HIMA SECURITY STRATEGY

Today, industrial plants are more at risk than ever before. Just a few years ago it was enough for plants to be functionally safe. However, the reality of today presents new challenges for facilities: plants now have to be protected against cyber attacks.HIMA offers high quality safety products for industrial automation. As security is a prerequisite for functional safety HIMA also sets a strong focus on security in its organization, products, solutions and services. It is not feasible to foresee all use cases (and misuse) of generic products. HIMA therefore assumes that not all vulnerabilities can be detected during the secure development process. The goal is to achieve and to maintain a high level of security and robustness of HIMA products and solutions. To ensure this, it is essential to establish a lively exchange with the security community – mainly customers, integrators and end users – but also security scientists, hackers etc.

WHAT IS PSIRT?

HIMA PSIRT is a central, interdisciplinary team at HIMA Paul Hildebrandt, managing potential security vulnerabilities in HIMA products and solutions. 
The team consists of security and product specialists. HIMA is grateful for all feedback on potential flaws, weak points or vulnerabilities forwarded to our specialists. The PSIRT investigates, offers mitigating measures and workarounds and, if possible, fixes vulnerabilities in a reasonable time coordinated with the relevant functional safety implications. 
HIMA PSIRT coordinates and maintains communication with everyone involved, both in-house and externally, so that it can implement an appropriate response to any security related issues identified

Why should one report vulnerabilities? We would like to explicitly encourage everyone, not just HIMA customers, to give feedback on all HIMA products and solutions. All data and especially all personal data will be handled strictly confidential without the need of a nondisclosure-agreement. Reporting vulnerabilities enables Vendors to fix these vulnerabilities and inform customers about mitigation measures, workarounds and fixes. This approach helps HIMA to improve the robustness and reliability of HIMA products and solutions. And most important HIMA customers are enabled to manage security risks.

How can one report vulnerabilities? We beg everyone to report any security related vulnerability of HIMA product or solution. The more comprehensive, precise and detailed the information is PSIRT receives the more efficient the further steps can be executed. (please also see “Suggested Content”) HIMA offers 4 ways to contact:

  1. Standard Support support@hima.com
  2. E-mail to psirt@hima.com / Public Key
  3. Indirect via our Partner CERT@VDE: https://cert.vde.com/helper/reportvuln/
  4. Whistlerblower System (anonymous)

Preferred languages are English and German.

Who will receive the report?
HIMA ensures that the report is available to the necessary specialists to fix the described problem. And only to this HIMA employees. No external people will be able to access the report.
HIMA ensures that the reporting party's contact information is kept private unless the reporting party specifically requests that the contact information is disclosed.

What will be done with the report?
HIMA PSIRT is a central, interdisciplinary team at HIMA Paul Hildebrandt. HIMA PSIRT will review the impact and relevance of the reported vulnerability on HIMA products and solutions.  

How long will it take until HIMA will react?
The reception of a reported vulnerability will be typically confirmed within 2 workday. 

How long will it take until the issue is solved?
HIMA has the special situation that the safety and security development process with industrial requirements have to be synchronized. Typically the timeline for mitigation measures or fixes is therefore longer than in other sectors. Therefore we have to beg for patience. If whished HIMA will keep close contact with the reporting party.
Since lots of HIMA components and systems are provided as parts of critical equipment, HIMA begs the reporting party to coordinate the disclosure of information. This is to avoid the disclosure until appropriate mitigation measures, workarounds or a real fixes are available.

How does the public get informed on the result?
In the case of a Critical or High rated vulnerability a CVE will be requested and security advisories will be published on our partner platform CERT@VDE. Medium and Low criticality will be published with the next product version in the release-note.
Customers can either register for an RSS/Atom feed or can directly look for HIMA products and solutions (https://cert.vde.com/de/advisories/vendor/hima/) 
In extreme cases (e.g. functional safety is endangered) the affected customers will be contacted directly as far as possible and as soon as possible.
We will always weigh if and when we report a vulnerability (responsible disclosure). In very rare cases HIMA might also comment vulnerabilities that do not affect HIMA products and solutions.

What is in the advisory?
An advisory reflects the relevant facts and history of the vulnerability. 

Here is a guideline for valuable information (all information is voluntary)  

  • Personal contact (Name, Organization, E-mail, Telephone, Country)
  • Description of the Vulnerability (effect, how to reproduce, logfiles, pcap, CWE-ID, CVE-ID if available)
  • Name of the affected product (HIMax (CPU, COM, IO), HIMatrix, HIQuad, OPC-UA, SILworX…)
  • Software Version of the affected product
  • Serial number of the affected product
  • Additional Comments
  • Disclosure (Do you plans to disclose, or is the vulnerability already disclosed
  • Can or should we contact you?

Why should one report vulnerabilities? We would like to explicitly encourage everyone, not just HIMA customers, to give feedback on all HIMA products and solutions. All data and especially all personal data will be handled strictly confidential without the need of a nondisclosure-agreement. Reporting vulnerabilities enables Vendors to fix these vulnerabilities and inform customers about mitigation measures, workarounds and fixes. This approach helps HIMA to improve the robustness and reliability of HIMA products and solutions. And most important HIMA customers are enabled to manage security risks.

How can one report vulnerabilities? We beg everyone to report any security related vulnerability of HIMA product or solution. The more comprehensive, precise and detailed the information is PSIRT receives the more efficient the further steps can be executed. (please also see “Suggested Content”) HIMA offers 4 ways to contact:

  1. Standard Support support@hima.com
  2. E-mail to psirt@hima.com / Public Key
  3. Indirect via our Partner CERT@VDE: https://cert.vde.com/helper/reportvuln/
  4. Whistlerblower System (anonymous)

Preferred languages are English and German.

Who will receive the report?
HIMA ensures that the report is available to the necessary specialists to fix the described problem. And only to this HIMA employees. No external people will be able to access the report.
HIMA ensures that the reporting party's contact information is kept private unless the reporting party specifically requests that the contact information is disclosed.

What will be done with the report?
HIMA PSIRT is a central, interdisciplinary team at HIMA Paul Hildebrandt. HIMA PSIRT will review the impact and relevance of the reported vulnerability on HIMA products and solutions.  

How long will it take until HIMA will react?
The reception of a reported vulnerability will be typically confirmed within 2 workday. 

How long will it take until the issue is solved?
HIMA has the special situation that the safety and security development process with industrial requirements have to be synchronized. Typically the timeline for mitigation measures or fixes is therefore longer than in other sectors. Therefore we have to beg for patience. If whished HIMA will keep close contact with the reporting party.
Since lots of HIMA components and systems are provided as parts of critical equipment, HIMA begs the reporting party to coordinate the disclosure of information. This is to avoid the disclosure until appropriate mitigation measures, workarounds or a real fixes are available.

How does the public get informed on the result?
In the case of a Critical or High rated vulnerability a CVE will be requested and security advisories will be published on our partner platform CERT@VDE. Medium and Low criticality will be published with the next product version in the release-note.
Customers can either register for an RSS/Atom feed or can directly look for HIMA products and solutions (https://cert.vde.com/de/advisories/vendor/hima/) 
In extreme cases (e.g. functional safety is endangered) the affected customers will be contacted directly as far as possible and as soon as possible.
We will always weigh if and when we report a vulnerability (responsible disclosure). In very rare cases HIMA might also comment vulnerabilities that do not affect HIMA products and solutions.

What is in the advisory?
An advisory reflects the relevant facts and history of the vulnerability. 

Here is a guideline for valuable information (all information is voluntary)  

  • Personal contact (Name, Organization, E-mail, Telephone, Country)
  • Description of the Vulnerability (effect, how to reproduce, logfiles, pcap, CWE-ID, CVE-ID if available)
  • Name of the affected product (HIMax (CPU, COM, IO), HIMatrix, HIQuad, OPC-UA, SILworX…)
  • Software Version of the affected product
  • Serial number of the affected product
  • Additional Comments
  • Disclosure (Do you plans to disclose, or is the vulnerability already disclosed
  • Can or should we contact you?
BENEFITS

Rely on Cybersecurity from HIMA for Your Safety-Critical System

  • HIMA_Zertifiziert
    Standards-Compliant
    With cybersecurity solutions from HIMA you meet the requirements of IEC 62443.
  • HIMA_Physisch_getrennt
    Separate
    Security systems and process control systems are independent of each other and are therefore secure.
  • HIMA_Skalierbar
    Versatile
    The solutions can be used in a wide variety of applications.
  • HIMA_Offen
    Independent
    HIMA safety systems use their own operating system.
3 levels for reliable cybersecurity

IT security from HIMA offers protection on three levels: hardware, operating systems and networks, and engineering.

Your HIMA Contact

Cybersecurity
HIMA_Phone
+ 49 (0) 6202 709 0

The requirements imposed on IT security are in a constant state of flux. Consequently, our cybersecurity experts are on the cutting edge of developments and know precisely how cybersecurity and functional safety must interact.