2007 Articles
Top Ten SCADA Security Stories in 2007
Here is our list of the top ten stories rated by immediate and expected long term impact on the community. 1) Aurora An easy choice for number one. Even though we have had both control system and IT experts give apocalyptic quotes for years on how they could easily...
Please Stop Me
Someone please smack me in the head if I am dumb enough to wade into that tired IT vs. Control System discussion again.
Wonderware Disclosure Saga
Saga may be overstated since the process did not take that long, but it was a classic example of why we don't agree with leaving disclosure decisions up to the vendor, or the researcher. Our approach is to let a coordination center, US-CERT in this case, determine...
Using Flow Data in Anomaly Detection
Many of the large electric and oil/gas asset owners either have purchased a Security Event Manager (SEM) or use a managed security service provider (MSSP) for monitoring security on the enterprise network. Now that we have identified meta security events occurring in...
DoE Research Project Details
A few friends have pointed out we need to come up with a project name or acronym for our DoE research contract project. Suggestions would be welcome. There are three parts to this project, and all are described in more detail in the Project Narrative. Compliance...
Digital Bond Selected for Dept. of Energy Research Funding
We are thrilled to announce that Digital Bond was one of five companies selected for negotiation of awards of up to $7.9 million in DOE funding to develop and integrate technologically advanced controls and cyber-security devices into our electric grid and energy...
Faux Congressional Testimony on NERC / ERO / CIP
Representatives from NERC, Joe Weiss and a couple of other experts will be testifying tomorrow to a subcommittee of the House Committee on Homeland Security. Of course as nothing more than a researcher/consultant/humble blogger I was not asked to testify, so I'll...
Wireless Learn from Windows Lament
The 90's were filled with hope on the IT / SCADA front. Asset owners could save money by just moving to the Windows platform. Put web servers in most systems so the browser is the easy to use, universal GUI. Connect everything so information can be used throughout the...
Risk, Threat and Wireless
Wireless for control systems has been a hot topic for a few years now, and recently we have been treated to the efforts of different groups, i.e. ISA 100 and WirelessHart, to develop a standard that includes security. Which leads to the question how does the use of...
The Dangerous Silent Fix
Frustration building . . . must keep civil tone . . . another silent fix in widely used control system application passes by our doorway . . . This site has had a running series of blog entries on vulnerability disclosure including discussions on the dangers of the...
Secure By Default … No Sale
It is so disheartening. Secure By Default is a straightforward and critically important security concept. The default settings for a device or application should be secure settings so an administrator must turn off security to weaken rather than turn on security to...
Software Quality Varies in OPC Servers
The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal. 1. The latest is Landon's work to verify...
OPC Vendor Security Limitation?
There's been a delay in releasing the final paper of the three part OPC Security Whitepaper series as the paper has been going through some extensive testing. Our initial testing was with a limited amount of servers as a large amount of OPC servers exist and we've...
NERC v. ERO
Discussions with Joe Weiss and reading his recent blog entry have me thinking. While I don't agree with his assessment of the value of the current CIP standards as written, he might be on to something with potential disharmony between FERC's expectations and NERC's...
Shared SCADA WAN: Enterprise, Surveillance and VoIP
A few new fronts are emerging in the battle between physical and logical separation of SCADA WANs. When we perform assessment and architecture projects we always ask if there are any new applications or changes expected in the near future. Increasingly we hear that IP...
When More Security Is Not The Answer
We are increasingly running into situations where asset owners are cobbling together multiple security controls to do unnecessary and risky functionality they would never consider in the past. The most common example is providing the ability to manage and configure...
Is Sloppy Use of SCADA a Problem?
I'm prepping for my podcast interview with Joe Weiss on security awareness in control systems and came across one point that didn't make the cut, but is still interesting. Some people in the community get very upset when SCADA is used as a term to cover all control...
Testing RTU’s, PLC’s, IED’s etc. in Asset Owner Assessments
Assessing the security posture of an asset owner's SCADA or DCS typically does not involve looking for new, zero-day attacks. Instead, it focuses on identifying protection against known vulnerabilities, as well as good practice configuration and implementation,...
Ethernet PLC and VFD Crash / Vulnerability Causes Nuclear Plant Scram
This is a fascinating real world case study and example why protocol stack security and reliability is so important. From a NRC report dated April 17, 2007: On August 19, 2006, operators at Browns Ferry, Unit 3, manually scrammed the unit following a loss of both the...
Vivid Example for Separate Domain/Tree/Forest
Many SCADA and DCS vendors are integrating their applications with Microsoft's Active Directory. There are some benefits to this: Control system vendors no longer need to develop and maintain user management system and other directory services (typically not a core...
Rockwell Automation Cybersecurity
We just finished a series of SCADApedia entries on security in Rockwell Automation (RA) controllers and software applications. The ControlLogix PAC (powerful PLC) is a prime example of why we are fans of the simple, little IEEE P1686 standard effort. The Logix family...
Who Will Win Field Security Appliance Market?
I'm not going to pick a winner this early, but two factors will determine the winner if history is any guide. 1) The better management system: Check Point dominated the firewall market for a very long time primarily based on the ease of use and power of their firewall...
March Monthly Checkup: Patching Policy and Implementation
I was waiting for something to inspire the March Monthly Checkup topic and the OPC Server Vulnerability Notes / Patching discussions came through just in time. Here are your check-up tasks for this month: 1) Verify management accepts the risks and approves your...
CS2SAT
The Control System Cyber Security Self-Assessment Tool (CS2SAT) was presented at the PCSF Annual Meeting earlier this month. I had promised a review of this tool, and it takes place in two parts. The facts of the CS2SAT are in a SCADApedia entry and my comments on the...
Achilles Controller Certification
A lot to cover here so I'll break this into parts. Part 1 - Why Protocol Stack Testing Achilles is a black box testing platform. For those new to testing, the term black box means the tester and tools have no internal knowledge of the device being tested. Achilles...
PCSF – Day Two
Update: Day two details have been added. Today is Solutions Day with four tracks. Nate Kube and I are presenting the Achilles Controller Certification from 10 - noon. LOGIIC First up for me is the Project LOGIIC presentation. I am lying in wait for Q & A when I...
PCSF – Day One
We are off and running . . . I’d estimate about 150 attendees (officially 200 registrants) and a quick poll showed about 75% are first time PCSF attendees. Nice to see so many fresh faces and asset owners. This PCSF event is taking a different approach in focusing on...
Achilles Controller Certification
Digital Bond is a small, I like to say boutique, SCADA security research and consulting practice. We try to focus on projects that will have a significant and near term positive impact on the SCADA security community. I believe we have a pretty good track record with...
You Can’t Tell The Players Without A Scorecard
There has been a fair amount of movement in some of the big names in SCADA security over the last year. To summarize: The latest is Joe Weiss leaving Kema and joining Applied Control Solutions, LLC. A friend pointed this out on the PCSF agenda. I call Joe the Paul...
February Monthly Check: Perimeter Security Review
No Enterprise Network / Control System Firewall Hopefully, you have implemented a firewall capability at the enterprise network / control system perimeter. Consultants use words like best practice, good practice, and recommended practice. There is another term...
Microsoft Says No Special Manufacturing OS
Last week the Microsoft Manufacturing User Group (MsMUG) held a three day event with about 150 people in attendance. I was unable to attend because of S4, but I did get some highlights from Jim Bauhs of Cargill. There was a rumor in the community that Microsoft might...
S4 – Day Two in Review
The day kicked off with two complementary OPC Exposed Presentations. Session 7 - OPC Exposed, Part I by Lluis Mora of Neutralbit Lluis's paper looked at OPC server implementation vulnerabilities. He detailed some of the 24 test cases he ran against 75 different OPC...
S4 – Day One in Review
The blog has been very quiet because we have been fully occupied with Digital Bond's SCADA Security Scientific Symposium (S4). Liveblogging didn't work well because I was communicating with the Virtual Attendees, handling Q&A, and sitting right next to the...
US-CERT Discloses Sisco ICCP Stack Vulnerability
It is interesting watching the system work from the researcher perspective and see the responses and time line. This was one of the first vulnerabilities that we processed through our vulnerability disclosure policy. Matt identified this in late February and it went...
Tainted Powerpoint the Culprit in Recent Utility Hack
Brian Krebs at the Washington Post's Security Fix has more detail on a recent utility hack and some grim predictions for 2007 Microsoft Office. The cyber attack last month against a U.S.-based public utility came wrapped in a Microsoft PowerPoint document featuring...
Why SCADA Implementation Vulnerabilities Are More Important Than Lack Of Security Controls In SCADA Protocols
When we get on our soapbox and stress the importance of identifying and fixing what we believe are widespread implementation vulnerabilities in SCADA devices and applications we frequently hear "everyone knows the SCADA protocols have no security so what is the point...
FERC Comments on NERC CIP Standards
For those coming in late: 9/11 and multiple worms increase cyber security concern for the electric grid; NERC representing bulk electric systems decides cyber security standards are required; August 2003 NERC issues temporary Urgent Action Cyber Security Standard 1200...
OPC Exposed Part II
In an earlier post I gave a preview of Ralph Langner's paper and DoS tool for OPC implementations. We have a second brilliant OPC paper at S4 from Lluis Mora of Neutralbit in Barcelona, Spain. Lluis's paper focuses on implementation vulnerabilities in OPC...