The International Instrument Users Association published the second version of its Process Control Domain Security Requirements for Vendors document, which, according to the association, is the first international standard of cybersecurity best practices for suppliers of industrial automation and control systems, also known as supervisory control and data acquisition (SCADA) systems. These systems control the processes of key industries, such as oil and gas, chemical, and electricity.
The effort to develop these standards was spearheaded by industrial companies such as Shell, BP, Saudi Aramco, Dow, DuPont, Laborelec, and Wintershall, as well as vendors such as Invensys and Sensus, and government agencies.
The standards were developed to address a range of cybersecurity topics relevant to industrial stakeholders: from high-level requirements for vendors' internal security policies, procedures, and governance, to specific requirements concerning access/authentication, data protection, default password protection, and patch management.
“The security requirements outlined in the document went through a year of comments/revisions from over 50 global stakeholders and were subjected to a thorough pilot certification program over the last eight months", explained Jos Menting, cybersecurity advisor to GDF Suez Group. "We've now come to a truly functional cybersecurity standard based on the needs of end-users, and it is now up to us, the end-users, to take advantage of this effort and insist that our vendors are certified."
The standard’s requirements are broken down into three levels designed to reflect various starting points of suppliers and provide a scalable framework to plan improvements over time. In the program, there are gold, silver and bronze levels, each consisting of a set of requirements designed to verify that applicable policies and practices are in place, enabled, and practiced by the vendor.
“Our increasingly connected production systems are facing a growing threat on a daily basis and we must do all we can to ensure a safe and secure operational environment", said Peter Kwaspen, strategy and development manager for EMEA control and automation systems at Shell Projects & Technology. "This document provides the common language we need to communicate our expectations around security to our suppliers and the framework to work together to help improve the overall security posture for our critical systems."
Members of the association’s Plant Security Working group have begun implementing the standards into their procurement processes. Suppliers of industrial process control and automation systems are also starting the process of integrating the requirements into their organizations.