Each major version of Ignition is built for long-term use, but that does not mean development stops after the initial release. A consistent train of updates delivers frequent improvements to stability, security, quality, and privacy, backed by a commitment to proactively seek out and resolve vulnerabilities.
Inductive Automation acknowledges the shared responsibility needed for customers to meet their security requirements. Software vulnerabilities and bugs introduce risk into end-user environments, and in industrial control systems that risk can extend to the safety of equipment and the people around it. A Secure Software Development Lifecycle (SDLC) integrates security processes throughout the life of Ignition: design, implementation, testing, operation in production environments, and finally decommissioning. This improves overall quality, reduces security risk, strengthens customer confidence, and supports compliance requirements.
The Inductive Automation company-wide Secure Software Development Lifecycle (SDLC) was recently assessed by Exida to meet the requirements of ISASecure Security Development Lifecycle Assurance (SDLA) 3.0.0 and IEC/ANSI/ISA-62443-4-1-2018 Secure Product Development Lifecycle requirements.
This represents a significant milestone in Inductive Automation’s (IA) ongoing campaign to continuously improve the security and quality of Ignition. The Security and Trust Portal provides a “look behind the curtain.” Customers want to know how we protect the build environment, what kinds of automated and manual testing we perform, how we reduce supply-chain risk by shipping timely software updates and managing our third-party libraries (which become your “transitive risk”), and how we consistently demonstrate the other aspects of process maturity expected of secure software development.
IA goes above and beyond in many ways. IA volunteers Ignition as an ICS target at Pwn2Own Miami each year, commissions regular third-party application penetration tests, and looks to external sources such as NIST and follows industry guidance. We host a public demo and act on vast amounts of customer feedback, including cybersecurity assessments, security researcher findings, and vulnerability scan results.
We take security seriously and want the Ignition community to know that we invest in proactive measures to ensure their Ignition environments are protected. This has not been a “check the box” exercise. Each requirement is considered in the context of customer needs.
This process has already improved our governance structure and positively impacted Ignition and the SDLC at every stage, from planning, testing, implementation, and documentation through to customer notification.
What is IEC/ISA 62443?
IEC 62443 is a set of standards on security for Industrial Automation and Control Systems (IACS), developed by the ISA99 committee and published jointly by ISA and IEC. The standards form a comprehensive framework built on a shared responsibility model. Broadly speaking, Part 1 establishes terminology, concepts, and models; Part 2 covers policies and procedures, chiefly the responsibilities of the Asset Owner (customer); Part 3 covers the system level, including integration by a System Integrator; and Part 4 covers the component level, from the product supplier’s secure development lifecycle (62443-4-1) to technical requirements for hardware and software components (62443-4-2). In this model, Asset Owners are responsible for policies and procedures, training, and physical security. System Integrators are responsible for system design, choosing appropriate technologies, configuration, and integration informed by risk assessment. Product Suppliers are responsible for securely designing, implementing, testing, documenting, and maintaining their products.
IEC 62443 is arguably the most widely adopted standards-based approach to Operational Technology (OT) security, alongside the wide body of publications released by the US National Institute of Standards and Technology (NIST), such as NIST SP 800-82 on OT security.
IEC 62443 allows Asset Owners to understand, manage, and communicate the risk associated with their IACS. It also provides guidance for the other stakeholders, including on product selection and integration.
What IEC/ISA 62443 is Not
The IEC 62443 set of standards is most directly applicable in non-regulated industries. Asset Owners in regulated industries are more likely to follow the regulations and best practices of their respective verticals. However, all of them are likely to appreciate the secure practices that certification demonstrates.
In the United States, electrical power generation and distribution is regulated by the North American Electric Reliability Corporation (NERC) to Critical Infrastructure Protection (CIP) standards. Food and drugs are regulated by the Food and Drug Administration (FDA). The Transportation Security Administration (TSA) regulates air and ground travel including trucking, rail, and oil pipelines. Many other critical infrastructure sectors are similarly regulated.
As a software supplier, our cybersecurity investment in a Secure Software Development Lifecycle aligned with 62443-4-1 has paid off. These efforts enable us to help customers address NERC CIP-013 (Supply Chain Risk Management) concerns, pass a recent pharmaceutical GxP audit, and respond to TSA guidance to pipeline owners and operators. IEC 62443 provides a solid base of requirement areas on which we can then build to satisfy customer-specific requirements.
What’s Next with Security
Maintaining top-of-the-line security requires continual improvement. It is a constant balancing act: removing technical debt while fully supporting legacy systems, fixing third-party vulnerabilities as they are announced, offering new security features, and raising the minimum bar through stronger Secure-by-Default and Secure-by-Design practices.
Inductive Automation continues to invest in people, processes, and technologies to improve customer security and integration capabilities. This includes technical guides, training resources, and interoperability. Inductive Automation closely follows existing standards and industry best practices from the Cybersecurity and Infrastructure Security Agency (CISA), NIST, and other organizations that provide security leadership and guidance.