ISASecure Means More Security

Wednesday, August 29, 2012 @ 05:08 PM gHale

Editor’s Note: This is an updated version of a column first published June 14, 2011. This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
Two more Honeywell products, the Experion C300 DCS controller and the Experion fieldbus interface module (FIM), have joined the Honeywell Safety Manager in achieving ISASecure Level 1 certification.

Obtaining ISASecure Level I certification is significantly more difficult than passing a Communications Robustness Test (CRT) like Achilles Level I (or II or III). ISASecure certification is based on a security validation process that is an order of magnitude more rigorous. It indicates a far higher level of security in the product and its intended use.


For ICS and SCADA equipment end users, understanding the difference is important. It may mean the difference between buying a product riddled with vulnerabilities and buying a product designed to be secure.

In a CRT, the device under test is sent a variety of malformed network messages to see if it can correctly handle possible bad traffic an attacker might throw at it. If it ignores the bad messages, it passes the CRT. If it crashes or acts in an unpredictable manner, it fails the CRT.

This is a useful test because industrial controllers cannot survive even the simplest malformed message. For example, one of the 2011 Siemens S7-1200 vulnerabilities was the result of the PLC’s embedded web server crashing when it gets a bad packet. This in turn causes the PLC’s CPU to fault, resulting in a Denial of Service (DoS) attack from a single message.

Unfortunately, a robustness test won’t find security problems like the hard-coded SQL passwords that figured so prominently in Stuxnet. Nor will it discover bad design practices, such as embedding passwords in the products (issues faced by RuggedCom a few months ago) or sending them across the network in clear text (a problem with many PLCs). And it certainly isn’t going to tell you if the control product’s engineering team used secure coding practices when they wrote the software.

Even where robustness testing has potential, it can miss problems because the test suite has no cases for a specific protocol. For example, Achilles Level I would not have detected the Siemens S7-1200 web server bug, because it does not send malformed HTTP messages in its tests. So while useful, passing a robustness test is a very small part of good ICS/SCADA security.

This is where the ISASecure program comes in. It starts with a CRT assessment phase similar to Achilles Level I (it actually uses the Achilles tool), but then it adds two more assessment phases:
• Functional Security Assessment (FSA)
• Software Development Security Assessment (SDSA)

These assessments are where real progress in ICS and SCADA security will be found, because they consider the underlying design, development practices and vendor recommended deployment of the product, rather than just whether it stands up to some bad traffic.

The tests can determine if the product allows the user to correctly manage passwords (FSA-AC-2.1.1) or whether the development team has created and managed a Threat Model (requirement SDSA-SRA-3) during the design process. Tests like this are likely to uncover a large range of security issues, or even better, ensure that companies follow processes that stop vulnerabilities from being created in the first place.
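As an added illustration of the distinction drawn above between a Communications Robustness Test and a Functional Security Assessment (constructed example code, not Honeywell's, the Achilles tool's or the ISASecure program's own test material): a toy controller interface survives a CRT-style stream of malformed HTTP requests without faulting, yet fails a password-management check of the kind FSA-AC-2.1.1 describes, because its factory password cannot be changed. ToyController, malformed_requests, crt_passes and fsa_password_management_passes are invented names, and the hard-coded password is a constructed value.

```python
import random

class ToyController:
    """Constructed stand-in for a controller's embedded web interface (not a real product)."""
    FACTORY_PASSWORD = "admin"  # baked into firmware: a design flaw no CRT can observe
    password = FACTORY_PASSWORD

    def handle_request(self, raw: bytes) -> int:
        """Return an HTTP status; must never raise, whatever bytes arrive."""
        try:
            method, path, version = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        except (ValueError, UnicodeDecodeError):
            return 400  # malformed request line is rejected, not fatal
        if method not in ("GET", "POST") or not version.startswith("HTTP/1."):
            return 400
        return 200 if path == "/" else 404

    def change_password(self, old: str, new: str) -> bool:
        return False  # no user-managed credentials: the factory password is permanent

def malformed_requests(seed: int, count: int) -> list:
    """CRT-style cases: a valid request mutated by truncation, byte flips and bloat."""
    rng = random.Random(seed)
    base = b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"
    cases = []
    for _ in range(count):
        data = bytearray(base)
        op = rng.choice(("truncate", "flip", "bloat"))
        if op == "truncate":
            del data[rng.randrange(len(data)):]
        elif op == "flip":
            data[rng.randrange(len(data))] = rng.randrange(256)
        else:
            data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4096)))
        cases.append(bytes(data))
    return cases

def crt_passes(ctrl: ToyController, cases) -> bool:
    """Robustness test: every malformed message yields a status code, never an exception."""
    try:
        return all(isinstance(ctrl.handle_request(c), int) for c in cases)
    except Exception:
        return False

def fsa_password_management_passes(ctrl: ToyController) -> bool:
    """FSA-style check: can the user replace the factory password with their own?"""
    return ctrl.change_password(ctrl.FACTORY_PASSWORD, "new-secret") and ctrl.password != ctrl.FACTORY_PASSWORD
```

Running `crt_passes(ToyController(), malformed_requests(1, 500))` returns True while `fsa_password_management_passes(ToyController())` returns False, which is the gap the column describes: the device is robust against bad traffic but ships with a credential nobody can manage.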

Don’t get me wrong – ISASecure certification is no guarantee of perfect product security, any more than having a medical certificate guarantees a doctor is top notch. But Achilles Level I CRT is like being admitted to med school – important, but only one step on the way.

ISASecure certification is like the credential that confirms the doctor has passed all the med school exams, survived the hands-on trials of residency and is now approved to practice medicine. Frankly I would prefer to trust my life to the latter, even if the former might be cheaper. The same applies to control systems.

Digital Bond’s Dale Peterson makes some good points in his comments on the limitations of ISASecure Level I. He’s right that it is a “positive trait,” not a guarantee of a product’s security. However, I am glad to see that we are now at the point of talking about more education and better communication of ISASecure’s various levels, rather than where we were before, with no independent auditing of a device’s security capabilities.

If we want secure control systems, end users need to start demanding any system they purchase is ISASecure certified. To accept less is to continue to accept flawed systems that hackers will attack with ease.

Eric Byres is chief technology officer at Tofino Security. The full version of this column is available on the Practical SCADA Security blog.
