ISA announced yesterday that the Honeywell Process Solution’s Experion DCS controller and Experion Field Integration Module (FIM) have achieved ISASecure Embedded Device Security Assurance certification. This is good news that the ISASecure certification is getting some traction, and that embedded devices are being tested by independent third parties.
Here’s the problem. A reasonable person would expect that an ISASecure certified embedded device would have basic security functionality — and he would be wrong!
ISASecure has three levels of certification, and the Honeywell devices were certified to Level 1, a fact that is left out of the press release but is noted on the ISASecure certified products page. The Functional Security Assessment part of the ISASecure certification does not require any data integrity measures (FSA-D1), with one exception, until Level 2. So an owner/operator buying an ISASecure certified device will still be in a situation where anyone with logical access to the PLC/RTU/controller can stop or modify the process.
The one exception is for loading firmware. FSA-DI-2.1.1 Disable Unused Ports makes special note that the port used for firmware updates must be capable of being disabled if there is not access control on this port. Nice note to address the Boreas vulnerability, but it doesn’t appear to stop rogue ladder logic upload allowed to be unprotected in the point-to-point communication. And it certainly does not require any protection for write, stop, reboot or any other process affecting commands.
A owner/operator purchasing a ISASecure Level 1 Certified PLC is still in the situation that network access allows control of the process because the PLC is insecure by design.
The main benefit of buying a device with the ISASecure Embedded Device Security Assurance Level 1 certification is the communication robustness testing of the protocol stack. ISASecure has worked with Wurldtech and integrated a set of Achilles tests that the PLC/RTU/controller is required to survive to achieve Level 1. Given the sorry state of many PLC protocol stacks this is a worthwhile testing and certification, and owner/operators should consider Level 1 certification as a positive trait.
ISASecure Level 1 Certification essentially protects an embedded device from spurious data on the network. This could be a network scan by IT, a new device on the network or a new application. It does not protect an embedded device from an attacker who has gained logical access to the device.
Recommendations for clarity from ISASecure:
- Include the certification level in all materials
- Require all vendor mentions of the ISASecure certification to include the certification level
- Develop marketing materials that highlight the differences between the certification levels
- Have a paragraph that goes in any press release related to the type of assurance the certification level provides
- Move the educational effort on ISASecure forward to focus on the different certification levels
There is a third leg to the ISASecure Embedded Device Security Assurance certification, in addition to Functional Security and Communication Robustness. All products must pass the Software Development Security Assessment. The Software Development Security requirements for Level 1 are more rigorous than the Functional Security requirements. However there is also a lot more room for judgement on the pass/fail of these items, and it’s unclear how each requirement is evaluated. For example, there are a number of requirements for a threat model that could be met with a trivial effort or taken seriously.