
list we have about 50 to 70 or so active participants developing the standards, so it's a reasonable group for a standards committee, and we have over 200 companies that are represented from all different areas of process and industrial controls. So we've got chemical processing: we've got Dow and DuPont and ExxonMobil, Petr cam. We've got food and beverage, so we've got Kraft and a couple of others in there. We've got energy, so we've got DOE as part of it, a few energy T&D people, and some generation people that are part of it. Pharma: we've got 3M, there's Bayer involved, a few of those. Water: we've got WSSC, which is the local DC water company, involved, and there are some other people as well. And we've got some manufacturing, so Ford, GM and some other discrete part manufacturing, Boeing as part of it, things like that. And we've got both end users and we've got vendors, so the Siemens, the Emersons, the Rockwell Automations, some of the I/O vendors, things like that; we've also got them involved.

So how does the standard series relate to ISA99? There's the committee, which is ISA99, and that's the committee developing the majority of the standards in this series, and then there's the series number, and it's 62443, and that numbering comes from IEC. It's terrible, but that's what we're stuck with. So ISA99 produces the ISA versions of the standard, the US national versions of the standard; IEC TC65 Working Group 10 develops the IEC version, and they're officially responsible for the IEC international versions. And then we're actually participating with ISO, the group that's doing the 27000 series, which is all the IT security program stuff; we're actually working with them as well. So we're trying to really make this global, trying to involve as big a group as we can, to involve as much industrial automation stuff as possible, get the biggest portion of all the industrial stuff together and solve the majority of the stuff, and then have each of the individual sectors, or each application, go and try and modify it slightly for their specific purpose.

I'll probably spend a lot of time on this slide just to give you an overview. It's an eye chart; this is available online, so I'll just give you sort of an idea of what's going on in here. No? Oh well, not a big deal.

So this top series up here is a bunch of standards and tech reports and things like that that relate to the umbrella over the whole thing. So the first thing we started out with in the committee was coming up with a baseline set of terms and concepts that we could actually all agree on, and when this all got started there were people that couldn't agree on the word "security". We couldn't agree whether we were dealing with physical security or cyber security, what levels were integrated, were we talking about the network as part of this or was it just the end devices, was the network going to be controlled by IT, was it controlled by the end user, was it controlled by the vendor. So we had to come up with just a general set of terminology that talked about everything and that we could all agree on, and actually that was the first document that we put out. So this one up in the top corner, 1-1, that's terminology, models and concepts. That document came out in 2007 and it's currently under revision to try and bring in a lot of the stuff that we've talked about and modified since that originally came out.

The next document over is a master glossary. That was sort of a placeholder for us. In coming up with this terminology, these were the terms that we agreed on, but there was a master glossary of just, here's all the terms that we've found out in industry and all their different versions of definitions and all the references that we could think of, and we just sort of piled them into a big database. Now every so often what we're going to try and do is roll that current database off to an actual document that we can publish and say this is the current set of definitions for everything under the sun that we can think of, not the stuff that's specifically just used in our standard; this is everything.

The next one over is compliance metrics. It's trying to come up with some measure of how you measure security, the stuff that's specific to industrial automation systems. So it's not going to be a direct CMMI kind of maturity model kind of thing; it's going to be taking in and trying to figure out how you actually measure security from an industrial point of view. And it's also not going to be down to the bits and bytes of, okay, number of packet failures and stuff like that. It's going to try and come up with sort of higher-level stuff that really makes sense to people and doesn't have to be boiled down much more.

The other document of the series is a brand new document we're trying to come up with. We're trying to come up with a document that represents a large-scale use case. We're using a chemical truck loading facility as our use case and trying to develop a lifecycle idea that goes along with that, so taking the Microsoft security lifecycle and trying to expand that out to include everything from initial project design, through implementation, through FAT and SAT, all the way out to decommissioning of these systems anywhere from 25 to 50 years later. So that's all the umbrella stuff; it's stuff that covers the whole series, and then everything below this is broken down into different areas that we're working with.

So the second level down is all policy and procedure stuff. This is developing your security program in an end user facility. This is going and actually trying to take the 27000 series and the NIST SP 800 series and boil that all down to actually figure out what is special about doing security programs in an industrial organization: how do you have to go and modify that, what changes do you want to make, things like not having three-password lockouts on the nuclear power station's control center HMI, things like that. Stuff that generally is more policy and procedure related than tech related, so it may relate to tech, and that's where the bottom layers come in, but generally this is going to be the stuff that goes along with creating roles and responsibilities for an operator that's down on the plant floor. He has different responsibilities than the engineer in his office trying to write the program to do stuff, and then he has different responsibilities than the sysadmin. And one of the things is the sysadmin shouldn't have ultimate superpowers; they should actually be locked down to where they can't do certain things like change system process variables. Those should be dictated by the engineer. He may have the ability to do system OS-level stuff, but he shouldn't actually be able to mess around with the user-space stuff.

Then the next document over, that's actually getting into a guidance document. So this document right here, the 2-1, that's what needs to be included in your program. The next document over is a guidance document on how you go about doing that. So there are a lot of issues where the control guys and a lot of the engineers that are doing these programs in their real plants, they are not security guys. They are engineers. They know set points, they know chemical processes, they know how to build a network, but they don't know how to do a lot of the running of it. They don't know how to do the business-level stuff of how you actually go about designing programs; they don't know a lot of that stuff. So we've tried to come up with it, and we've got the idea right now. It's a light bulb because it's an idea; it's vaporware right now. We have not actually written it down, but really it's going to be how you go about implementing this security program.

The next document over is patch management. A lot of these systems you can't patch for zero days; it just doesn't exist. A lot of these systems come down once a year for maintenance, if that. Some of them don't come down for 20 years, because they work and they run and they're implemented and you don't touch them: the old engineering adage, if it works, don't break it, so don't try and fix it.

The next document over is actually an attempt to try and create some sort of certification for vendors that an end user can actually verify, that they're following their correct processes and they're designing a secure device. But it's more about whether they are following their own processes than it is about all the widgets and bits and bytes that they can bake into their system. So it's sort of like an ISO 9000 or a 14000 for a vendor, where an end user could come in and say, are you certified at this level or this level to build a product? If you've got somebody that's certified at a level one, can they build a level four product that's supposed to be locked down completely? There are issues like that right now.

Then everything down below is all tech stuff. So this level, we're dealing with system-level tech stuff. This is going to be, when you build a system you have to use a certificate authority, or you have to use some sort of cryptographic certification of devices and authentication. We don't specify what tech you've got to use; we don't specify levels of tech. So we're not going to say you've got to use AES-256, because the minute we do that, five months down the road, six months down the road, that's old tech. So this is a standards point of view. By the way, one of these things you've got to realize is that every single one of these standards has to actually be in place and unchanged for a minimum of three to five years. From the IEC level, at five years you're supposed to go and refresh it or re-vote on it, but it has to be in place for a minimum of three years. Think about how many of you replaced your PC in the last three years; think about how many times Windows has gone through updates in the last three years. So everything that we're talking about here is functional requirements, not actual interoperability and tech requirements down to the bits and bytes level. Someone would actually have to take this and say that at this point in time, this technology meets this functional need.

So yeah, this level's all about system-level stuff. The first document in it is actually a tech report. It's sort of looking at the current state of technology and what general tech things meet some of the requirements in the standard. So, a firewall: in all the other standards we don't talk directly about firewalls. We talk about network segmentation, we talk about directional flows, we talk about restricting data flows, things like that. We don't talk about specific tech that meets those needs. This document actually gets into some of the tech and gives some guidance on how you try and configure some of that tech to meet these needs. But again, it's not going into device-level stuff; it's saying this is a general type of device and it will meet most of these needs if it's configured properly, and that's another problem.

Audience: So then it's vendor agnostic, it's all...?

Yeah, this is all vendor agnostic. We avoid vendor stuff wherever possible, because it's IEC and ISO and ANSI. We've really tried to avoid any references to any tech. We do actually have a few in the document, but again those are generally in notes or sort of general discussions of stuff. We mention Microsoft, of course, because there's no avoiding it, but we have avoided all the rest: we don't mention Cisco or Extreme or Hirschmann switches or Rockwell PLCs or anything like that. We talk about general categories.

Audience: Is there any suggestion between proprietary and open source and stuff like that?

No, we've avoided all those discussions, because generally it's a business decision in an organization to go with proprietary, open source, vendor specific, all that kind of stuff. By the way, if you want to ask questions, just speak up. I don't have to have ten minutes at the very end to talk about that. So this is just sort of an application of current tech.

The next one over, actually let me talk about this one first, this 3-3 document. That's where we really get down into the technical requirements for system-level stuff, and that's where we talk about adding a certificate authority. You've got this system that's a critical system that has to work in what's called island mode, which is disconnected fully from the rest of the system, and it still has to be up and running. It gets into discussions of different levels of that, so we have what we call security levels 1 through 4, just like the 800 series has the high, medium and low for 800-53. We also have that in ours; we call them security levels 1 through 4, and I'll actually talk about that in a minute. But this gets into the actual requirements and any enhancements that go along with that. The requirement for having a password, when it deals with resource availability stuff, a password is actually a detractor to availability, so for higher-availability systems we have recommendations to actually reduce some of the authentication or some of the access control requirements for higher-availability, higher-criticality systems. There are discussions of that kind of stuff in there as well.

So what we did generally with this document, we started with 800-53, the NIST Special Publication 800-53. It has a huge number, I think it's like 214 or some large number of requirements in there, specific, and again system-level requirements. We took a look at those as our beginning place to start with and then really worked from there. So I think we've got in the range of 114 to 120 requirements in ours, and they've all been tailored for industrial systems. So this is taking them in, really looking at how you work for industrial systems and how you have to modify sort of the IT stuff to really work in industrial systems.

And then this document in the middle, this 3-2, is sort of the glue that holds together the program with the system-level requirements and the actual device-level tech requirements. This is where we talk about how you actually take the requirements that are written in here, so your HAZOPs, your hazard analysis, your consequence analysis that's done up in this stage, and you translate that into security level requirements that are necessary to actually go into what the real requirements for your systems are, and how you design zones and conduits around things and how you do your network segmentation and stuff like that to try and build a better system from the ground up.

And then down here we've actually got individual component-level things. So this right here is actually taking the Microsoft software development lifecycle and trying to take the idea of it and think about what's necessary for producing stuff at the industrial level. And then this is security requirements for devices to meet these system-level needs. It's not a one-to-one translation of what needs to be baked into a network switch to do some of the requirements up here at the system level. It's not really obvious sometimes what you need to bake into a logic controller or what you need to bake into software to meet some of the system-level needs. So this is where we've tried to break it down into a device-level set of security requirements to meet those system-level needs. So 4-1 is software and 4-2 is hardware, and 4-1 is actually the overall lifecycle, so it includes hardware design too: not going to the sketchy Chinese or backwoods gray market to buy your chips, not doing a good general hardware design and reliability analysis on your system and your device, not doing those reliability checks once you get it in place, not doing your due diligence when it comes to the overall architecture of your design, things like that.

Audience: Okay, so it's just overall?

It's overall. So it's taking the concept of the Microsoft software development lifecycle that exists and is actually well established, and that Microsoft is sort of trying to use themselves, and taking that concept and those ideas and trying to roll it into an industrial market where you've got hardware and software integration.

And then all the other headings, some other documents in the series that are actually in the works, that don't show up in the official work products diagram. After Stuxnet came out, and I know I'm not talking FUD here, I'm not going to spread fear, uncertainty and doubt, but after Stuxnet came out, basically there were questions of whether ISA99 and this document series would actually have been able to handle Stuxnet. So we actually set up a task group to go through our standard. Generally, at the time, the only official standard that had anything going on was the security program document, so they went through that as their starting point and said, in the security program document, were there gaps that would have allowed Stuxnet to propagate, or were there recommendations that we could use to actually plug those holes? So they actually found 20 or 35 gaps in the standard. They identified them, and then they came up with actually 33 recommended improvements on those, that we've now actually in the process of trying to add into our revision of the security program document. And the guys that gave these recommendations are actually some of the researchers that did the research on Stuxnet originally. So we've got some of the world-class people that actually did some of the research to find out what Stuxnet was, to do some of the decoding of it, to actually go and mess with the Siemens S7 systems and figure out what was really going on.

And then another document that's been more recent in its adding in: there was a report from the oil and gas industry, from the LOGIIC consortium, and they actually went through and did a design. They actually went into industrial plants and looked at what are called safety instrumented systems, SIS, and they actually analyzed what kind of security architectures could be put in place, and they wrote a report, the LOGIIC report, which I think is available online, and they gave that document to us to try and actually work with. So we're trying to take that document, look at the oil and gas stuff, and then expand it out to be industry agnostic: looking at their report, looking at their conclusions and trying to generalize it out to general industrial automation kinds of ideas, and then once we get that done, once we get a tech report out of it, incorporating that material back into the standard series to see where we can really concentrate on safety and security, since that's a real big issue at this point.

Some of the fundamental concepts that are baked into the series. This is a real eye chart; yeah, you won't be able to read this, but it'll be in the slides so you can read it there. This whole series, we really have seen these kinds of things: there's process stuff, there's tech stuff and then there's the people stuff. In terms of the process stuff, we've taken the 11 categories from the security program, the ISO 27000 series, and we kind of put them along with this process, making sure you're doing your process correctly. Your tech stuff: so this is where we've actually expanded on the CIA, confidentiality, integrity and availability, to actually roll it out to seven things that are really important for industrial systems, and I'll go into more of them in a minute. And then there's people stuff, so making sure your people actually understand the need for having a training program, and the need for, it's motivation versus defiance. So there are a lot of times where people will do everything in their bag of tricks to avoid getting IT involved or avoid getting the maintenance people involved.

I worked in the manufacturing industry for quite a long time, and the robotics guys had handheld units that they would have to hold on to to make sure that the robot would do its stuff; otherwise a big e-stop would come in, the robot would stop moving and the operator had to basically restart the whole system. It was a safety thing; it was meant to actually keep people from being knocked over by the robot accidentally. But the problem is all the guys figured out that if you wrapped duct tape around it or wrapped electrical tape around it, they didn't have to hold it anymore. Well, then the Robotics Industry Association came out and said no, you actually have to hold it with a certain amount of force, so you couldn't just let go of it and you couldn't grab it real tight. But then people started developing carpal tunnel because they had to hold on to something and they couldn't just grab it real tight, so then they had to figure out all sorts of stuff like that, and the guys kind of figured out that if they wedged some cardboard in there and then wrapped it with electrical tape, it worked for them. People figure out ways around the system all the time.

Audience: They're trying to create Terminators?

Yeah. But the idea of safety has really gotten baked into a lot of the industrial systems, especially the chemical plants, and so a lot of times they'll have a sign of so-and-so number of days since our last safety incident. And what we want to do is get to the point where safety and security are on the same board: so-and-so number of days since our last security incident. We would love to see that. I don't think it'll happen, but we would love to see that kind of mentality towards security. And so there's other stuff that's sort of people stuff, solving the general overall people kind of things, relationships between IT and what's called OT, information technology and operations technology, those kinds of things.

So the what we call foundational requirements: this is the easiest sort of stuff to start with when you're getting into our standard. This is actually where you get into the tech stuff, and this is taking CIA and expanding upon it to really fill out what's needed for industrial systems. So the top two really constitute what is normally called access control. When we actually started looking into the standard there were 40 or 50 different requirements that baked into access control, and it just got to be too much to handle, so we decided to break it down into identifying who this person is and then assigning them to a role, but not actually saying anything about what the role was able to do, and then assigning roles and what responsibilities relate to those roles. So that's where we've got identification and authentication: here this person is, I'm Joe and I am a system integrator, okay, so that means I'm identified and I've got my little sign on me that says system integrator. Now what is a system integrator allowed to do in DuPont facility number such-and-such in this location? That is assigned separately, and that's what we call use control. So this really gets into the authorization piece; this is the standard authentication and authorization.

The next one down: a lot of times in the IT world this is just data integrity. Now we're talking system integrity, so making sure the whole system does what it's supposed to do and does it when it's supposed to: making sure that the PLC does its job, the safety system does its job, making sure that they don't receive bad information, but also making sure the overall system doesn't do things it's not supposed to do.

Data confidentiality, that one's a direct translation from the IT world, but again data confidentiality has a slightly different meaning. This is not just being able to do encryption on everything; it involves some more things.

Restricted data flows: this is now getting into doing network design properly, getting into architecting your system so that these devices that really aren't designed to handle a lot of extra background traffic, a lot of extra extraneous kind of stuff on the network, are protected. They weren't designed with Ethernet and high-speed networks in mind; they were designed with dedicated 24-volt signals going back and forth, or they were designed with RS-232, at most 19.2k lines going back and forth. They were not designed to handle all this extra stuff; they were not designed to do encryption. Some of the stuff that we deal with, they've got a 300-baud modem between two sides out to a water pumping facility, and you're not going to do large-scale block encryption on a 300-baud modem. So how do you do that kind of stuff? How do you do that network segmentation? How do you start looking at breaking systems down and protecting them, doing that network zone model kind of stuff, in a real situation?

Timely response to events: this is, okay, once you know that something did happen, what do you do with it? How do you actually make sure that it bubbles up to a point where somebody can actually do something with it? How do you actually trip your IDS systems to know that something's going on? How do you actually teach the operators to notice when things seem a little wonky, something's just not quite feeling right? These guys deal with these systems day in and day out; they know when something just doesn't feel right. Being able to say, from a policy level, that they're not going to get reprimanded because they stopped the manufacturing line because something didn't seem right with how the robot was working, or something didn't seem right with how the mill was working, or the burner system or things like that; something just didn't seem right. These guys know these systems. They work in the system sometimes for 20 years, 30 years straight; they know them really well, and they need to be able to bubble that up.

And then availability. This is more than strictly just system availability or device-level availability; this is actually system-level availability, making sure that you can actually still run even if bits and pieces of your system start to fail, making sure that the critical systems that absolutely have to run no matter what, 24/7, five-nines reliability, work when they absolutely have to.

Audience: So is that in relation to COOP, their continuity of operations, or is it separate?

Yes, it all depends. There are some systems that are regulatory, and some of the EPA regulation on some of the chemical plants and things like that, those systems have to run no matter what, because if not they receive million-dollar-a-day kinds of fines and stuff like that. So making sure those kinds of systems run regardless of what happens to the plant, things like that.

So I mentioned earlier about security levels. We've taken a sort of threat direction for our security levels. Level one is trying to defend against a casual or coincidental violation. So this is not leaving the recipe to Coke out on the desk where anyone walking by can see it, not having the sticky note with the username and password for the HMI or for the PLC. There was a really famous picture of a submarine that had the fire control system with the password on a sticky note right there on the screen. It's like, what were you thinking? And this was a publicity shot that they had come through, and it was published on the internet with the fire control system passwords and username. So this is that kind of stuff: solving the stupid human tricks. I mentioned it before, stupid human tricks are level one generally. This is policy and procedure level stuff. There's some tech stuff in there, not putting unencrypted wireless on your system when you're trying to do control and things like that, so there are some little things that you can do at a tech level at level one, but generally a lot of this is going to be policy and procedure level, solving stupid human tricks.

The next level down is where you really get into some of the script kiddie level stuff that's out there. Since I've been doing reliability and performance testing for a while, one of the things we generally did is just download the free version of Nessus and go and run that against devices, and you would be amazed at some of the things you find. Ping of death, which has been solved and patched and fixed for 15 or 20 years, is still present, because people bought their TCP stacks way back when, didn't bother to buy the source code so they could fix it, or didn't bother to buy a site license or renew their licenses to fix stuff over the time. Just engineers: it works, they're not going to do anything with it. It gets the job done, so they're not going to fix it. Well, that's what happens. And so a lot of this level's stuff is figuring out what we call simple means with low resources, generic skills and low motivation. So this is not really dealing with someone trying to intentionally, well, this is intentional, but it's not going to be the situation where somebody's actually trying to come through and do a dedicated hack on your system. This is an IT virus that just happens to get into your system because someone took the USB key from their PC on their desktop and brought it out to the HMI on the nuclear power facility, that kind of stuff. So generally these are going to be sort of IT viruses or IT situations that end up affecting you at the system level or the industrial level.

Down here in three and four, these are intentional attacks, and they deal with people that actually have knowledge of your system to some degree. Maybe it's somebody that knows what a PLC is, knows what the EtherNet/IP protocol or the Modbus protocol or the PROFINET protocol are. They actually have used these systems, maybe they've played around, they know a little bit about how an industrial plant works. Maybe they've got another guy that's working with them that actually is a chemical engineer, that actually knows that you put chlorine in this place and you put sodium in this place and you put something else over here and you've got stuff going on. So that's your insider element.

Audience: And after, generally?

Yeah, this is where you've got to have some knowledge of the system. It may not be insider knowledge of your particular plant, or it could be; this could be the disgruntled employee that knows all the passwords, knows where all the bodies are buried and things like that. And then this one here is where you're dealing with generally someone that's extremely motivated to try and screw with your system. So this may be the state actor that everyone talks about, APT and stuff like that. This is that kind of situation; this is the Stuxnet-level attack. Not that everything at level four will fix Stuxnet, but this is that kind of Duqu, Flame, Stuxnet, whether or not you believe it the US going against itself, and things like that. This is the level of attack where you've got someone that's highly motivated to screw with you and you're trying to defend against it, so this is a lot of times active, directed defense mechanisms that are working 24/7 regardless of what's going on.

So I mentioned a couple of times zoning and conduits. This is trying to actually wrap your systems in well-known sort of groupings. There is a relationship between network architecture, actual hardware network architecture, and zones. Zones are actually meant to be security requirement wrappers, but a lot of times it's easier to just start with that wrapper model and then work that down into an actual network architecture model. So a lot of times these actually relate directly to how a system is architected. So to get to this safety system from the internet you've got to go through the enterprise, go through the plant DMZ, go through what's called the basic process control system, and then get down into the safety system. And it's not just solving the tech stuff of doing that, but also having a higher level of policy and procedure stuff for this level as well. So you don't take the USB key that you used up in the IT system to transfer files down into here. You have to go, from a policy and procedure level, through the enterprise level: you load it onto a server in the DMZ, then the server in the DMZ is where you actually pull files from to get to here. You don't start loading things directly; these systems can't be touched in a lot of cases. So you've got to work with the system and try and actually work with the restrictions that are in place from a policy and procedure level and from a tech level, and design things properly.

Another example is a manufacturing example. So you've got robot cell one, robot cell two, and maybe the part has to go from one to two, but this guy doesn't talk directly to this guy. He goes through some sort of intermediate step so that the data can be sort of washed and cleaned, to make sure it's not doing anything it's not supposed to in the process.

So that's my talk.
here's more information we always encourage more people to join us and help out you don't have to be industrial people we're we're we have um a large number of researchers involved in in the work too um we're always interested and hearing different people's opinions um we have a Wiki site it's a SharePoint Wiki so if you hate SharePoint just uh live with it um and we we have a Twitter it's used occasionally it's probably less than once a week but uh we post up meeting notices we post up uh um when we've got uh general information things like that um Eric Cosman works for D chemical um you can get either of us our staff contact person and uh please feel
free to to give us any suggestions um oh one of the things is on the on the uh Wiki we actually have posted draft copies of all the current versions of our standard so if you want to read up what we've got and give us comments feel free please do we encourage the more people to give us comments then uh then we can so the majority of us seems to be targeted towards the system owners to be able to help provide metrics and controls for their own existing systems of cents uh having been as a operational security pres in the past when you put out an RFP uh you request that the vendors when they come to the table do
have C secur controls and mechanisms is there any um uh working group with like the Seamans and the rest of the manufacturers of these uh uh systems to include those features yeah absolutely that's going to be down at these two levels so uh as I said this is actually 853 sort of modified and moved around to be um system level industrial stuff and so this has got a lot of this has a lot of tech stuff in it gets down into what you would need to include in a system um and and this is the level of what we call the system integrator role uh this is it may be uh an end user that has an
Engineering Group inside it that does some system integration before they put things into real uh into production it may be a Sy a dedicated system integrator uh that that ends up being like a first or second tier supplier to an end user or it may be an end user that's trying to roll a bunch of stuff together to create a system like a um seens that goes and bumps put a firewall in front of their PLC or their their uh DCS system and bundles it together and calls it uh a a uh a new product but effectively they're creating a system level thing uh and and doing so they have to take into account those kind of
requirements and then down at this level yeah it's it's dealing with what does Seamans have to bake into their product what does Rockwell have to bake into their plcs what does um The Cisco have to bake into their switches from like auditing exactly all that kind of Stu so this this this is where we're going to try and deal with all those B all the people that come out and say I found vulnerability such and such and it's CBE this and that and this is where we're trying to deal with all that kind of level stuff so but you are working with like the manufacturers of these systems yeah out of that 200 200 plus companies I would say um
there's probably a good 30 or 40 that are just vendors okay and it's it's every if you can name a vendor in the industrial space we pretty much have them cool so do you anticipate that vendors will get on board with this very much like they have with the federal government policies and start presenting overtime products that are you know certifiable or in compliance with certifiable is a good word when you talk about the government I work for 20 years at the government so I understand that um but yes that and I didn't mention it here there is actually an Isa security compliance Institute that's trying to actually come up with a brand Isa secure
to go along with that uh that's one group that's doing it there's another group that's doing what's called uh um the WB and that's a a World Tech and those guys and they've got another Achilles a series of tests that they can certify things to the bronze silver and gold there are people doing compliance and certification groups uh but again it's uh I I didn't want to get into that it's it's a that's a different world and there's actually some infighting that's going on and it's a big pain so you first is this more of a recommendation set of documents or is there certifications WRA around a lot of this and I can't really exactly which is
where okay these are these are stand functional standards some other group would have to say you must work uh but what actually what we really are expecting is that end users would actually put these in their rfps that they would actually say You must if you want to provide work if you want to work with us you've got to be a PLC manufacturer that is security level 3 to like three certifi cied and they go out and buy a product and they can put it in their rfps this is not that certification exist as I said Isa secure is trying to do it and World Tech's trying to do it and their their group's trying to do it
but it's not there yet so um question for medical devices there is a um manufacturer disclosure statement for medical devices um are you familiar with those I I I know of medical devices have some um of control that they have um is not certified or certifiable but uh you got of provide some guidelines I mean how do you see that in in these framework we haven't had a lot of input from the medical device Community only recently did they even start being considered uh Industrial Systems a lot of them still kind of have their their blinders on and don't think they're industrial yet uh but they're small dedicated individual boxes uh that have critical uh components to them and and
they can easily be consumed by part of this work um we haven't really paid too much attention to them but basically um they could take from our catalog controls uh we the DHS has its catalog controls uh the nista has its catalog controls we've tried to work with both of them in fact there there's a mapping of how we relate to the nerk sip at least version three uh the sp800 Rev 3 and we've got some uh some people as well involved in the DHS catalog controls we've done some comparison to those things we haven't messed around with all the other industries that are looking at stuff just because we we don't have anybody that's really involved in that that
group yet um we would love to we would love to hear about it and love to see some somebody do that we just we don't have enough uh people to really do
more other questions thank you very much [Applause]