Wurldtech Delphi Program - Frequently Asked Questions (FAQ)
These are answers to some of the common questions and concerns that potential participants may have about the Delphi program. For additional questions, please contact the Delphi Program Director.
1. What is the Delphi Program?
The Delphi program is a comprehensive effort led by Wurldtech Labs to test numerous devices found in currently deployed control systems for security vulnerabilities. It is the largest study of its kind to date.
The program will leverage the industry leading Achilles platform and also technologies from participating partners to provide an unparalleled view into the types, trends, severities, and potential impacts of cyber threats to currently deployed control systems.
The resulting data will be extremely valuable in establishing a business case for improved ICS security, conducting risk analyses, determining threat trends, and in analyzing and recommending security measures that accurately mitigate classes of threats.
2. What do I have to contribute in order to participate?
The detailed requirements for participation in the Delphi program are as follows:
- Loan of 2 control devices, with programming/engineering software, representative of those used in your control operations, for a 2-month duration. Examples include PLCs, RTUs, SIS and DCS controllers
- Appropriate documentation (user manuals, specification documents, etc.) for the control devices and programming software
- A technical advisor as a point of contact that will advise the program’s security research team on all technical matters such as typical device configuration and operation, typical network traffic and loads, etc. The advisor should also be the recipient of information on any specific vulnerabilities that are found for your devices. It is estimated that this person will be required for about 4-6 hours for consultation
- A program sponsor who will act as the corporate representative for the program on non-technical matters, including contracts, press releases etc.
We have publicly announced the program, and are presently scheduling delivery and testing of devices on a first come, first served basis. The testing phase of the program is expected to occur over a 4-month timeframe, and the program is expected to be complete mid-Q4 2008.
3. What are the benefits of the Delphi program?
Comprehensive Assessment of Cyber Security Vulnerabilities Present in Common Critical Assets
ICS are becoming increasingly integrated with enterprise, R&D, and engineering domains. ICS are also increasingly being connected to other equipment and software, and are migrating from proprietary to open systems. The end result is a high degree of complexity, increased operational costs, limited visibility and reliance on inappropriate data to make critical security decisions.
The Delphi program is the largest scale study to date, based on a broad cross section of devices, and will provide an unprecedented level of insight into the network robustness of a collective portfolio of control assets.
Proven Cost-Effective Risk Mitigation Strategies
The rapid increase in incidents of network intrusion by more intelligent hackers and malicious software has led to an urgent re-prioritization of the need to develop mitigation strategies in response to these threats.
The Delphi program will provide specific methods for increasing security robustness by recommending and demonstrating risk mitigation strategies associated with all security vulnerabilities discovered.
Quantitative Modeling of ROI
The program results will form the basis for modeling the ROI on security strategies, providing a quantitative measure on the costs associated with reducing the risk to a given level determined by the participant.
4. What is the benefit for my participation as a vendor?
The primary benefits for vendors are:
- The detailed information from Achilles testing on the network vulnerabilities present in your two submitted devices. This can be used to provide detailed risk mitigation strategies to your customers, as well as assist you in the development of next generation devices.
- Relative security ratings of your two submitted devices. This will allow you to observe your devices’ network resiliency in comparison to the other devices tested. The information is sanitized so direct comparisons are not possible.
5. You’ve identified vulnerabilities in my devices. As a vendor, how do I work with Wurldtech to create mitigation strategies for my customers?
The Delphi program will help provide risk mitigation strategies for vulnerabilities found in the devices you have submitted. A follow-on program, Achilles Inside, will focus on providing specific remedies (in the form of IPS signatures, firewall rules, and switch configurations for specific equipment) for identified vulnerabilities. This will provide vendors with the prescriptive information to mitigate these vulnerabilities (permanently, or while a patch is being created).
6. What is the benefit for my participation as a standards body / government organization?
Most agree that there is not enough real threat data to support security decisions in industrial automation and control installations. This has led to an inconsistent approach to risk analysis, allowing those affected to come to nearly any conclusion that they want, including doing nothing at all.
This initiative will provide a key tool for industry players to understand the real cyber risk to their environment, and more importantly what to do about it. By providing a uniform taxonomy for characterizing device vulnerabilities that is geared to industrial automation operations, and a database for tracking these vulnerabilities, a common ground is established for reasoning about the consequences of security vulnerabilities, and methods to mitigate against risks.
7. I’m concerned about the disclosure of information that I provide to Wurldtech. You seem to have a huge conflict of interest between discovering vulnerabilities and then publicizing them in order to further your business. Are you documenting and publishing vulnerability information?
Absolutely not. While we will record vulnerability information as it is detected, this database will remain confidential and protected with the same level of security and privacy for which we are well known among our customers. The information stored will be in the form of taxonomies and classes of vulnerabilities that will provide actionable insight about what needs to be protected and the measures required to protect it. Any derived information published through studies will be distributed to responsible parties, and will strictly conform to Wurldtech policy on Responsible Disclosure.
Again, as is Wurldtech’s position on all detected vulnerabilities, information to fix is the value, not information to exploit. We are not in the business of creating problems just to fix them. We are in the business of generating/supplying actionable information.
8. What use are you going to make of the vulnerabilities that you find?
The Delphi program will provide participants with an unprecedented level of insight into the robustness of their collective control systems and precise knowledge of how to increase it, with all findings grounded in demonstrable fact. The results will be stored in the Delphi vulnerability database. This database extends Wurldtech’s internal Delphi taxonomy and data model to further classify security threats according to the likelihood of occurrence on an operational network. We expect the resulting data to be extremely valuable in conducting risk analysis, determining threat trends, and in analyzing and recommending security measures that accurately mitigate classes of threats. This is consistent with Wurldtech’s mission to quantitatively increase the security and robustness of industrial automation systems.
9. What is the Delphi vulnerability database useful for?
The Delphi vulnerability database is useful for anyone requiring visibility into, and up-to-date information on, the robustness of active automation systems. Specifically, the database is designed to provide high value to:
- Those who are responsible for assessing risk and mitigating threats to their operations and require a justifiable ROI to do so
- Those who are responsible for providing greater robustness in their products
Since the Delphi database is continuously updated, the value of this information will continue to grow over time.
10. What happens if two or more asset owners want to send in the same PLC?
The chance of this happening is very small, due to the large numbers of different legacy devices (with different firmware / hardware revs) in operation across the automation space. However, as we plan to test as many different devices as possible for the program, we will inform asset owners if the same device is specified by 2 or more asset owners. And your best bet for minimizing the likelihood of this happening is to sign up early. Devices will be tested on a first come, first served basis, so if you are first in the queue with the device, you will be the recipient of the specific test results.
11. Isn’t this handled by the US or multi-national CERT organizations?
No… these organizations have limited tracking thus far on industrial automation vulnerabilities, and it is not a key focus for them. Additionally, they provide vulnerability and patch information, whereas Delphi goes into a much deeper level of understanding and information than simple vulnerabilities. Our premise is that large classes of vulnerabilities in controls can be mitigated with specific technical measures that can be implemented in technologies currently available, and it is these classes and measures that we target.
12. Do I still need Achilles Satellite or Certification?
Delphi does not replace the value offered by these other Wurldtech products and services. The Achilles Satellite platform is a product geared primarily to assist vendor QA and Development Labs in developing new products that are robust. Likewise, Achilles Certification is a program targeted toward new control systems, and gives asset owners the assurance that the devices they choose will meet a specified level of security robustness. Delphi is specifically targeted toward identification of severity of vulnerabilities, and remedies that are effective at mitigating the risk of occurrences.
13. What are the differences between the Achilles Delphi Program, and Achilles Certification?
Achilles Certification is a program of specific tests with pass-fail criteria, which sets a standard bar for device security. The Achilles Delphi program is focused on finding as many vulnerabilities as possible within a fixed period of time, using finite resources.
14. If the Delphi tests show my device exhibits no vulnerabilities, can I use this to get my device Achilles Certified with this program?
No. At best, Delphi test results may uncover vulnerabilities that will need to be remedied before the device will pass Achilles Certification. Failing to uncover significant vulnerabilities in Delphi testing does not, however, guarantee that a device will pass Achilles Certification.
15. What are the differences between the Achilles Delphi Program, and Achilles Health Check service?
There are similar testing methods applied in the Achilles Health Check service, but Delphi provides much more information for many more devices. Health Check is meant as a basic building block in risk assessments or cyber security evaluations, to provide key early information and feedback. Delphi testing requires extensive amounts of time (up to two months). Health Checks only require a few hours per device.
16. Why are you putting efforts into defining your own taxonomy, rather than contributing to a definition through a standards body like ISA-99?
Standards bodies like ISA-99 play a critical role in defining standards for the Industrial Control systems industry. The most useful standards are those that are developed based on experience with the problems they are intended to address. There is a dearth of information about the nature and trends of security vulnerabilities across a broad range of legacy devices installed in existing operations. Wurldtech intends to contribute significantly to these standards by sharing experience gained in the Delphi program through testing a broad range of legacy devices for security vulnerabilities.
17. Why test individual devices to see if they are secure? Isn’t this inconsistent with recommendations that the vendor, the government, or ISA provide to customers?
Testing devices for security vulnerabilities provides information that enhances the industry’s ability to assess risk and provide cost effective remedies to mitigate against security vulnerabilities. This information is consistent with and supplements the current recommendations provided by vendors, government organizations, and standards bodies.
18. How do you intend to measure risk when you don’t know my business?
The Delphi program is not intended to produce quantitative measures of risk to operations. However, in order to determine a quantitative measure of risk you need to know the nature and types of security vulnerabilities for the devices that comprise your current operation. The Delphi program, by security testing a broad range of legacy and active devices, will provide quantitative data to accurately determine risk, and determine the costs associated with remediation to an acceptable level of risk.
19. How long are you going to be using my equipment, and when can I expect it back?
Wurldtech will be testing equipment in the order received, but it is expected that testing will be completed within 2 months of receipt of equipment. We will be scheduling receipt of equipment to keep within this time window; so prompt signup is advised in order to reduce the backlog of testing that may otherwise result.
20. Can I remain completely anonymous?
Wurldtech encourages participants to allow their participation to be published in press releases and other information to promote the program. It is expected that this will be of benefit to both parties. Information about the nature and types of devices that each participant provides will not be made publicly available. This is consistent with Wurldtech’s policy on Responsible Disclosure.