From Eric Byres at BCIT: “so far we have tested five controllers for three companies and have another three in the hopper for the fall. The tests uncovered:
9 critical vulnerabilities;
42 warning notices;
7 informational notices.
Two of these vulnerabilities hard-faulted the application logic running in the CPU.”
Eric says he can’t disclose the names of the companies, or model numbers of the controllers (but we know that the Honeywell controllers he tested passed). So ask your vendor if their controller passed the BCIT security analysis, and if not, why not.
Byres says he is presenting on the results (minus the names) at the InfraGuard conference in Washington DC in mid-August, and will give us more details on the results.
What do you think about this? I’d like to hear from you.