Achilles at Achillion Palace, Corfu (photo © 2006 Elizabeth Ellis)
Wurldtech issued a press release yesterday announcing Sensus, a company that offers AMI solutions, had achieved the Achilles Practice Certification (APC). The APC is an Achilles certification based on the WIB Security Requirements for Vendors that covers the security development lifecycle.

The fact that a smart grid vendor has had its security development lifecycle assessed by a qualified third party, Wurldtech, is clearly a good thing. There is likely a detailed report discussing the important categories that were assessed and the results, which prospective customers considering Sensus can now take into account in their purchase. It would be a good thing if Digital Bond, Industrial Defender, Lofty Perch, Byres … did such an assessment and provided such a report.

The outstanding question is what the ‘certification’ means. It is based on the WIB Security Requirements for Vendors document. We reviewed Version 1 of this document, which was very much like a first draft, the greatly improved second draft, and a spreadsheet from WIB that gave some details on how requirements would be tested. It didn’t appear that the program was ready for certification testing, and I have been hearing that the WIB documents have been undergoing substantial, and positive, revisions.

The press release itself clouds the issue of what the APC means:

Sensus is the first Advanced Metering Infrastructure (AMI) company to achieve overall cyber security certification after an eight-month collaborative effort with industrial testing and certification firm, Wurldtech Security Technologies. Sensus has achieved the Wurldtech Achilles Practices Certification (APC), a security best practices benchmark, in addition to the Achilles Communication Certification previously awarded for the Sensus FlexNet™ AMI communications system. The Wurldtech Achilles Certifications are based on standards set by the International Instrumentation Users Association (WIB).

Nowhere does it mention that the APC is recognized by WIB. We couldn’t find anything on the WIB site about the Sensus certification or APC, although Wurldtech is listed as a certification body in the requirements document, which we previously pointed out was very odd. Nate Kube of Wurldtech confirmed to me via email that this is a WIB certification recognized by WIB, but clarity from WIB is needed. After all, WIB should be proud that the first certification to their spec has been issued if that is the case.

The other troubling part of that paragraph is, “after an eight-month collaborative effort with industrial testing and certification firm”. Do we want our certification firms in a collaborative effort with the vendors they are certifying? This could just be an issue with a poor choice of wording, but it has a consulting/audit/Enron feel to it.

If the APC is a Wurldtech certification based on a WIB document, then it is a vendor arbitrarily creating a certification. Loyal blog readers will remember that we were involved in helping Wurldtech design the Achilles Certification that covered robustness testing of protocol stacks. In fact, it had a bigger challenge than APC in some ways because it did not have a document like the one WIB provided to base the testing on. However, the Achilles certification was based on a set of technical tests that could be run consistently, unlike an evaluation of an SDL, which requires some judgement. That is another reason why the word ‘collaborative’ is concerning. If you read the past post on the certification process, a large number of the evidence requirements were “Vendor senior manager warrant certifying …”.

Again, just to be clear, this APC certificate Sensus received is a good thing for potential Sensus customers, especially if they can see the report. The question is what the APC means beyond a qualified security vendor working with an ICS vendor on their SDL.

One of the mantras of the WIB presentations is the need for speed. The community can’t afford to wait years for standards to be developed and effective. They have a point and have accomplished a lot in a short time, but the need for speed does not equate to a need for secrecy about the documents, requirements, certification process, …

So here is my call, or challenge, to WIB, Wurldtech, Shell and others involved in the standard. If there are certifications completed and underway, then the documents defining the certification process and the certification criteria for each requirement must be done. There is no need to keep them hidden anymore; publish the documents. Also, make it clear who the WIB certification bodies are and what requirements WIB places on the certification bodies for the testing. Address the potential conflict of interest of a certification testing company also helping build a vendor’s security program. Finally, make it clear whether Sensus is deemed to be certified by WIB to the Security Requirements for Vendors.

PS – I still would like to have a WIB rep on the podcast to discuss the document and these questions.