The initial focus of the Achilles industrial cyber security certification was on the robustness of major industrial embedded controllers, such as distributed control systems (DCSs), safety instrumented systems and other SCADA field devices (PLCs, RTUs and IEDs). These legacy control systems had a poor track record of failing when subjected to unexpected traffic, and they were not well positioned to cope with the ever-increasing volume and complexity of network traffic that comes with greater connectivity. Moreover, as the overall threat landscape evolved and targeted attacks from malware and viruses increased, these systems represented a major source of risk for end users.
However, although testing network stack robustness was extremely important, and the first area that needed to be addressed, it was only one small piece of the overall risk profile of industrial networks. Other products, such as industrial connectivity drivers, control application software and other network components, were also major areas of vulnerability, and an issue with any one component could jeopardize the integrity and continuous operation of an industrial process. To address this gap, Wurldtech expanded the Achilles Communications Certification program to include new categories of products such as control applications, host-based devices and network components. These categories are based on the emerging ANSI/ISA SP99 cyber security standard.
Today, the Achilles Communications Certification program has become the de facto international standard against which the security and robustness of industrial systems are measured, and it now boasts over 25 certified systems ranging from major industrial controllers and their HMIs to smart meters and communication gateways. Further, the Achilles Certified™ benchmark has been globally accepted by end users and is now mandated by many of the world’s largest operators for critical infrastructure systems.
Certification Benefits For Equipment Manufacturers
Ensuring your industrial process automation, control and safety systems are Achilles Certified™ will:
- Help sales associates better address security concerns in new project opportunities or RFPs with standardized responses and marketing materials.
- Help generate more revenue by differentiating your products from those of your competitors in the marketplace.
- Lower your risk of being excluded from new project opportunities by customers who are insisting on Achilles Certified™ equipment.
- Reduce the cost and complexity of integrating future cyber security testing standards and regulations.
Benefits For End Users
Insisting on Achilles Certified™ industrial process automation, control and safety systems will:
- Help you better communicate cyber security expectations to vendors with a globally-recognized benchmark which can be applied to all suppliers.
- Simplify the procurement process for plant operators by providing a common, organization-wide benchmark for all new system purchases.
- Reduce the cost associated with comparing claims of system “security” from vendor sales associates.
- Help ensure your systems and networks meet current and emerging international cyber security standards (e.g. ISA SP99) and government regulations (e.g. NERC CIP).
A Real World Example
In 2009, the Wurldtech security assessment team conducted a statistical analysis of our proprietary vulnerability database, called Delphi, in order to measure the quantifiable reduction in risk found in the industrial systems that had been certified when compared to those that had not. Unfortunately, traditional vulnerability scoring systems, such as Carnegie Mellon University’s CVSS model, were based on enterprise IT frameworks and were not appropriate for the industrial space, where process functionality and operational integrity are a higher priority than items such as data protection. Therefore, our team had to redesign the model and come up with our own version of CVSS that better addresses the unique requirements of industrial systems. The output of the model for each system is called a resilience profile and is based on a system's ability to maintain operational integrity against the full suite of Achilles robustness tests. Below is a sample data set entry for one identified vulnerability:
| Device | Test Case | Monitors Impacted | Recovery Time | Rank |
| --- | --- | --- | --- | --- |
| SIS PLC | ARP Cache Saturation Storm | Discrete, ICMP | Requires Restart | PLoV + PLoC |
A total of 25 devices were tested and categorized by the industry segment in which they were most widely deployed, and their pre-certification resilience profiles were created. The testing results are outlined below:
The pre-certification testing resulted in approximately 470 zero-day vulnerabilities, meaning that 470 unique vulnerabilities were identified that caused either a temporary/permanent loss of view and/or a temporary/permanent loss of control, obviously an unacceptable level of risk for any system deployed in real-time industrial networks. The same devices were then analyzed after each had passed Achilles Level 1 certification, and a comparison was drawn based on the number of vulnerabilities that were mitigated by the vendors during the process. The results were quite astounding, with a 75% reduction in identified vulnerabilities. This represents an extremely compelling business case for certification and visually demonstrates why vendors should be testing and certifying their systems before deploying them live, and why end users should be insisting on certified products.
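To make the resilience-profile idea concrete, here is an added example (not Wurldtech's Delphi model or any code from the page) that ranks robustness-test outcomes into the temporary/permanent loss-of-view and loss-of-control categories the text describes, builds a per-device profile from them, and computes the vulnerability reduction between a pre- and post-certification run. The monitor classes, the "restart means permanent" rule and all sample results are assumptions constructed for illustration; the one row mirrored from the page's table is the ARP cache saturation entry.

```python
"""Rank robustness-test outcomes and compare pre/post-certification profiles.

Added example; the category rules below are assumptions, not Wurldtech's
actual Delphi / resilience-profile scoring model.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed (hypothetical) monitor classes: which Achilles-style monitors
# indicate loss of operator view versus loss of process control.
VIEW_MONITORS = frozenset({"ICMP", "HMI"})
CONTROL_MONITORS = frozenset({"Discrete", "Analog"})


@dataclass(frozen=True)
class TestResult:
    device: str
    test_case: str
    monitors_impacted: frozenset
    recovery: str  # "None", "Self-recovered", or "Requires Restart"


def rank(result: TestResult) -> str:
    """Map one test result onto TLoV/PLoV and TLoC/PLoC labels.

    Assumed rule: a failure that needs a restart is permanent (P*), one that
    self-recovers is temporary (T*); view vs control is decided by which
    monitor class tripped. A result that impacted nothing is a pass.
    """
    if result.recovery == "None":
        return "Pass"
    permanent = result.recovery == "Requires Restart"
    labels = []
    if result.monitors_impacted & VIEW_MONITORS:
        labels.append("PLoV" if permanent else "TLoV")
    if result.monitors_impacted & CONTROL_MONITORS:
        labels.append("PLoC" if permanent else "TLoC")
    return " + ".join(labels) if labels else "Pass"


def resilience_profile(results) -> dict:
    """Count vulnerabilities (non-passing test cases) per device."""
    profile = Counter()
    for r in results:
        if rank(r) != "Pass":
            profile[r.device] += 1
    return dict(profile)


def vulnerability_reduction(pre, post) -> float:
    """Fraction of pre-certification findings no longer present post-certification."""
    before = sum(resilience_profile(pre).values())
    after = sum(resilience_profile(post).values())
    if before == 0:
        return 0.0
    return (before - after) / before


# Constructed sample data: the first row mirrors the page's table entry, the
# rest are invented to give the profile something to aggregate.
PRE = [
    TestResult("SIS PLC", "ARP Cache Saturation Storm",
               frozenset({"Discrete", "ICMP"}), "Requires Restart"),
    TestResult("SIS PLC", "TCP SYN Storm", frozenset({"ICMP"}), "Self-recovered"),
    TestResult("SIS PLC", "IP Fragment Storm", frozenset({"Discrete"}), "Self-recovered"),
    TestResult("Gateway", "UDP Storm", frozenset({"ICMP"}), "Requires Restart"),
]
# After (constructed) vendor mitigations only one temporary finding remains.
POST = [
    TestResult("SIS PLC", "ARP Cache Saturation Storm", frozenset(), "None"),
    TestResult("SIS PLC", "TCP SYN Storm", frozenset({"ICMP"}), "Self-recovered"),
    TestResult("SIS PLC", "IP Fragment Storm", frozenset(), "None"),
    TestResult("Gateway", "UDP Storm", frozenset(), "None"),
]

if __name__ == "__main__":
    for r in PRE:
        print(f"{r.device:8} {r.test_case:28} {rank(r)}")
    print("pre :", resilience_profile(PRE))
    print("post:", resilience_profile(POST))
    print(f"reduction: {vulnerability_reduction(PRE, POST):.0%}")
```

The point of separating `rank` from `resilience_profile` is that the same raw monitor observations can be re-scored if the classification rules change, without re-running the traffic tests; the reduction figure then falls out of the two profiles rather than being tallied by hand.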