Mu Security Cranks Up the MUSIC
Certification program for process operations security revealed at Knoxville event

Aug 31, 2007

Mu Security, a pioneer in the security analyzer market, has announced new Mu Security Industrial Control (MUSIC) certification programs. MUSIC certification enables process operations to verify a diverse range of network equipment and application protocols to meet industry-defined best practices for security, robustness and resiliency testing. Certification benchmarking ensures that plant and product safety is not compromised by hidden implementation flaws in industrial control systems.

Mu is offering MUSIC Foundation- and Advanced-level certifications based upon the specified protocol coverage of the product under review. Both certification levels are validated by Mu Security or select authorized partners. The certification was demonstrated and presented August 13-16 at the ACS - Cyber Security Conference in Knoxville, Tenn.

The MUSIC program leverages the Mu-4000 Security Analyzer appliance and its integrated intelligent fuzzing engine and remediation documentation suite. MUSIC certification adds proven security analysis to product developers’ existing quality and safety assurance process to provide an important alternative to current, more labor-intensive certification efforts. Process control customers using Mu-4000 on-site today include oil refineries, large manufacturing sites, nuclear power plants, chemical processing sites and other high-risk management facilities, such as gas pipelines and electric power distribution plants.

MUSIC certification offers two levels to meet the unique infrastructure and application needs of both users and their diverse product suppliers. The Foundation-level certification details network infrastructure protocol analysis: ARP, DHCP, IEEE 802.1p/Q, IP, TCP, TFTP and UDP. Advanced-level certification focuses on application protocol analysis for DNP3, FTP, HTTP, LLDP, MMS, MODBUS/TCP, SNMP and Telnet. Digitally signed test reports for products under analysis are generated automatically by the Mu-4000 appliance and are professionally verified by an authorized partner or Mu Security Labs. Product vendors are then awarded Foundation- or Advanced-level certification, provided no relevant implementation flaws are uncovered during test and analysis.

To ensure the most comprehensive product analysis, more than 50 protocols are available in the Mu-4000 system to identify security vulnerabilities and robustness/resiliency issues resulting from protocol implementation flaws. The Mu-4000 system also provides a continuously expanding suite of published vulnerabilities for validating signature-based security systems, as well as the integrated capability of driving any existing command-line scripts for automated compliance or product acceptance testing.

“MUSIC certification is an essential benchmark process that applies metrics to all the worst-case scenarios of invalid protocol state, structure and semantics for all control system and networked security devices such as firewalls, gateways and IPS,” said Kishore Seshadri, VP Product Management at Mu Security. “The underlying protocols that carry Internet traffic are validated by the MUSIC Foundation-level certification program. Our MUSIC Advanced-level certification process tests the resiliency of application protocols often used at process control and critical infrastructure sites.”

All certification program testing can be conducted using internal on-site staff or by Mu-authorized partners. Testing results are then verified by authorized partner labs or by Mu Security. All MUSIC program options provide an open transition to industrial control systems’ security specifications currently under development by federal and industry groups, including ISA Security Compliance Institute (ISCI) and ISA SP99 groups.

Both ISCI and ISA SP99 are addressing the safety, security and robustness of systems that, if compromised, could result in compromised safety, loss of public confidence, violation of regulatory requirements, loss of proprietary or confidential information, potentially substantial economic loss or threats to national security.

Adam Stein, Mu’s vice president of marketing said that most of Mu’s work is based on open standards and that Mu would conform to the canons of the standards-making process for ISA SP99.

 “Security is a not a specific product, it’s an ongoing process,” adds Kevin Staggs, engineering fellow and global security architect at Honeywell Process Solutions. “Mu Security is helping the industry by creating a repeatable and metrics-based process that maps to current standard tracks including the ISA SP99 draft standard.”

 An podcast interview with Kevin Staggs is available in the Process Automation Media Network Library on www.controlglobal.com. Click here to watch it.