When we were doing safety system designs in the 1980s, there was no Windows, there was no TCP/IP, there was no Ethernet. We had to write our own protocols to transmit data to our I/O and our controllers.

Fault-finding was always a challenge. What we ended up doing was putting in what were known as “back doors”. I could go up to some of our equipment that's running in automatic, I could plug into the RS-232 port on the front with a handheld RS-232 ASCII keypad. I could put in a sequence of ASCII keys and it would take the controller out of automatic. It would allow me then to start looking at the serial registers to see what was being transmitted, to look at the I/O memory, to see what was in the I/O, and I was able to manipulate things. When I finished, I could then put through a series of ASCII keys, and put it back into automatic. I can still remember those codes now. I'm sure some of those systems are still out there and probably still have these “back doors”, because back then we never thought someone would try and get into a control system.

In the 1990s, the problem with every manufacturer doing their own thing meant that it was proprietary. So the poor old end-user would have to go back to the manufacturer or the supplier of the system to be able to get anything changed. Of course, change orders meant money. The end-users were fed up with this. They wanted more open protocols -- more open devices. In other words, devices that could talk to each other and they wouldn't have to go back to the same manufacturer every single time.

Windows came along in the mid-90s. It gave customers a more open platform and we all know how secure early versions of Windows were. Towards the end of the 90s, cybersecurity started being discussed. The SP99 committee was set up to look at and come up with some standards for cybersecurity.

It wasn’t until 2007-08, when Stuxnet came along, that people started to realize that control systems were now vulnerable. If you can get hold of a control system, you can do all sorts of damage.

Eventually, various standards were pulled together into one international standard called IEC 62443. This is now the primary cybersecurity standard for industrial automated control systems (IACS).

If you're familiar with S99, you'll see that it resembles an awful lot of what's in that standard. Plus there's some NIST and other things in there. It's a pretty well-rounded standard.

The only difference is, with IEC 62443, it has requirements for end users and OEMs in the same standard. Whereas, when we look at the safety standard IEC 61508, it is specifically targeted for manufacturers, and IEC 61511 is specifically targeted for end-users. 


Other Blog Posts By Steve Gandy