Editor's Note: This is an updated version of an article first published on the Tofino Security Blog on June 14, 2011.

Honeywell and the ISA Security Compliance Institute last week announced that two more Honeywell products, the Experion® C300 DCS controller and the Experion fieldbus interface module (FIM), have joined the Honeywell Safety Manager in achieving the pioneering ISASecure Level 1 certification. Following this announcement, Dale Peterson questioned the value of some aspects of ISASecure certification.

Here is why I believe, as I did in June 2011, that ISASecure certification is valuable.

ISASecure Level I is a Better Level of Security

Obtaining ISASecure Level I certification is significantly more difficult than passing a Communications Robustness Test (CRT) like Achilles Level I (or II or III). ISASecure certification is based on a security validation process that is an order of magnitude more rigorous. It indicates a far higher level of security in both the product and its intended use.

For ICS and SCADA equipment end users, understanding the difference is important. It may mean the difference between buying a product riddled with vulnerabilities and buying a product that was designed to be secure.


Mount Sharp on Mars, as captured by the Curiosity rover on Aug 23, 2012. A difficult but successful engineering challenge. Source: NASA/JPL-Caltech/MSSS

The Limitations of Communications Robustness Tests (CRT)

In a CRT, the device under test is sent a large volume of malformed network messages to see whether it can correctly handle the kind of bad traffic an attacker might throw at it. If it discards the bad messages and keeps operating normally, still answering valid traffic, it passes the CRT. If it crashes, hangs or behaves unpredictably, it fails.

Now this is a useful test, because many industrial controllers cannot survive even the simplest malformed message. For example, one of the 2011 Siemens S7-1200 vulnerabilities was the result of the PLC's embedded web server crashing when it received a malformed packet. The crash in turn caused the PLC's CPU to fault, so a single message was enough to cause a Denial of Service (DoS).

Unfortunately, a robustness test won’t find security problems like the hard-coded SQL passwords that figured so prominently in Stuxnet. Nor will it discover bad design practices, such as embedding passwords in the products (issues faced by RuggedCom a few months ago) or sending them across the network in clear text (a problem with many PLCs). And it certainly isn’t going to tell you if the control product’s engineering team used secure coding practices when they wrote the software.

Even where robustness testing has potential, it can miss problems because the test suite has no cases for a protocol the device actually speaks. For example, Achilles Level I would not have detected the Siemens S7-1200 web server bug, because its tests do not send malformed HTTP messages. So while useful, passing a robustness test is only a very small part of good ICS/SCADA security.
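To make the mechanics of a CRT, and the coverage gap just described, concrete, here is an added example. It is not code from the article, from Achilles or from ISASecure: a toy harness that sends hand-picked malformed messages to a constructed in-process device and checks after each one that a known-good message is still answered exactly as a fresh device would answer it. The device is constructed for illustration only. Its Modbus/TCP-like handler validates every field, while its HTTP handler has a deliberate parsing defect that faults the simulated CPU, mirroring the failure class described above. The same device passes a suite that covers only Modbus; adding HTTP probes exposes the fault. The protocol names, probe sets and device here are constructed, not taken from any real product.

```python
import struct
from typing import Callable, Optional


class DeviceFault(Exception):
    """The simulated CPU has faulted and no longer answers any traffic."""


class ToyDevice:
    """Constructed device under test (not a real controller) with two services.
    The Modbus/TCP-like handler checks every field before using it. The HTTP
    handler carries a constructed defect: it parses the request line without
    checking its shape, so one malformed request faults the whole 'CPU'."""

    def __init__(self) -> None:
        self.faulted = False
        self.registers = list(range(16))

    def handle(self, proto: str, data: bytes) -> bytes:
        if self.faulted:
            raise DeviceFault("CPU in fault state")
        try:
            if proto == "modbus":
                return self._modbus(data)
            if proto == "http":
                return self._http(data)
            return b""
        except (ValueError, IndexError, struct.error):
            self.faulted = True   # an unhandled error in any service stops the controller
            raise DeviceFault(f"unhandled exception in {proto} handler") from None

    def _modbus(self, data: bytes) -> bytes:
        # MBAP header (7 bytes) + function code (1) + start address (2) + count (2)
        if len(data) != 12:
            return b"\x83\x03"    # graceful reject: illegal data value
        _tx, proto_id, _len, _unit, fc, addr, count = struct.unpack(">HHHBBHH", data)
        if proto_id != 0 or fc != 3 or count == 0 or addr + count > len(self.registers):
            return b"\x83\x02"    # exception response: illegal data address
        payload = b"".join(struct.pack(">H", r) for r in self.registers[addr:addr + count])
        return bytes([3, count * 2]) + payload

    def _http(self, data: bytes) -> bytes:
        request_line = data.split(b"\r\n", 1)[0]
        method, _path, version = request_line.split(b" ")   # ValueError unless exactly 3 tokens
        if method != b"GET" or not version.startswith(b"HTTP/"):
            return b"HTTP/1.1 400 Bad Request\r\n\r\n"
        body = b"registers=" + b",".join(str(r).encode() for r in self.registers)
        return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)


# Known-good messages; the device must still answer these after every probe.
HEARTBEATS = {
    "modbus": struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 1),   # read holding register 0
    "http": b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",
}

# Hand-picked malformed messages (constructed); a real CRT tool generates thousands per protocol.
MODBUS_PROBES = [
    b"",                                                # empty frame
    b"\x00\x01\x00\x00",                                # truncated header
    b"\xff" * 12,                                       # every field out of range
    struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0xFFFF, 1),  # start address past the table
    b"\x00" * 1500,                                     # oversized frame
]
HTTP_PROBES = [
    b"\r\n\r\n",                                        # empty request line
    b"GET /\r\n\r\n",                                   # missing protocol version
    b"\xff" * 200,                                      # no request line at all
]

MODBUS_ONLY_SUITE = {"modbus": MODBUS_PROBES}
FULL_SUITE = {"modbus": MODBUS_PROBES, "http": HTTP_PROBES}


def run_crt(make_device: Callable[[], ToyDevice], suite: dict, heartbeats: dict) -> dict:
    """One CRT pass. Returns, per protocol, the first probe after which the heartbeat
    was no longer answered normally (None = survived every probe). A fresh device per
    protocol stands in for the power-cycle between test groups."""
    verdicts: dict[str, Optional[bytes]] = {}
    for proto, probes in suite.items():          # protocols absent from the suite are never exercised
        device = make_device()
        expected = make_device().handle(proto, heartbeats[proto])
        verdicts[proto] = None
        for probe in probes:
            try:
                device.handle(proto, probe)
                reply = device.handle(proto, heartbeats[proto])
            except DeviceFault:
                reply = b""
            if reply != expected:
                verdicts[proto] = probe
                break
    return verdicts


def suite_passes(verdicts: dict) -> bool:
    return all(probe is None for probe in verdicts.values())


if __name__ == "__main__":
    for name, suite in (("modbus-only", MODBUS_ONLY_SUITE), ("modbus+http", FULL_SUITE)):
        verdicts = run_crt(ToyDevice, suite, HEARTBEATS)
        print(f"{name} suite: {'PASS' if suite_passes(verdicts) else 'FAIL'}")
        for proto, probe in verdicts.items():
            verdict = "survived" if probe is None else f"faulted on {probe!r}"
            print(f"  {proto}: {verdict}")
```

The verdict is decided by the heartbeat, not by the probe: a device that silently swallows garbage and keeps answering good traffic passes, which is exactly what a CRT measures, and nothing here inspects passwords, credential storage or development process.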

Why ISASecure is Better than a CRT Test

This is where the ISASecure program comes in. It starts with a CRT assessment phase similar to Achilles Level I (it actually uses the Achilles tool), but then it adds two more assessment phases:

Functional Security Assessment (FSA)
Software Development Security Assessment (SDSA)

These assessments are where real progress in ICS and SCADA security will be found, because they consider the underlying design, development practices and vendor recommended deployment of the product, rather than just whether it stands up to some bad traffic.

For example, the tests determine if the product allows the user to correctly manage passwords (FSA-AC-2.1.1) or whether the development team has created and managed a Threat Model (requirement SDSA-SRA-3) during the design process. Tests like this are likely to uncover a large range of security issues, or even better, ensure that companies follow processes that stop vulnerabilities from being created in the first place.


Bill Goble of exida, the company that conducted the certification testing, presents Erik de Groot of Honeywell Process Solutions with the first ISASecure Certificate. Source: Honeywell Process Solutions

ISASecure is the Standard to Demand from Control System Vendors

Don’t get me wrong – ISASecure certification is no guarantee of perfect product security, any more than having a medical certificate guarantees a doctor is top notch. But Achilles Level I CRT is like being admitted to med school – important, but only one step on the way.

ISASecure certification is like the credential that confirms the doctor has passed all the med school exams, survived the hands-on trials of residency and is now approved to practice medicine. Frankly I would prefer to trust my life to the latter, even if the former might be cheaper. The same applies to control systems.

Now Dale Peterson makes some good points in his comments on the limitations of ISASecure Level I. He's right that it is a "positive trait", not a guarantee of a product's security. However, I am glad that we are now at the point of talking about more education and better communication of ISASecure's various levels, rather than where we were before, with no independent auditing of a device's security capabilities at all.

If we want secure control systems, end users need to start demanding that any system they purchase is ISASecure certified. To accept less is to continue to accept flawed systems that hackers will attack with ease.