Wurldtech recently certified Schneider Electric as a Communication Certifier. It took me a bit to wade through what this really means. Schneider is now authorized to run the Wurldtech Achilles device against Schneider’s own systems, and give their own devices a pass/fail based on the results.
It seems a conflict of interest to have the vendors certifying their own products. I’m going to be quite skeptical of Schneider-blessed Achilles certification on Schneider equipment, if only because Schneider has all the motivation in the world to sweep bugs under the rug. Siemens, too, as they were also certified a few months ago as a Communication Certifier.
While it may sound far-fetched at first, it could happen. Vendors like Schneider and Siemens haven’t been entirely honest on security in the past. This is why I think that Wurldtech ought to only certify independent labs to perform the certification, even if the certification is simply plugging in a few wires and pushing a button.
It is worth mentioning that Communication Certification is pretty lame, in my opinion. I mentioned this at the Smart Grid Security Working Group some months ago. Communication Certification is just basic fuzzing, and not particularly thorough at that. It makes no attempt to demonstrate unauthenticated administrative-level privileges, nor to analyze normal comms. Proprietary protocols, even quasi-proprietary protocols such as the Modbus “Unity” protocol used by Schneider, won’t get a thorough shake from Achilles. So long as the PLC under test keeps its sine-wave output going during test, the device passes. The chances of a Modbus/TCP fuzzer hitting FC90, and filling in the session identifier, and initiating the ladder logic file transfer correctly, is as close to zero as makes no odds. Those are the conditions that would be required to fail the Modicon/Unity Ethernet controller, and I doubt Schneider will go so far as to add that test to the Achilles system.
If all the minimum number of changes needed to certify all of the Basecamp systems were made, the results would actually look pretty much like they are now. Schneider, GE, and Allen-Bradley would still have rogue ladder logic upload and gaping backdoors. Since the ladder logic upload and backdoors are so much easier to exploit in a meaningful way than a buffer or integer overflow uncovered during fuzzing, I would consider all three hypothetically patched/Achilles certified devices to be in the same shape that they are now. Koyo fixed their device a bit better and is pretty OK at this point, and SEL didn’t have much trouble to begin with.
I’d much rather see someone focus on Common Criteria protection profiles for automation devices. While CC is far from perfect, it provides a more transparent evaluation process — and products are evaluated by an independent lab. Achilles certification is for now a marketing tool, not a real metric of security or even reliability.
Image by Peter Pearson