SPS-Magazine article on Security Procurement

In the issue 3/2014 of the German SPS-Magazine, Peter Panholzer of Limes Security published an article on the importance of ICS operators including security requirements already during procurement.
The article details why security is a must-include during any procurement activities on the way to being able to operate ICS systems securely.
The message is rather simple: If operators procure components that lack basic security functions and have low resilience on their protocol stacks, it will be rather difficult and costly to compensate this.
Furthermore, the article also details what information operators should request from their suppliers.

  • Proof of adherence to secure software development methods
  • Dedicated and explicit security requirements, related to official standards and guidelines (e.g. NERC CIP, BDEW Whitepaper, IEC 62443)
  • Proof of resilience of network protocol stacks (e.g. Achilles)
  • Explicit demand for the conduction of security acceptance tests

The full article (German only) can be found here.