How Successful Is Your Standard?
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Thomas Burke, longtime President of the OPC Foundation, had the best answer to this question in a podcast interview with Walker Reynolds.
Success is measured by the level of adoption. That's the key, when you go do anything with industry standards they've got to be worth more than the paper they're printed on.
Tom and the OPC Foundation succeeded wildly by this measure with OPC DA, aka OPC Classic. Almost every product over the past two decades has an OPC Classic interface. OPC became the universal translator between disparate ICS for a huge percentage of asset owners. Massive adoption.
OPC UA is a behemoth set of standards documents. Thousands of pages covering a wide range of capabilities. It's huge compared to OPC Classic. How successful is OPC UA? Walker Reynolds said,
I spent over $100,000 on, we basically itemized the entire specification ... and then we went out and tried to find products for each function in the complete UA specification ... only about 20% of the OPC specification, the full UA specification, has been adopted.
To be fair, that 20% that is implemented is looking like it will be highly successful, and the 80% is looking like it won't be successful by the adoption measure. Rather than pushing for adoption of that 80%, the OPC Foundation is adding even more capabilities.
How do ICS security standards rate on this adoption-as-success measure?
The NERC CIP standards would rate high based on adoption. This isn't really fair since it's a regulation. Adoption is mandatory for bulk electric systems meeting threshold criteria, and many utilities tried to keep their systems below that threshold.
IEC 62443 looks a lot more like OPC UA. 62443 has numerous long standards and technical reports ... and adoption for most of it is small.
OPC UA and 62443 aren't an apples-to-apples comparison. Short of the ISASecure certifications for specific parts of the standard, it is hard to determine if 62443 is adopted. Being mentioned as a guiding principle isn't adoption.
Perhaps the percentage of a sector that is ISASecure certified is the best measure of adoption. ISASecure currently has posted certified vendors to three standards (listed in order of adoption).
IEC 62443-4-1 Certified Development Organizations (does your SDL meet the standard)
These are vendor certifications. ISASecure is working on an asset owner Site Assessment Program that would test adoption of parts of four different 62443 standards. This will be a tough sell unless there is some clear value such as being accepted as evidence of meeting a regulatory requirement or playing some role in insurance underwriting.
If you agree with Tom Burke that adoption is the measure of success for a standard, then OPC UA, 62443 and any other standards group should prioritize activities that will grow adoption over further extending the standard family.
Chief Software Architect at Sparhawk Software
3 months
The metric of how many products implement 100% of the specification is extremely misleading. For example, with OPC Classic many features were never implemented by most products yet you just said it was 'wildly successful'. This metric was invented by people with a desire to undermine OPC UA and is not helpful to people interested in understanding how much the standard is actually used. What matters is how many people are providing and/or using OPC UA. Whether they are using it as a better OPC DA or whether they are using the full set of information models, they are still using OPC UA and, more importantly, still implementing the OPC UA security model. OPC UA was the first OT standard to provide an implementable security model that makes it possible for OT users to deploy real zero trust solutions. OPC UA does this by defining requirements which are focused on security configuration and management instead of leaving such questions as a problem for each OT user to figure out. Solutions using these security features are provided by vendors Rockwell Automation, Siemens, Beckhoff, Honeywell and many others.