PLC Security

Back in June, Honeywell’s Safety Manager was the first product to achieve ISASecure’s Embedded Device Security Assurance (EDSA) certification. It was certified to meet Level 1, the basic level. Level 1 is a significant accomplishment that most PLCs and other controllers would not meet.

Yesterday Exida announced the RTP 3000 SIS controller achieved ISASecure EDSA Level 2 certification. Nice job ISASecure, Exida and RTP.

We covered the three components of the EDSA certification in an earlier podcast. Here are some examples of the additional rigor required in Level 2 that is not required for Level 1 certification.

Functional Security Assessment Requirements

  • Role Based Access Control
  • Least Privilege Default Access
  • Local and Remote Session Locking Timeouts
  • Protection against packet insertion, replay, out-of-sequence, …

Software Development Security Assurance Requirements

  • Configuration Management System Evidence
  • Interface Descriptions
  • Complete Data Security Policy (what roles can access what data and perform what functions)
  • Code review with completed security checklists as defined for medium level
  • Justification of all code running as Local System or Administrator

Communications Robustness Testing Requirements

There did not appear to be any additional robustness testing for Level 2.

It’s great to be able to write about some positive news in the ICS security world.

ISASecure still is in stealth mode regarding the certification. There have been no press releases since February of this year. No announcement of the Honeywell or RTP certifications. No page on the website with a list of all the EDSA certified products. I can’t imagine any reason why ISASecure or the certified vendors would not want publicity.