My previous blog on Version 2 of the WIB Security Requirement for Vendors reads a bit like a security assessment report. While it highlights some positives, most of the details are on the deficiencies. To be clear, it is one of the better documents in this space and something we will recommend to our owner/operator clients to use to tell vendors what they expect.
Now in this blog I’ll focus on the WIB Certification Process because the goal of the effort is for WIB to provide industry certification of a Vendor’s Security Program. Here are the short pro and con cases for the approach WIB has taken with this effort:
Pro Case – Shell wanted vendors to meet a minimum set of technical and administrative security controls in the vendor development and delivery of control systems. They worked with Wurldtech to structure a document and program to do this, with WIB as the vehicle. Shell and Wurldtech then generously donated the work and results to WIB so it would benefit the whole community and encourage more vendors to go through the process. [I’m sure some others on WIB have contributed, but Shell and Wurldtech have made this happen] The approach was selected to make something happen faster than a typical standard or certification process.
Con Case – This is a company and customer creating a private certification standard, akin to what Wurldtech did with the Achilles standard, that is purporting to be something else. The initial certification entity, Wurldtech, was selected without any open consideration of other entities. There are no criteria that a certifying entity must meet and maintain, either for Wurldtech or for anyone else who wants to certify vendors to this document. The decision was arbitrary, without any published criteria or independent review. There are also questions about what process and requirements there were for getting the Security Requirements for Vendors document written and approved — note from the last post that there were items in the document that would not survive the rules of most organizations, e.g. ISA, API, NIST, etc. Positioning this as a peer reviewed and independent effort is misleading.
Next Question: what does it mean to be WIB certified to bronze, silver or gold level? How does the certifying entity determine if a vendor meets the criteria in the document? WIB graciously provided some information on this, including a spreadsheet, a warrant example and some info in emails. It is pre-release, so I’m allowed to comment on it but not quote it at length or link to it.
A spreadsheet mapped an evidence requirement to each Base Process, which is what a certifying entity would need. However, almost all the evidence requirements were “Vendor senior manager warrant certifying …”. So this is largely a paperwork exercise where the vendor documents how it meets each Base Process and provides this in a warrant document to Wurldtech. There is some value in the vendor documentation, but not a lot of value in the certification if it is just paper passing. The vendor could just provide the same package of information directly to the owner/operator.
The key to the value of the certification is the auditing of the evidence, whether it be selective or full. This is envisioned, and may even be happening today, as some efforts with vendors are underway. However, it is not yet available in a published document and may not exist yet. Right now, from the view of what is published and public, it appears to be unstructured.
Based on the information available today, the WIB Security Requirements for Vendors Version 2 is a quality document that would be helpful to an owner/operator looking for guidance in placing security requirements on their vendors. The certification program is a work in progress, and any near-term results should be viewed as a private company certification, like Wurldtech’s Achilles certification, rather than as the work of an independent certification body accredited to test published standards. This could change in the future if impartial processes were documented and implemented.
FD: Digital Bond has performed work for Wurldtech in the past.