Security unconscious?


Sep 12, 2005

AT THE HONEYWELL User Group (HUG) in June, Peter Zornio announced that Honeywell’s new controller series had passed the BCIT (British Columbia Institute of Technology) cybersecurity testing, saying that it had been the only one with a passing grade. “The C300 and Control Firewall is the most secure control device combination that BCIT has tested to date. It is the only system that we were unable to disable in some manner,” Zornio said, quoting Eric Byres of BCIT.

Several other manufacturers protested, but Byres confirmed it in an email to Control’s Walt Boyes. “Honeywell (and you in turn) had me quoted correctly,” he said. “Honeywell and I had quite a few quotes going back and forth prior to the HUG and I forgot I even said this one.” 

“So far we have tested five controllers for three companies and have another three in the hopper for the fall,” he continued. “The tests uncovered nine critical vulnerabilities, 42 warning notices, and seven informational notices,” Byres said.

“In addition,” he continued, “two of these vulnerabilities hard-faulted the application logic running in the CPU.” [That would seem to mean the controller froze–ed.]

Byres says he can't disclose the names of the companies, or model numbers of the controllers, but we know that the Honeywell controllers he tested passed. So, ask your vendor if their controller passed the BCIT security analysis and, if not, ask why not.

Byres presented on the results (minus the names) at the InfraGard conference in Washington, D.C., in mid-August, and will give us more details on the results.