Digital Bond is a small, I like to say boutique, SCADA security research and consulting practice. We try to focus on projects that will have a significant and near-term positive impact on the SCADA security community. I believe we have a pretty good track record with our SCADA IDS signatures, Nessus plugins, S4 and vulnerability disclosure, and a few others on the way to proving their merit, such as the SCADA Honeynet. Of course, we do not bat 1000, as seen in our PCSRF Protection Profiles, which were complete and interesting but low impact, or our SCADA data dictionary, which has only been used by Project LOGIIC to date.
Next week at PCSF we will help launch another project that we believe will have a huge positive impact: Achilles Controller Certification. You probably have heard about Achilles over the years from briefings by Eric Byres. The research effort has matured into a rigorous test product with quantifiable coverage in the 3rd generation now offered by Wurldtech. Numerous controllers have been “Achilles tested”. This has meant different things at different times and was primarily aimed at providing the vendor with information to fix product security flaws.
Achilles Certification consists of well-defined, repeatable test suites containing literally millions of test cases in a structured process that evaluates the security and robustness of a controller’s network stack. At PCSF the test suites and procedures for the various initial certifications will be revealed as well as the timetable for certified controllers. Hint: Achilles Certified Controllers are months not years away.
I’m sure there are a lot of questions about this Certification. Those of you attending the PCSF in Atlanta next week should attend the Wednesday, March 7 Achilles presentation from 10AM – noon. I will blog in some detail on the structure and timetable of the certification next week as well as provide some thoughts on where this certification fits in with all of the other ongoing standards efforts in various groups.
Digital Bond’s role in this project is to provide third-party insight on key issues such as the structure and test case families for the certification levels, determining how and what certification information should be presented to the public, evaluating what additional certifications are required, and increasing awareness and adoption of the certification. We do not perform the certification testing, nor do we see any results except those made available to the general public.
This is a project we can enthusiastically adopt because we believe product security certification, especially for difficult-to-evaluate items like network stacks, will meet our goal of a huge positive security impact. However, just to be clear and provide full disclosure, Digital Bond is being paid for this work. We will put the disclaimer “Wurldtech is a Digital Bond Partner” on all Achilles Certification posts.