I was first encouraged and then disappointed to read the press release announcing Honeywell’s Experion C300 Controller had achieved Achilles Level 1 Certification.
I was pleased to see another vendor stepping up to get their controller protocol stack tested. Controller protocol stack crashes are still a serious problem, with many falling over under simple fuzz testing or even legitimate but unexpected packets. It is hard to tell when critical mass will be reached and this type of testing, by Wurldtech, Mu or someone else, becomes a requirement.
Disappointment set in after digging into the certification page and seeing, at its very bottom, the following note: “Tested with Honeywell’s CF9 Firewall. The CF9’s hardware version is CC-PCF901 and its firmware version is AA.”
Kudos to Wurldtech for including this note, and this does provide an asset owner with a solution to harden a vulnerable protocol stack. Isn’t that the logical assumption if certification required a firewall to block most of the testing packets from reaching the controller?
Rotten tomatoes to Wurldtech for not including a mention of the firewall anywhere in the press release. Is Honeywell allowed to say that the C300 is Achilles certified? Hopefully not. They should be required to say the C300 with the CF9 firewall is Achilles certified. Certification bodies need to be precise and guard against false or even just misleading claims of certification.
Full Disclosure: Wurldtech is a Digital Bond client, and I was personally involved in helping define the Achilles Level 1 Certification.