war against cybercrime.