Yokogawa has established the basic policy and measures criteria for the security control of products. By implementing them in product development processes, Yokogawa is striving to eliminate vulnerabilities from products and improve security. We define a system lifecycle to be the entire period from product development to system introduction and operation.
Customer Challenges
Plant and control systems are targeted by malicious cyber-attackers.
- Malicious attackers are starting to focus on plant and control systems.
- Cyber-attacks on control systems are increasing.
- Customers want to introduce more secure control system products.
Our Solutions
Yokogawa provides secure control system products.
- Yokogawa provides secure control system products that allow customers to operate their plants without undue concern, by introducing a secure development lifecycle, obtaining security certifications, and more.
Customer Benefits
Customers can build a more secure control system by using our secure control system products.
- A defense-in-depth strategy makes control system products more secure.
- As a result, customers can build a more secure control system.
Enabling Technology
Effects of providing secure control system products
- Introduce the Secure Development Lifecycle (SDLC).
- Obtain various security certifications.
- Built-in security
- By working with security software vendors, Yokogawa provides security software for its system products.
- Product Security Incident Response Team (PSIRT)
- Yokogawa Security Advisory Report (YSAR)
Details
Secure Development Life Cycle (SDLC)
The SDLC is Yokogawa’s process for developing secure system products in accordance with IEC 62443-4-1. Its purpose is to develop products that do not contain vulnerabilities. The SDLC consists of six phases. We develop secure products by minimizing vulnerabilities in the outputs of each phase and identifying vulnerabilities early in the development phase.
Yokogawa has obtained various security certifications.
- ISASecure Certification
- Wurldtech Achilles Communications Certification
ISASecure® Certification
To assure customers of the high reliability of its products, Yokogawa obtained ISASecure certificates.
ISASecure SDLA certification
The ISASecure SDLA is a security certification program for Control System Development Process. This certification was granted based on an examination that ascertained the organization is in compliance with the ISA/IEC 62443-4-1 standard and certain other requirements.
Name of development process | Organization | Certificate (Standard) | Date |
---|---|---|---|
Secure Development Life Cycle (SDLC) | Yokogawa Engineering Asia Pte. Ltd 5 Bedok South Road, Singapore | ISASecure SDLA Version 3.0.0 (ISA/IEC 62443-4-1:2018) | March 31, 2021 |
Secure Development Life Cycle (SDLC) | Yokogawa Electric Corporation Musashino, Tokyo Japan | ISASecure SDLA Version 3.0.0 (ISA/IEC 62443-4-1:2018) | Dec 20, 2022 |
ISASecure CSA Certification and EDSA certification
ISASecure CSA and EDSA are security certification programs for components. The ISASecure CSA certification program was launched in August 2019, replacing the ISASecure EDSA certification program. It complies with the International Electrotechnical Commission’s IEC 62443-4-2 and IEC 62443-4-1 international standards for security in control devices.
Type | Model | Version | Certificate | Date |
---|---|---|---|---|
DCS Controller | CENTUM VP | R6.09 | | 2022-1-7 |
DCS Controller | CENTUM VP | R6.01.00 | EDSA 2010.1 Level 1 | 2015-08-07 |
DCS Controller | CENTUM VP | R5.03.00 | EDSA 2010.1 Level 1 | 2014-07-14 |
Safety Control System | ProSafe-RS Lite | R4.06 | CSA 1.0.0 Level 1 | 2021-07-05 |
Safety Control System | ProSafe-RS | R4.05.00 | CSA 1.0.0 Level 1 | 2021-05-13 |
Safety Control System | ProSafe-RS | R4.01.00 | EDSA 2010.1 Level 1 | 2016-07-26 |
Safety Control System | ProSafe-RS | R3.02.10 | EDSA 2010.1 Level 1 | 2013-12-24 |
Wurldtech Achilles Communications Certification
To assure customers of the high reliability of its products, Yokogawa obtained the Achilles Communications Certification, which is a security certificate for embedded devices found in critical infrastructure; it ensures end-point security of controllers.
The Achilles Communications Certification is a security certificate for embedded devices found in critical infrastructure.
The Achilles Communications Certification ensures the end-point security of the controllers.
Product | Certification | Date |
---|---|---|
CENTUM VP Controller AFV10D | Achilles Level 1 Certification | March 2012 |
ProSafe-RS Safety Controller SSC60D | Achilles Level 1 Certification | March 2011 |
CENTUM CS 3000 Controller AFV10D | Achilles Level 1 Certification | February 2007 |
CENTUM CS 3000 Vnet Router AVR10D | Achilles Level 1 Certification | February 2007 |
ProSafe-RS Safety Controller SSC50D | Achilles Level 1 Certification | February 2007 |
Stardom FCJ Controller NFJT100 | Achilles Level 1 Certification | February 2007 |
Security of Vnet/IP
The Vnet/IP used in Yokogawa’s production control systems and safety instrumented systems is a control network based on Ethernet technology.
- Authentication: Countermeasure against spoofing and falsification
Vnet/IP uses a key exchange method that ensures secure continuous communication even during periodic key updating processes.
In Vnet/IP, IP addresses are assigned to all ports of the controllers constituting a redundant system, and key exchanges are constantly performed with each port independently, making it possible to restart communication immediately after switchover of the controller or communication channel.
- Discarding packets: Countermeasure against DoS attack on the controller
The controller is equipped with two CPUs: one for control and the other for communication, so that the load on the communication layer does not affect the control processing. Unnecessary packets are discarded at the lower levels of the communication layer to reduce the load. If one of the duplexed channels receives more packets than a predetermined amount, communication through that channel is stopped for a certain time and is continued through another channel instead.
IT Security Tool
The Windows OS has various functions, but those not used for control system products can be disabled to block vulnerabilities in those functions. In addition, the proper setting of OS security functions can harden the system without affecting system operation. It is possible to set them on the tools provided by the OS without using a dedicated tool. However, the required items are wide-ranging and the procedure is often complicated, easily causing setting errors.
Yokogawa’s IT security tool provides automatic security setting of the OS, thus reducing setting errors and other human errors and eliminating vulnerabilities caused by these errors.
Yokogawa is an OEM alliance partner of McAfee.
The combination of McAfee and Yokogawa provides security software for Yokogawa’s control system products.
This security software works exceedingly well with Yokogawa’s Endpoint Security Service.
Standard Antivirus Software for Endpoint Security
Standard Antivirus Software for Endpoint Security (the Standard AV Software) uses the antivirus method for Yokogawa's control system products.
When combined with Yokogawa's Endpoint Security Service, the Standard AV Software has the following features in addition to the functions of general antivirus software.
- Optimized configuration
Yokogawa provides an optimized configuration of the Standard AV Software in combination with Yokogawa’s system product software.
- Confirmation of Stable Operating Conditions of Yokogawa’s IA Control System
The HMIs and servers of IA control systems require real-time response and stable throughput for operator manipulations or data acquisition requests from supervisory systems. However, antivirus software may influence the performance of PCs and servers due to their characteristics.
In addition, newly released virus definition files may cause normal software to be falsely detected as malware (false-positive) and such false-positives may affect the operation of the control system.
So, Yokogawa confirms the Standard AV Software and newly released virus definition files and engine in combination with its control system products to ensure that no false-positive occurs, and also verifies the operation of its control system products.
Standard Whitelisting Software for Endpoint Security
Standard Whitelisting Software for Endpoint Security (Standard WL Software) adopts malware inactivation measures for Yokogawa’s control system products.
The Standard WL Software has the following features in addition to the functions of general whitelisting software when combined with Yokogawa’s Endpoint Security Service.
- Optimized configuration
Yokogawa provides an optimized configuration of the Standard WL Software in combination with Yokogawa’s system product software.
Yokogawa Product Security Incident Response Team (PSIRT)
Yokogawa PSIRT provides Yokogawa Product Vulnerability Support.
As a focal point, Yokogawa PSIRT leads and manages vulnerability information of Yokogawa’s products together with Yokogawa’s internal and external organizations.
- Publishing security vulnerability reports
Yokogawa PSIRT publishes security vulnerability reports of Yokogawa’s products through security advisories, which contain affected products, measures and relevant information.
- Obtaining information on suspected security vulnerabilities
Yokogawa PSIRT obtains information on suspected security vulnerabilities from vulnerability information reporters such as security researchers and customers.
Resources
YSAR-16-0001: Vnet/IP network switches reveal administrator password in SNMP community string
YSAR-15-0003: Vulnerability of communication functions in CENTUM and other Yokogawa products
YSAR-15-0002: SNMPv3 authentication bypass vulnerability in Vnet/IP network switch
YSAR-15-0001: Buffer overflow vulnerability in YOKOGAWA HART Device DTM
YSAR-14-0005E: SSLv3 protocol vulnerability of decrypting the encrypted data in YOKOGAWA products
YSAR-14-0004E: XML External Entity (XXE) processing Vulnerability in FAST/TOOLS
YSAR-14-0003E: Arbitrary File Read/Write Vulnerability in CENTUM series and Exaopc
YSAR-14-0001E: Vulnerabilities in CENTUM and other Yokogawa products
YSAR-16-0002: Arbitrary command execution vulnerability in STARDOM