A major difference in ICS vendors’ security strategies is how much effort they put into security throughout the product lifecycle, or their Security Development Lifecycle (SDL). Put another way, how secure is their own code from the common programming mistakes that lead to exploitable vulnerabilities?
Microsoft popularized the SDL after having security issues with worms early in the previous decade. Some vendors have heavily leveraged Microsoft’s and others’ experience to integrate threat modeling, security requirements, fuzz testing, third-party assessments and a variety of other security development procedures into the product development process.
Others have done very little to add security into the development process.
We have had a very good window on this with our work on the Bandolier Security Audit Files. We have worked with many companies’ lead engineers and security experts as part of the Bandolier development process. Look at the list of vendors with Bandolier Security Audit Files, including ABB, AREVA, Emerson, Matrikon, OSIsoft, SISCO, SNC, Telvent, Toshiba, … with more in process. NDAs and courtesy prevent us from calling out the good (and some are doing great things) from the bad, but this is an important area for owner/operators to pursue with vendors and potential vendors.
So you should be asking your vendors about their development process. What are the elements in their security development lifecycle? Can you see their threat models? Fuzz testing and other security QA testing results? How is security integrated into the requirements? What are their secure coding standards? How are their engineers trained on those standards, and how do they ensure those standards are met?
You do not need to be a security expert or even review these documents in great detail. A couple of hours of interview and inspection is plenty. It is often as simple as asking: can the vendor show you the SDL and its results from a project? That is an easy answer and an easy item to provide if there was an SDL and it was followed. If it is not, there is a lot of hemming and hawing and a struggle to create documentation after the fact.