Rockwell Automation – The Unsung Heroes of Industrial Security: Researchers
September 18, 2019
By Megan Samford
When a vulnerability exists in an industrial control system, it’s vital that the good guys discover it first.
That’s why we’re grateful for the work done by the largely unheralded heroes of cybersecurity – researchers.
These folks work diligently to uncover industrial security vulnerabilities. When they find them before the bad guys do and alert companies like ours so we can fix them, they help prevent what could be major security incidents.
At Rockwell Automation, we embrace researchers. We actively work with them as part of our standards-aligned vulnerability handling and coordinated disclosure process. And we make a point to give credit where credit is due by showing them our appreciation.
Testing the System
Outside researchers test industrial control products the same way an adversary does: they look for flaws in systems and communications protocols and try to work their way in.
If a researcher finds a vulnerability in our products, they can notify our Product Security Incident Response Team (PSIRT). We’ll then work with them to identify and resolve a validated vulnerability.
When we disclose the finding in a security advisory, we recognize the researcher who found it as a sign of our thanks. We also send the researcher a personal communication to reiterate our appreciation. It’s a simple token of thanks – but for us an important one. And often, the gratitude goes both ways.
For example, Jacob Baines, a principal research engineer with Tenable, Inc., recently worked with us on a security disclosure. He relayed the following:
“Rockwell Automation PSIRT is one of the most professional security groups I’ve disclosed vulnerabilities to. In my experience, Rockwell Automation responds quickly to disclosure-related emails, and they’ve always taken timelines very seriously, to help ensure the ecosystem is secure.
“Furthermore, whether it be the developer’s progress or planned publication dates, Rockwell Automation does a great job of sharing information. This is key to effective coordinated disclosure. They even share their advisory text in advance. In my mind, the Rockwell Automation PSIRT is a great example of how vendors should work with researchers on coordinated disclosures.”
Making Proactive Security a Priority
Getting ahead of threats is central to what we do in our industrial security work at Rockwell Automation. Working with outside researchers is one way we do that. We also have our own researchers who aggressively test our products to look for flaws. And we take other steps to be proactive.
For example, our Allen-Bradley ControlLogix 5580 controller is the world’s first controller to be certified compliant with IEC 62443-4-2, today’s most robust control system security standard. We also certified our Rockwell Automation Security Development Lifecycle (SDL) to the IEC 62443-4-1 standard.
For us, industrial security isn’t just about securing our products and services. It’s about helping the companies we work with protect their people, productivity and intellectual property.
You can learn more about our industrial security strategy, services and solutions here.