Wurldtech Certifies Schneider To Certify Schneider

Tortoise (image by Peter Pearson)Wurldtech recently certified Schneider Electric as a Communication Certifier.  It took me a bit to wade through what this really means.  Schneider is now authorized to run the Wurldtech Achilles device against Schneider’s own systems, and give their own devices a pass/fail based on the results.

It seems a conflict of interest to have the vendors certifying their own products.  I’m going to be quite skeptical of Schneider-blessed Achilles certification on Schneider equipment, if only because Schneider has all the motivation in the world to sweep bugs under the rug.  Siemens, too, as they were also certified a few months ago as a Communication Certifier.

While it may sound far-fetched at first, it could happen.  Vendors like Schneider and Siemens haven’t been entirely honest on security in the past.  This is why I think that Wurldtech ought to only certify independent labs to perform the certification, even if the certification is simply plugging in a few wires and pushing a button.

It is worth mentioning that Communication Certification is pretty lame, in my opinion.  I mentioned this at the Smart Grid Security Working Group some months ago.  Communication Certification is just basic fuzzing, and not particularly thorough at that.  It makes no attempt to demonstrate unauthenticated administrative-level privileges, nor to analyze normal comms.  Proprietary protocols, even quasi-proprietary protocols such as the Modbus “Unity” protocol used by Schneider, won’t get a thorough shake from Achilles.  So long as the PLC under test keeps its sine-wave output going during test, the device passes.  The chances of a Modbus/TCP fuzzer hitting FC90, and filling in the session identifier, and initiating the ladder logic file transfer correctly, is as close to zero as makes no odds.  Those are the conditions that would be required to fail the Modicon/Unity Ethernet controller, and I doubt Schneider will go so far as to add that test to the Achilles system.

If all the minimum number of changes needed to certify all of the Basecamp systems were made, the results would actually look pretty much like they are now.  Schneider, GE, and Allen-Bradley would still have rogue ladder logic upload and gaping backdoors.  Since the ladder logic upload and backdoors are so much easier to exploit in a meaningful way than a buffer or integer overflow uncovered during fuzzing, I would consider all three hypothetically patched/Achilles certified devices to be in the same shape that they are now.  Koyo fixed their device a bit better and is pretty OK at this point, and SEL didn’t have much trouble to begin with.

I’d much rather see someone focus on Common Criteria protection profiles for automation devices.  While CC is far from perfect, it provides a more transparent evaluation process — and products are evaluated by an independent lab.  Achilles certification is for now a marketing tool, not a real metric of security or even reliability.

Image by Peter Pearson

3 comments to Wurldtech Certifies Schneider To Certify Schneider

  • Sihoko

    With the arrival of ISAsecure EDSA certification I would think Achilles certification becomes something of the past. EDSA certification requires a bigger effort and enforces changes in the development process, the scope for Achilles certification is much smaller.

  • Ok, I’ll byte.

    Security self certification tools are very helpful and perhaps any vendor not using good tools might be behind in their SDL.

    Self-cert tools help developers build more secure products. Readiness for independent 3rd party verification is a bonus.

    Certification programs lacking self certification tools really have little hope in keeping up with software development cycles.

    And to your point, security tools themselves must continue to improve.

  • Joe Gotam

    How is this different than a vendor performing its own product safety tests according to UL guidelines? Without an industry-standard, credible certification body for cyber-security, it seems that self-certification is better than no certification.

Leave a Reply