12/12/2014

Cyber Security in the procurement of industrial components

A chain is only as secure as its weakest link. For industrial networks this means that they are only as secure as the components and products of which they consist. But how do you recognise, in particular already at procurement, whether an industrial product has sufficient cyber security built-in?

The verifiability of cyber security is however especially questioned by operators of industrial plants who are at the mercy of manufacturers and integrators uttering terrific security promises. Thus it is worthwhile for each operator of industrial plants to establish a concept at an early stage on how security risks due to insecure components at the procurement can be reduced or passed on the supplier.

A common understanding of operator and his suppliers is required concerning the expectations and capabilities of cyber security in plant components or services. If the operator fails to do so, he or she unwittingly accepts the risks for insufficient or lacking security measures. He or she reduces operational cyber security permanently.

In addition, there is a second trend which makes „security housekeeping“ at procurement of industrial components even more imperative for each operator of plants: As especially larger operators increase the security of their plants, cyber criminals have spotted the often less secure suppliers as weak points in order to penetrate the value added chain. Numerous analyses of systematic hacking attacks show a 200% increase in small and medium-sized companies (up to 250 employees) in recent years. Small and medium-sized companies which are common among suppliers do only rarely classify themselves as interesting target of attack due to their size and imagine themselves to be safe by mistake. Big companies invest in fact more resources in security measures, but purchase substantial parts of the value added chain of their products, which may lead in case of lacking measures and prerequisites of procurement to considerable “purchased” security risks.

What should be requested during procurement of industrial components with respect to cyber security? The following elements can be demanded from suppliers during procurement, or at least enquired:

  • Evidence of compliance and implementation of latest approaches of secure software development: The supplier should provide evidence that cyber security is considered in his development and testing processes. As evidence can be considered e.g. results of independent security testing, documentation of developmental processes or a training certificate of developers for secure software development. In case of doubt, an external service provider can help to carry out benchmarking of the security capabilities of a supplier.
  • Explicit establishment of security requirements with the help of security procurement templates: There is a number of templates which can be used for the specifications of industrial components. These exist both, industry-sector specific (e.g. in form of a BDEW-Whitepaper for energy and water industry) and across all industries (e.g. WIB Process Control Domain for Vendors, INL Procurement Language). During procurement, these documents can be referenced by the purchaser. When dealing with these requirements, practices has shown it quickly separates the sheep from the goats: Suppliers concerned with security know these catalogues of requirements already and know how to deal with them.
  • Demand for certified robustness of network interfaces of industrial components: For the stability and robustness of network-stacks of industrial components, the „Achilles“-certificate of the Canadian company Wurldtech has become established on the market, which is also offered in German-speaking countries. In this case, attacks on the network interface of the automation device are sent via a network connection in order to test the robustness of basic protocol stack elements such as ARP, IP, TCP and UDP. During test execution, the response time of the device is measured on the network as well as the regular flow of the automation logic is observed. In order to pass an Achilles certification successfully, neither the response time of the network interfaces nor the automation logic may be significantly affected by the network traffic. A public list provides information on manufacturers who have already certified the network stacks of their industrial components.
  • Implementation of security acceptance testing: At the end of the commissioning phase, new systems or solutions should be tested by an independent expert on weaknesses. The proper debugging of detected weaknesses by the manufacturer/integrator should be agreed upon.
    Depending on the circumstances, one or more of the stated methods or sources are suitable to establish adequate security requirements and to pass them on suppliers. Only a few manufacturers are nowadays already able to meet nearly all possible requirements, in many cases compromises will be necessary.

We believe that cyber security must be established as “quality standards and criteria” already at procurement. Industrial components of higher cyber security quality, reduce security risks during operation, therefore it definitely is worthwhile to pay appropriate attention to them already at procurement.