We kick off the January edition of the This Month In Control System Security podcast with a brief year in review titled “Oh Crap”, to keep it PG. Last year was an eye opener in many ways: Stuxnet, of course, but much more than just that.
Next I talk with Eric Byres, founder of Byres Security, for about ten minutes on the new version of Tofino for Honeywell safety systems. This is an interesting tool to control the control system / safety system interface. Very limited in what gets through to the safety system, basically just Modbus TCP reads. It is also a zero config device which is very attractive for the ICS space.
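To make the "only Modbus TCP reads get through" idea concrete, here is an added illustration (my own example, not Tofino's or Byres Security's code) of what a read-only Modbus/TCP allowlist at the control system / safety system boundary has to do: parse the MBAP header, check the frame is well formed, and pass only the read function codes. The choice of which codes count as "reads" (the four standard read services) and the sample frames are assumptions constructed for the example.

```python
"""Read-only Modbus/TCP allowlist filter (added illustration, not Tofino's code)."""
import struct
from dataclasses import dataclass
from typing import Tuple

MBAP_HEADER_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Function codes this filter lets through to the safety side. The set is an
# assumption for this example: "reads" taken as the four standard read services.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

# Write/control services we expect to see blocked (names per the Modbus spec).
KNOWN_WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU; raise ValueError on anything malformed."""
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[MBAP_HEADER_LEN], frame[MBAP_HEADER_LEN + 1:])


def filter_decision(frame: bytes) -> Tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for a request crossing into the safety zone."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        # Anything the parser cannot account for is dropped, not passed through.
        return "DROP", f"malformed frame: {exc}"
    if req.function in READ_ONLY_FUNCTIONS:
        return "ALLOW", f"fc=0x{req.function:02X} {READ_ONLY_FUNCTIONS[req.function]}"
    name = KNOWN_WRITE_FUNCTIONS.get(req.function, "unknown/unlisted function")
    return "DROP", f"fc=0x{req.function:02X} {name} not in read-only allowlist"


# Constructed sample frames (hex laid out as MBAP header | function code | data).
SAMPLE_FRAMES = {
    "read_holding": bytes.fromhex("0001 0000 0006 01 03 0000 000A"),   # read 10 regs at 0
    "write_single": bytes.fromhex("0002 0000 0006 01 06 0001 1234"),   # write reg 1 = 0x1234
    "write_coils":  bytes.fromhex("0003 0000 0008 01 0F 0000 0008 01 FF"),  # write 8 coils
    "bad_length":   bytes.fromhex("0004 0000 0020 01 03 0000 000A"),   # length field lies
}


def run_policy(frames=SAMPLE_FRAMES):
    """Apply the filter to every frame and return {name: (verdict, reason)}."""
    return {name: filter_decision(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (verdict, why) in run_policy().items():
        print(f"{name:13s} {verdict:5s} {why}")
```

The default-drop branch matters as much as the allowlist: a frame whose MBAP length field disagrees with its real size, or that carries a function code the policy does not know, never reaches the safety side. A production device would also track TCP state and validate the data portion of each read (register ranges, quantities), which this example leaves out.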
We finish the month with an in-depth interview with Andre Ristaino of ISA’s Security Compliance Institute and John Cusimano of Exida about ISCI’s new Embedded Device Security Assurance certification for PLCs and RTUs. It is up and running, with products being tested. It takes about 4 to 6 man-weeks and costs $25K to $60K; of course those are only ballpark numbers and could be higher or lower depending on the product complexity.
The certification consists of a communication robustness test / protocol stack testing like Achilles, functional security assessment on product security features, and a security development lifecycle assessment. The first two are rather straightforward, but the third is harder to audit consistently and has legacy product issues that we discuss in the podcast.
Note: We also invited WIB on the podcast to discuss their similar (competitive?) Process Control Domain Vendor Security Requirements and certification program, but they declined to participate. Hopefully we will get them on in a future podcast.