As the incidence of cybersecurity threats in automation systems continues to rise, the automation world continues to grapple with how to address these issues. The IEC 62443 series of standards publishes many good practices for end users, such as creating demilitarized zones between the business network and the industrial network, banning the use of portable devices on the industrial network, and ensuring that security patches are installed regularly. While these solutions all make a lot of sense, I recommend attacking the problem at its core. Patching, for example, is very important, but it is also very expensive and carries some extra risks in an automation system, such as impacting the performance of a critical process. Wouldn’t it be better to solve the problem by making products that don’t require security patches in the first place?

I guess the obvious answer to this question is "Duh!" Of course this would help solve the problem, but is this even possible? While it may not be possible to make products completely free of vulnerabilities, the world has learned a lot about the sources of vulnerabilities and the methods used to exploit them over the past 10-15 years. As a result, significant strides can be made to reduce the number of vulnerabilities in a product. It stands to reason that applying these lessons to new or existing products would be a good place to start.

Fortunately, this has started happening. The concept of following a secure development lifecycle (SDL) when developing products is gaining traction in more and more companies. In fact, Schneider Electric and Honeywell Process Solutions recently became the first companies in the world to receive an exida SDL certification based upon IEC 62443, which shows they are following industry best practices when developing new and existing products. Several other automation suppliers are moving toward this goal. This is a very good thing for long-term automation cybersecurity.


Tagged as:     Mike Medoff     ISA     IEC 62443     Cybersecurity  
