2007 Articles

Top Ten SCADA Security Stories in 2007

Here is our list of the top ten stories rated by immediate and expected long term impact on the community. 1) Aurora An easy choice for number one. Even though we have had both control system and IT experts give apocalyptic quotes for years on how they could easily...

read more

Please Stop Me

Someone please smack me in the head if I am dumb enough to wade into that tired IT vs. Control System discussion again.

read more

Wonderware Disclosure Saga

Saga may be overstated since the process did not take that long, but it was a classic example of why we don't agree with leaving disclosure decisions up to the vendor - - or the researcher. Our approach is to let a coordination center, US-CERT in this case, determine...

read more

Using Flow Data in Anomaly Detection

Many of the large electric and oil/gas asset owners either have purchased a Security Event Manager (SEM) or use a managed security service provider (MSSP) for monitoring security on the enterprise network. Now that we have identified meta security events occurring in...

read more

DoE Research Project Details

A few friends have pointed out we need to come up with a project name or acronym for our DoE research contract project. Suggestions would be welcome. There are three parts to this project, and all are described in more detail in the Project Narrative. Compliance...

read more

Digital Bond Selected for Dept. of Energy Research Funding

We are thrilled to announce that Digital Bond was one of five companies selected for negotiation of awards of up to $7.9 million in DOE funding to develop and integrate technologically advanced controls and cyber-security devices into our electric grid and energy...

read more

Faux Congressional Testimony on NERC / ERO / CIP

Representatives from NERC, Joe Weiss and a couple of other experts will be testifying tomorrow to a subcommittee of the House Committee on Homeland Security. Of course as nothing more than a researcher/consultant/humble blogger I was not asked to testify, so I'll...

read more

Wireless Learn from Windows Lament

The 90's were filled with hope on the IT / SCADA front. Asset owners could save money by just moving to the Windows platform. Put web servers in most systems so the browser is the easy to use, universal GUI. Connect everything so information can be used throughout the...

read more

Risk, Threat and Wireless

Wireless for control systems has been a hot topic for a few years now, and recently we have been treated to the efforts of different groups, i.e. ISA 100 and WirelessHart, to develop a standard that includes security. Which leads to the question how does the use of...

read more

The Dangerous Silent Fix

Frustration building . . . must keep civil tone . . . another silent fix in widely used control system application passes by our doorway . . . This site has had a running series of blog entries on vulnerability disclosure including discussions on the dangers of the...

read more

Secure By Default … No Sale

It is so disheartening. Secure By Default is a straightforward and critically important security concept. The default settings for a device or application should be secure settings so an administrator must turn off security to weaken rather than turn on security to...

read more

Software Quality Varies in OPC Servers

The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal. 1. The latest is Landon's work to verify...

read more

OPC Vendor Security Limitation?

There's been a delay in releasing the final paper of the three part OPC Security Whitepaper series as the paper has been going through some extensive testing. Our initial testing was with a limited amount of servers as a large amount of OPC servers exist and we've...

read more

NERC v. ERO

Discussions with Joe Weiss and reading his recent blog entry have me thinking. While I don't agree with his assessment of the value of the current CIP standards as written, he might be on to something with potential disharmony between FERC's expectations and NERC's...

read more

Shared SCADA WAN: Enterprise, Surveillance and VoIP

A few new fronts are emerging in the battle between physical and logical separation of SCADA WAN's. When we perform assessment and architecture projects we always ask if there are any new applications or changes expected in the near future. Increasing we hear that IP...

read more

When More Security Is Not The Answer

We are increasingly running into situations where asset owners are cobbling together multiple security controls to do unnecessary and risky functionality they would never consider in the past. The most common example is providing the ability to manage and configure...

read more

Is Sloppy Use of SCADA a Problem?

I'm prepping for my podcast interview with Joe Weiss on security awareness in control systems and came across one point that didn't make the cut, but is still interesting. Some people in the community get very upset when SCADA is used as a term to cover all control...

read more

Vivid Example for Separate Domain/Tree/Forest

Many SCADA and DCS vendors are integrating their applications with Microsoft's Active Directory. There are some benefits to this: Control system vendors no longer need to develop and maintain user management system and other directory services (typically not a core...

read more

Rockwell Automation Cybersecurity

We just finished a series of SCADApedia entries on security in Rockwell Automation (RA) controllers and software applications. The ControlLogix PAC (powerful PLC) is a prime example of why we are fans of the simple, little IEEE P1686 standard effort. The Logix family...

read more

Who Will Win Field Security Appliance Market?

I'm not going to pick a winner this early, but two factors will determine the winner if history is any guide. 1) The better management system Check Point dominated the firewall market for a very long time primarily based on the easy of use and power of their firewall...

read more

March Monthly Checkup: Patching Policy and Implementation

I was waiting for something to inspire the March Monthly Checkup topic and the OPC Server Vulnerability Notes / Patching discussions came through just in time. Here are your check-up tasks for this month: 1) Verify management accepts the risks and approves your...

read more

CS2SAT

The Control System Cyber Security Self-Assessment Tool (CS2SAT) was presented at the PCSF Annual Meeting earlier this month. I had promised a review of this tool, and it takes place in two parts. The facts of the CS2SAT are in a SCADApedia entry and my comments on the...

read more

Achilles Controller Certification

A lot to cover here so I'll break this into parts. Part 1 - Why Protocol Stack Testing Achilles is a black box testing platform. For those new to testing, the term black box means the tester and tools have no internal knowledge of the device being tested. Achilles...

read more

PCSF – Day Two

Update: Day two details have been added. Today is Solutions Day with four tracks. Nate Kube and I are presenting the Achilles Controller Certification from 10 - noon. LOGIIC First up for me is the Project LOGIIC presentation. I am lying in wait for Q & A when I...

read more

PCSF – Day One

We are off and running . . . I’d estimate about 150 attendees (officially 200 registrants) and a quick poll showed about 75% are first time PCSF attendees. Nice to see so many fresh faces and asset owners. This PCSF event is taking a different approach in focusing on...

read more

Achilles Controller Certification

Digital Bond is a small, I like to say boutique, SCADA security research and consulting practice. We try to focus on projects that will have a significant and near term positive impact on the SCADA security community. I believe we have a pretty good track record with...

read more

You Can’t Tell The Players Without A Scorecard

There has been a fair amount of movement in some of the big names in SCADA security over the last year. To summarize: The latest is Joe Weiss leaving Kema and joining Applied Control Solutions, LLC. A friend pointed this out on the PCSF agenda. I call Joe the Paul...

read more

February Monthly Check: Perimeter Security Review

No Enterprise Network / Control System Firewall Hopefully, you have implemented a firewall capability at the enterprise network / control system perimeter. Consultants use words like best practice, good practice, and recommended practice. There is another term...

read more

Microsoft Says No Special Manufacturing OS

Last week the Microsoft Manufacturing User Group (MsMUG) held a three day event with about 150 people in attendence. I was unable to attend because of S4, but I did get some highlights from Jim Bauhs of Cargill. There was a rumor in the community that Microsoft might...

read more

S4 – Day Two in Review

The day kicked off with two complementary OPC Exposed Presentations. Session 7 - OPC Exposed, Part I by Lluis Mora of Neutralbit Lluis's paper looked at OPC server implementation vulnerabilities. He detailed some of the 24 test cases he ran against 75 different OPC...

read more

S4 – Day One in Review

The blog has been very quiet because we have been fully occupied with Digital Bond's SCADA Security Scientific Symposium (S4). Liveblogging didn't work well because I was communicating with the Virtual Attendees, handling Q&A, and sitting right next to the...

read more

US-CERT Discloses Sisco ICCP Stack Vulnerability

It is interesting watching the system work from the researcher perspective and see the responses and time line. This was one of the first vulnerabilities that we processed through our vulnerability disclosure policy. Matt identified this in late February and it went...

read more

Tainted Powerpoint the Culprit in Recent Utility Hack

Brian Krebs at the Washington Post's Security Fix has more detail on a recent utility hack and some grim predictions for 2007 Microsoft Office. The cyber attack last month against a U.S.-based public utility came wrapped in a Microsoft PowerPoint document featuring...

read more

FERC Comments on NERC CIP Standards

For those coming in late: 9/11 and multiple worms increase cyber security concern for the electric gridNERC representing bulk electric systems decides cyber security standards are requiredAugust 2003 NERC issues temporary Urgent Action Cyber Security Standard 1200...

read more

OPC Exposed Part II

In an earlier post I gave a preview of Ralph Langner's paper and DoS tool for OPC implementations.  We have a second brilliant OPC paper at S4 from Lluis Mora of Neutralbit in Barcelona, Spain. Lluis's paper focuses on implementation vulnerabilities in OPC...

read more

UPCOMING EVENTS

 

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host.

Sept 12 in Phoenix

I spoke at a private company event.

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLC's). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region. 

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lot's to say after the S4x19 ICS Detection Challenge experience.

 

 

2007 Articles

by | Jul 12, 2019