Industrial Control

Last week, I was an invited as a guest presenter to the EFC’s IoT group meeting in Toronto, Canada. During this meeting, I presented our current view on state of standards and regulations that will impact many markets globally but with a focus for vendors who service the NA market for electrical and critical infrastructures.

With pending Bill C-26 and it’s current requirements it will have a potential negative impact to SMBs who are not servicing this sector. Our guidance is component and product vendors must start assessing both cybersecurity and privacy risks in their business not just a once but on-going basis and ensure they create auditable outcomes for these activities (full stop). Governments globally are clearly going this route and if you want to sell into many jurisdictions you will need to demonstrate how you meet these requirements.

By far the easiest way to do this is by implementing a governance framework (there are many, just chose one!). Likewise, you need a SDLC, again just implement one for your business if your a product vendor. Last but not lease, think about how you will demonstrate you meet these requirements. I would highly recommend you loot at the CSA Groups T-200 which has been adopted in both Canada and US as a means for certification.

Here are the links I have included in my presentation:

a. US Executive Order for Cyber Security

b. Report the US President on Improving the Nations Cybersecurity

c. Canada announcement on Secure by Design Approaches

d. Bill C-26

e. NASA Details of Detecting Fraud in Supply Chain

My Presentation:

ElectroFederation – IoT:OT Standards and Regulations

 

A short history

This project started from a request back in 2016 from national energy provider company wanting to ensure that the IoT based devices they were recommending to clients were safe for use and could not be weaponized. This came to be as their in-house legal team we getting nervous hearing about all the device compromises on a daily basis.

This organization was known to the CSA Group standards teams and the reach out happened in the Fall of 2016 in a former site of CSA in Seattle suburb near Redmond. This meeting focused on the current nature of standardization and the complete lack of certification that looked at both the companies and the products they created from a maturity perspective. Hence the concept of the T200 was born and I was fortunate to be part of that discussion and in the develop of the T200.

Now happens next is bit strange for standards developers, specifically when creating new standards you do that market scan, determine weaknesses, etc. In essense a study period to better understand the market. However, CSA with our help decided to build a cyber assessment program. Yep, that is what we did and tried it a few times to better understand the overall impact to the vendor (regardless of size) and their ability to meet a baseline. This was a challenge and was not easy, it resulted in a lot more grey hairs. However, after 18 months of developing a process and validating it with vendors on both sides of the border, we had something. Not a small something but a concept that was field tested and ready for prime time!

Now based on this and with support of the folks at our energy company and CSA, a NOI (Notice of Intent) was filed with Standards Council of Canada. It was met with some challenges by other SDOs that other “certifications” existed and this was not required. However, I was called up from pinch hit for the CSA on this as I wrote the seed document used for the NOI filing. My position on my argument was easy. There is no certification scheme that considers a company and the products they create from maturity model perspective. Needless to say, CSA was granted the project and we began our work in earnest to build our committee.

I will not get into all the trials in tribulations for a standards development process as it long, boring, and I don’t need to make this blog any longer than it needs to be ;). We assembled a mix of expert in both Canada and the US and developed the core content and 200+ controls that would be included in the initial version. This included adding a last minute supplement to meet the specific needs of the energy sector for both NERC and FERC compliance. It was tough and we got it done and published in May of 2022.

T200 Foundations

Here is what is contained in the standard, and why it is a game changer:

  • It starts with a vendor self -assessment, then initial Maturity Level is assigned.
  • Next up an audit verification of the self-assessment claims, then Maturity Level is updated to reflect any issues identified.
  • Finally a penetration test for the primary solution of the vendor including all components (device, cloud, apps). The final overall Maturity Level is assigned to the organization.

Are are some of the details on this approach.

  1. Maturity Levels:
    • Level One – Global baseline controls for a device
    • Level Two – Low security maturity for cyber risk and safety related solutions
    • Level Three – Midrange security level for cyber risk and safety related solutions
    • Level Four – Highest security maturity level for cyber risk and safety related solutions
  2. Six Domains of Coverage
    • Governance – Practices that organize, manage, and measure software security initatives within an organization
    • Intelligence – Practices that result in corporate knowledge used in carrying out software security activities
    • Software Development Lifecycle – Practices associated with analysis and assurance of particular software development artifacts and processes
    • Deployment – Practices that work together with traditional network security and software maintenance organizations
    • General – Practices related to an organizations approach to cyber security and data protection
    • IoT Solution – Practices considered during the development of IoT products/solutions
  3. Eighteen Practice Areas (these align to the Domains)
    • Governance – Strategies and Metrics, Compliance and Policy, and Training
    • Intelligence – Attack Models, Security Features and Design, Standards and Requirements
    • Software Development Lifecycle – Architecture Analysis, Code Review, and Security Testing
    • Deployment – Penetration Testing, Software Environment, Configuration Management and Vulnerability Management
    • General – Asset Management, Trustworthiness, and Security Operations
    • IoT Solution – Security by Design, Data Protection, and Security Feature Set
  4. The Entire Process for T200 Certification (this will depend on the lab conducting the evaluation)
    • Complete a NDA or similar
    • Complete a self-assessment questionnaire
    • Submit the self-assessment questionnaire for evaluation and grading
    • Audit of vendor
    • Audit Findings report
    • Testing and evaluation (product/service)
    • Testing and evaluation report
    • Attestation label filed for product/solution

This process makes it easy for vendors to undergo the evaluation but at the same time it allows any organization to chose the target Maturity Level for a vendor to target.

What has been identified is the ability to meet requirements for supply chain and third party providers for any sector and it aligns to the ISO/IEC standards for IoT Baseline and Security/Privacy, the NIST IoT baseline, ETSI 303 645, and UK regulatory requirements. Harmonization was a key aspect of this project and ensuring we were tracking too and preventing fragmentation was key to our success. Security is not a one and done process but an ongoing lifecycle. You either buy into this approach or you don’t. It is only way to ensure the changing landscape of cyber risks are being identified and mitigated.

Here is a link to the standard: CAN/CSA T200

 

 

Yesterday, we officially launched CSA P125 Technical Committee on  Operational Technology Functional Safety and Security. This group is compromised of experts who represent organizations in multiple sectors and from both Canada and the United States. Our mandate is primary ensure that both international and regional standards of interest are adopted in both countries.

As our standards will be published under Standards Council of Canada (SCC) and American National Standards Institute (ANSI) they will recognized in both of these markets. As we look forward to providing both vendors and organizations options for selecting and implementing standards and certification options that will reflect a commitment to secure products and solutions by these vendors.

As the co-Chair to this group, I am very fortunate to be in such great company and expertise. As the editor of T200, I am humbled by the expertise we will have available to make our standard reflective of industry needs and requirements. I am looking forward to building relationships with the new members in the years ahead.

As with all new journeys, this one is even more special due to many of the critical aspects of the technologies we are dealing with. Getting to discuss so many new use cases and sectors it the best part of the job. There are so many cool projects and technologies that the layman just never sees but ensuring that many aspects of society continue to operate normally. This group is going to be there to set the bar for security in OT technology.

//Faud