Update: Day two details have been added.

Today is Solutions Day with four tracks. Nate Kube and I are presenting the Achilles Controller Certification from 10 – noon.


First up for me is the Project LOGIIC presentation. I am lying in wait for Q&A, when I will ask again how the community can get access to the meta events and the correlation scripts for this SCADA SEM project. To date, all we can say the product proved is that SEM products will work in a control system, but this is not surprising.

The demo is interesting, showing replayed data from the testbed and the ArcSight SEM view. There are some good examples showing failed Telnet logins to an OMNI flow computer and configuration changes to this flow computer. There might be something here, if they release some info.

At Q&A there is still no plan to release meta events and correlation rules, but they will be looking into it. I still am a fan of this project, but the impact will be minimal, essentially limited to ArcSight users, if the information is not made available. Any loyal blog readers with some pull, please use your influence to help.

Achilles Certification

I need to write on this in detail later. Obviously we are very excited about the potential of this cert to significantly raise the bar on controller security and assurance.


The DHS-sponsored Control System Cyber Security Assessment Tool (C2SAT) is a very useful interactive questionnaire and assessment tool. It lets you define your network and then asks a series of security and consequences questions. Great features include the way it can be tailored to a standard such as NERC CIP, links to the pertinent documentation, and the reports that can be generated.

They were giving out this tool so I will review and blog in more detail in the next week. This was one of the most useful and impressive ‘solutions’ I saw at PCSF.


This Sandia project began as SLAP and now is the Open PCS Security Architecture For Interoperable Design (OPSAID). It is a set of open source Linux software (Snort, iptables, syslog-ng, ssh, etc.) packaged together for a field security device.

This is similar to what we did in the SCADA Honeynet. We took tools from the Honeynet Project and open source Java services such as jamod and fizmez, added some content, pre-configured all this, and distributed it as easy-to-deploy images.

It will be interesting to see how they will distribute this. For example, it could be distributed as a bootable CD with a simple step-by-step config GUI. Also, what additional content, management or configuration glue has been added? We will definitely download and evaluate this when it is available.

The best thing about this is Sandia will be releasing this for free. This may not sound like much, but it is a radically different approach.

I attended a subsequent meeting where there were discussions on interoperability. This needs to be better defined. Is the effort on interoperability for mutual authentication? Security log messages? Encryption? Deploying IDS/IPS signatures? Management? I’m less sanguine that anything of value will come from the interoperability effort.


Eric Byres of Byres Security presented his Tofino field firewall / security solution. I saw serial number 001. Beta units are going out this month and first customer ship is scheduled for August.