Given today’s climate of possible cybersecurity breaches, it’s understandable that all users of industrial control systems are extremely concerned about the safety and security of their automation software and systems. Any automation software worth its salt needs to have security and safety as an intrinsic part of its design and development, and ICONICS continues to invest and to be proactive in this area. Since it is tough to balance having a fully secure software system while meeting the expectations of ease of use and flexibility for our customers, I thought I'd throw down a blog on how ICONICS' development efforts are helping our customers keep their systems safe and secure.

I’ll first explain how we adhere to the latest security protocols by striving for the foremost industrial security development certifications – with IEC 62443-4-1 being our most recent achievement – and then I’ll explain our strategy for phasing out unsupported .NET Core elements in our platform which helps increase security even further. Some of this can be a bit dry and technical – but I promise I've attempted to inject some humor to keep it interesting.

The 62443 Security Standards

IEC 62443 is a series of standards that define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards are comparable to a vehicle’s braking standards. From car to car, braking operates consistently and has enforced stopping distances. These standards are super helpful to everyone on the road. Especially when your mother is a speed demon and suffers from cataracts so can’t really see all that well. But … she’s still too young for the mandated old age driving tests so continues to drive. With respect to software development, these IEC 62443 standards are a set of best practices when systems are developed for security and provide a means to assess the level of security performance of the processes used by the vendor when products are developed.

The standards in this series include the following:

  • Four standards at the general level that apply to terminology, glossary of terms, conformance metrics, use cases, etc.
  • Five standards that apply to policies and procedures.
  • Three standards that apply to systems.
  • Two standards that apply to components.

The two that apply to components, such as the ICONICS software suite, are known as IEC 62443 Parts 4-1 and 4-2 (also labeled IEC 62443-4-1 and IEC 62443-4-2). Wow, that’s a lot of numbers! The last time I saw that many numbers in one sentence was when I was doing my taxes. Anyway, these numbers are the ones most relevant to the automation software products we create and sell. In fact, after much hard work by many team members, ICONICS was recently certified as being compliant with the IEC 62443-4-1 standard which focuses on the requirements for establishing a secure product development lifecycle.

These standards were designed to manage security issues unique to industrial automation environments, control systems (IACS), and operational technology (OT). Additionally, these standards attempt to address data confidentiality, potential dangers due to cyber-attacks, the need for compensating controls, and the consideration for financial loss due to cyber security incidents.

Stay with me – we're going deeper... but unlike the 1989 sci-fi blockbuster The Abyss by James Cameron, going deep will not cause any paranoia with aliens appearing.

Changes We’ve Made to Move Toward the 62443-4-1 Security Standards

The interesting part of this certification is that none of ICONICS’ development processes needed to be overhauled to meet the IEC 62443-4-1 certification. The framework required was already in place due to us listening to and working with customers for more than three decades in the market. These processes include:

  • A development lifecycle system with change control and audit logging.
  • A detailed feature definition of requirements (storyboarding and/or acceptance criteria) which allows better software design, traceability, and quality assurance practices.
  • A repeatable testing/verification/validation process.

Now, some might say that ICONICS was already ahead of the security game when compared to its competition. But our team took inspiration from the late Vince Lombardi who said, ‘Perfection is not attainable, but if we chase perfection, we can catch excellence.’ So, following Vince Lombardi's lead, we decided to catch excellence and go for advanced certification by adding further measures:

  • Clearer and enhanced responsibilities for security throughout the organization.
  • Mandatory security training across the organization with the majority of ICONICS employees being tasked to complete some level of security training (like that offered by Security Journey).
  • In our Development team:
    • An even greater awareness and checking for security vulnerabilities in 3rd party components.
    • Tighter integration of security reviews into the design and development process. To facilitate this review, each development engineering work item now includes a ‘security implications’ flag associated with it. If this flag is set, the work item will need to go through a series of reviews including a security design review and a security implementation review. This measure is now built into the ICONICS Team System/Dev Ops based development tools.
  • In our Development and Quality Assurance teams:
    • Greater awareness and integration of threat modeling and defense in depth into the design, implementation, and testing of the products.
    • Improved documentation on security best practices.
  • In our Quality Assurance team:
    • More testing focused on finding potential security issues.
    • Adoption of the standard practice of creating an automated regression test for every known security vulnerability to help ensure such vulnerabilities are not repeated.
  • Enhancements to the work instructions in the Development Engineering Guide.
  • Enhancements to the work instructions in the Quality Assurance Guide.
  • The establishment of an official documentation procedure and the creation and publication of a new ICONICS document that significantly expands on our existing standards. This document includes additional work instructions and the management of security issues.
  • Many improvements to our user documentation related to security including the addition of a new section to the ICONICS’ security whitepaper (Highly Secure HMI SCADA and Automation Systems) on Defense in Depth in automation systems and numerous improvements to the ICONICS Security Best Practices section of the whitepaper.

OK, that is some list of bullets, right? I feel like long bullet lists are like having a lot of babies. As parents, you find them cute and manageable when you have one or two, but more than that can be too much…usually resulting in sleep deprivation and consumption of loads of anxiety meds. I get it; nobody wants to read a long bullet list. But in this blog, we wanted to be comprehensive in communicating that we took a lot of actions towards improving our security. And don't worry, we’re not passing all the babies onto you.

So, what does this mean to our customers and the engineering community as a whole? This means we have the proper processes in place to make a more secure product. And we have an ongoing commitment to continuous improvement, so we’re not stopping here.

What’s Next on the ICONICS Security Journey

Some people don’t like sequels because very few continue the story in a terrific way. But one story that has is Star Wars - which has 3 trilogies, many story spinoffs, and an endless story line. So, the best way to describe ICONICS’ security journey is that we’ve got a Star Wars’ level commitment, so we will continue to expand the ICONICS’ security universe. Although, we’ll be different than Star Wars - our Luke Skywalker will never die; Luke will not kiss his sister; and Han shoots first. But regardless of those details, we’re going to make a lot of great trilogies in our security universe. Moving on...

ICONICS has achieved maturity level 2 certification on 62443-4-1 which is defined for the “Managed” level. At this level, ICONICS has shown its capability to manage the development of a product according to written policies and has shown evidence that its personnel who perform the process have the expertise and training and/or follow written procedures to perform secure product design and development. With this achievement, ICONICS is now on the path to achieving maturity level 3 of IEC 62443-4-1 which is defined as the “Defined (Practiced)” level where the processes can be shown to be practiced repeatably across the organization.

But back to our Star Wars security universe, ICONICS is now working towards achieving the IEC 62443-3 System Security Requirement and Security Levels Certification. The IEC 62443-3 certification will show that the ICONICS Suite supports the security related functions defined in the IEC 62443-3-3 standard. 

Another major move and investment toward being a more secure software and system is making changes in the actual source code of the ICONICS Suite, the cornerstone of which is our GENESIS64 SCADA platform. We’ve moved all our modules that use the now unsupported and old .NET Core 3.1 to the supported .NET 6 framework. Let me explain.

.NET 6 Upgrades in ICONICS Version 10.97.2 CFR2 Promote Even Better Security

Now, we’re going to get a little technical here, so grab a coffee or your energy drink of choice and down it before the next section – you’ll need your mind alert and clear.

Word=Go

FOR letter G in word:

Print (Text 1, Text 2, Text 3)

/Text 1 - .NET 6 is currently the long-term support (LTS) framework from Microsoft which is a core base technology that programs and apps are built on. Think of .NET 6 as an ecosystem of features, libraries, and tools that our developers utilize to create features in our software that take care of low-level basic compute functions and that comprise the features in our software that trigger alarms or display a box on screen. We use these as system-level components that contain code, so we can stick to adding higher level value to the application vs. investing time into code that tells CPUs how to compute basic functions like mathematics or how to render visuals on the screen that are specific to the 100s of graphics chipsets that could be in a computing device.

/Text 2 - Older frameworks, like .NET Core, become old and dated, and if not actively managed by vendors like Microsoft, can become increasingly prone to security issues. For example, with time, more security holes can be found and therefore remain in the frameworks because the provider is the only company that releases fixes. But these companies have moved on, so the security problems remain as known vulnerabilities. So, any programs or apps that use old frameworks are at risk for viruses or malicious attacks if they continue to use unsupported frameworks.

/Text 3 - This is not so with the .NET 6 version as it is being constantly maintained with all security issues promptly fixed (for more details, see Microsoft .NET and .NET Core - Microsoft Lifecycle | Microsoft Learn). Since Microsoft has implemented an end of life for .NET Core 3.1, the company will not fix any possible vulnerabilities going forward. Thus, to address this issue, ICONICS has upgraded all its .NET Core 3.1 components to .NET 6 in our recently released Critical Fixes Rollup for version 10.97.2. This upgrade assures customers that we’re leveraging all the benefits of .NET 6 and therefore have closed the .NET Core 3.1 vulnerabilities.

Now for some of you, the last three paragraphs (Text 1, Text 2, Text 3) made zero sense, and you might feel as I do when software developers try to explain pretty much anything related to security to me at a deep level. It’s like a grandparent trying to understand what the teenage slang ‘drip’ means, but when your grandkid says it, you just smile and move on. What you may really want to know is what does this mean for our customers? It doesn’t mean new features, but it does mean the system is more secure by default, and this alignment with the base technology stack ensures ICONICS is providing a more secure future for our customers.

As always, we encourage all customers to plan system-level upgrades, which includes getting to 10.97.2 CFR2 (or a later release) as soon as you can. Although there is no significant security vulnerability we know of now, it’s better to be proactive and consider scheduling regular system security assessments and upgrades. We know it’s difficult and complex because industrial systems just are – but increasing focus on upgrading in the name of security is key to keeping vulnerabilities in any system to a manageable level.
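One check that can feed such an assessment, as an added example (not ICONICS code and not part of the original post): every framework-dependent or self-contained .NET application ships a `*.runtimeconfig.json` naming the runtime it targets, so scanning an install tree for those files shows which binaries still point at .NET Core 3.1. The application names and sample files below are constructed, and the list of unsupported versions is an assumption seeded from the post.

```python
import json
import tempfile
from pathlib import Path

# Assumption from the post: .NET Core 3.1 is unsupported; extend as versions reach end of life.
UNSUPPORTED = {"3.1"}

def referenced_frameworks(config):
    """Yield (kind, name, version) for each runtime a runtimeconfig.json names."""
    opts = config.get("runtimeOptions", {})
    shared = opts.get("frameworks", []) + [opts.get("framework")]
    for ref in filter(None, shared):
        yield "framework-dependent", ref.get("name", ""), ref.get("version", "")
    # Self-contained apps carry their own runtime copy; machine-wide updates do not patch it.
    for ref in opts.get("includedFrameworks", []):
        yield "self-contained", ref.get("name", ""), ref.get("version", "")

def audit(root, unsupported=UNSUPPORTED):
    """Return sorted (file, kind, framework, version) for unsupported runtimes."""
    findings = []
    for path in Path(root).rglob("*.runtimeconfig.json"):
        try:
            config = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append((path.name, "unreadable", "", ""))
            continue
        for kind, name, version in referenced_frameworks(config):
            if ".".join(version.split(".")[:2]) in unsupported:
                findings.append((path.name, kind, name, version))
    return sorted(findings)

SAMPLES = {  # constructed sample files, hypothetical application names
    "LegacyService.runtimeconfig.json": {"runtimeOptions": {
        "framework": {"name": "Microsoft.NETCore.App", "version": "3.1.0"}}},
    "WebPortal.runtimeconfig.json": {"runtimeOptions": {"frameworks": [
        {"name": "Microsoft.NETCore.App", "version": "6.0.0"},
        {"name": "Microsoft.AspNetCore.App", "version": "6.0.0"}]}},
    "Bundled.runtimeconfig.json": {"runtimeOptions": {"includedFrameworks": [
        {"name": "Microsoft.NETCore.App", "version": "3.1.32"}]}},
}

def demo(unsupported=UNSUPPORTED):
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            Path(root, name).write_text(json.dumps(body), encoding="utf-8")
        return audit(root, unsupported)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

.NET Framework components have no `runtimeconfig.json`, so they fall outside this check and need to be inventoried separately.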

Planned .NET Core Upgrades in ICONICS Version 11 to Realize Greater Security

Now to be clear, the ICONICS Suite with this new Critical Fixes Rollup still uses a blend of .NET 6 and .NET Framework components, both of which are in full support by Microsoft. But given Microsoft’s roadmap to have a single .NET strategy, we are planning to progressively move more of our server-side code from the .NET Framework to .NET 6 to align with this roadmap. If you want to learn more about this Microsoft strategy – have a look at their blog on it – or better yet, call me. We’ll get a whiteboard going and talk through it. I mean Microsoft’s framework strategy is even more confusing than trying to understand the lyrics in the Beatles song I Am the Walrus...

For ICONICS, this move not only allows us to use the best and most supported Microsoft Framework from a security point of view, but also facilitates the path toward the containerization of our software and provides the possibility of running on different operating systems (including Linux-based OS). However, it’s proving to be no small feat for our developers to move to the .NET 6 framework, so we’ll be doing it in phases in future major releases. We live by the philosophy of doing the hard things, so our customers don’t have to. And I'll quote the late Zig Ziglar here, “There are no traffic jams on the extra mile.” So, if you’ve made it this far in the post, you now know what's available and what is coming. In addition to just upgrading, we’re encouraging our customers, even those who don’t typically like to upgrade their systems, to start planning and defining their engineering processes for more frequent upgrades to keep up with our releases, so their systems have added security. We know this can be painful in the industrial segment; nonetheless, the tradeoffs are significant given how the software landscape has changed and how security has become one of the major items of focus. I like to remind engineers, especially the ones that just entered the field and even the ones that work for our customers, that we didn't choose to be engineers because it is easy. Engineers are employed to do the hard things that many don’t see. So, keep your systems updated because it’s worth the effort.

Industrial Automation Security - a Bit Like Riding a Horse

If You’re Comfortable While You’re Doing It, You're Probably Doing It Wrong

It is part of our responsibility to do as much as we can to ensure our customers’ systems are safe. We don’t want you to wonder what we are doing, so to ease your concerns and to uphold transparency, I’ve outlined our security work and strategy. Together with our customers and the engineering communities, we are forging ahead by creating software that is increasingly in systems that are connected, and we need to take security into consideration at every step.

As systems become more and more connected, we all will face security challenges that need to be addressed. It’s a bit like riding a horse. If you’re comfortable while you’re doing it, you're probably doing it wrong. That being said, I like hearing about the issues and being challenged, so we can all get better in the end. So please engage with me and let me know your thoughts on this topic.

If you want to know more about the measures ICONICS is taking to safeguard your systems and organizations, you can visit our Security Center or email me at Kyle@ICONICS.COM.