2008 Articles
Top Ten SCADA Security Stories of 2008
Here is our list of the top ten control system stories for 2008. 1. Vulnerabilities Discovered by Non-Control System Company Core Security and others outside of the control system community started testing freely available demo versions of control system applications...
Control System Vendor Bailout
Bill Gross has an interesting comment on Jason's regulation post. Here is the key excerpt: To that end, you would see the virtual elimination of security flaws in systems if you target your regulation in a way that: 1) Makes vendors accountable for financial impacts...
Would the CSIS Suggestions To Obama Make a Difference?
I finally had a chance to read through the Center for Strategic and International Studies [CSIS] paper on Securing Cyberspace for the 44th Presidency. This group appears to have some clout so some of the recommendations may come to pass. Still mulling the...
More Thoughts on Application Whitelisting
Let's get this out of the way: application whitelisting does not equal perfect security. But neither do any of the other host-based security products that are competing to get on your control system servers and workstations. The bloated AV programs that do...
Finding The Fox In The Hen House – Practical Tips
Let's face it, no matter how hard we try, or how elaborate the defense, sometimes the fox gets in the hen house (Or sometimes it just eats at McDonald's). When I was in college taking a computer systems design course my professor stated that computer technology is...
Honeywell C300 Controller Achilles Certified . . . with Firewall
I was first encouraged and then disappointed to read the press release announcing Honeywell's Experion C300 Controller had achieved Achilles Level 1 Certification. I was pleased to see another vendor stepping up to get their controller protocol stack tested....
Does application whitelisting have a chance in control systems?
Last month I ran across the CoreTrace booth at the ISA Expo. Ever since that happenstance introduction, their name and the concept behind their Bouncer product keep popping up in conversations, news feeds, and even Google advertising -- mostly in the context of...
Reexamining AV in the control system
Antivirus is one of those things that is a standard recommendation on almost any assessment you'll find, but maybe this is something we need to start rethinking. We all know that for the most part the current AV model is an arms race that’s not very functional,...
Safer, Faster, More Accurate Nessus Scanning
Last month I mentioned briefly that there are additional functions of Nessus credential checks beyond the policy compliance plugins we're using for Bandolier. The example in that blog post allowed you to "scan" all 65,535 ports safely and with minimal network traffic....
A Few Ideas for a More Secure Future
Having been involved in this industry (control system security) for the last five years, a quick examination of what progress has been made in securing critical infrastructure leads me to the conclusion of "not very much". The industry is still plagued with the...
Server Hardening – Getting Back To Basics
If you are responsible for defending networks and systems, you have many different tools at your disposal (unfortunately so do the attackers). There are many products on the market, from firewalls to intrusion detection/prevention systems, that aim to protect your...
On The Increasing Intelligence of Field Devices
Recently I've attended a few training classes/sales pitches on some new field devices coming into the market, and a trend that I'm seeing is more and more of them are being built on x86 processors running embedded Windows operating systems. A lot of things can...
OPC UA Assessment Series
Digital Bond has just completed a security assessment report on the OPC Unified Architecture [UA] protocol, and we will be issuing a series of blog posts supported with SCADApedia content on the results. The assessment included both a paper security review of the...
Digital Bond Turns Ten
Digital Bond opened our doors ten years ago today on Sept 28, 1998. Like most businesses, Digital Bond morphed over time. Gen 1 was a company designing a smart card solution to secure Internet brokerage transactions. We actually did pharming demonstrations with...
The Risks of Security Non-Disclosure
As there has been a furor of emails on various lists regarding the recent Citect vulnerability Metasploit modules, I thought a little discussion of the risk of non-disclosure might prove valuable. Disclosure and the development of such modules do increase exposure....
Vulnerability Scoring Metrics
Last week at PCSF there were a few issues that seemed to work their way into every presentation and discussion. It seems that both vendors and asset owners are looking hard for the government or some other entity to provide vulnerabilities with some sort of risk...
Just not getting it
Some companies, both vendors and asset owners, continue to give away the proverbial "baby with the bath water." Case in point (from an article at automation.com but which was a general press release): August 7, 2008 - Reykjavik Energy selected ABB to upgrade and...
Arming Attackers?
Matt Franz in a recent post at his blog noted, in a very tongue in cheek manner, that some of Digital Bond's recent Scadapedia articles serve to "arm attackers". As security through obscurity does not exist it is important to understand that the dissemination of...
Leveraging Portaledge for Security Metrics
Portaledge is a tool being developed by Digital Bond with Department of Energy funding that uses OSIsoft's PI server interfaces to aggregate security events from IT and control system data sources and then correlate them through PI's ACE correlation engine to detect...
What Should Congress Do?
The combination of the lobbying topic in the last podcast, Joe Weiss talking about a blue ribbon panel to advise the next President, and chats with team members have made me think about this a lot over the last week - - and I still don't have an answer that I believe...
Quickdraw Event Categories
Quickdraw is Digital Bond's DHS funded security project to develop an application that will generate security log events for PLCs and other legacy field devices with little or no security event logging capability. While evaluating the technical requirements necessary...
Understanding Risk in Control System Environments
Risk in our field is most often defined as risk = threat x vulnerability x consequence. And while it is a formula that is easy to define it is very difficult to give actual values to the variables. How do we quantitatively assign "real" values to the...
NERC Responds To Congressional Pounding
NERC got hit hard by Congress in the May Congressional Subcommittee Hearings, most notably on providing false information to Congress in the past. Some members of the Subcommittee went as far as saying NERC needed to be replaced as the ERO. There had to be some action...
A Legacy of Insecurity; the Control System Lifecycle
The classic cornerstones of information security are: Confidentiality, meaning that the data that you send or receive cannot be read by others. Integrity, the data is valid, has not been tampered with and originates from the authenticate...
SCADA Honeywall: Use Your Own PLC As The Target
I recently gave a presentation on the SCADA Honeynet Project. During the Question and Answer session, a number of attendees requested an implementation of the Honeynet that would allow them to use a spare physical PLC as the target. Evidently many asset owners had...
Why do binary analysis when you have source?
We’re often asked why we would do binary analysis on software for which we already have the source code, and Rob Graham over at Errata’s blog had a great post on this a few days ago about that very topic. As Graham says, the key difference between coders and hackers (or...
Pacific Northwest News and Notes
Prior to the holiday I took a swing through the Pacific Northwest. Here are a few items: In Vancouver I stopped in on Wurldtech. Achilles continues to mature with lots of new configuration and reporting features, but what I found most interesting is the way Wurldtech...
Vulnerabilities in Interpreted Languages
Vulnerabilities were announced in Ruby during the last week. Details are still limited, but they’re starting to seep out as people analyze the patches/source tree. These vulnerabilities, and others like them in Python/Perl/etc., are interesting for a lot of...
Bandolier and NERC CIP
We’ve talked occasionally about using the Bandolier audit templates to help with various standards compliance efforts. There is now a SCADApedia article that more formally describes how and where Bandolier links to the NERC CIP requirements. Earlier this week I...
Race-To-Zero Virus Contest
Defcon, for those who don't know, is the world's largest and most famous hacking conference. This year an unofficial contest is being held at Defcon and it is receiving negative feedback from some of the anti-virus (AV) vendors. The goal of the Race-To-Zero contest is...
Control Systems and connectivity. What is the real state of the industry?
The recent CitectSCADA vulnerability disclosure and the associated discussion on various control system mailing lists, blogs and forums raises some interesting assertions. Assertions that have piqued my interest in the past when...
Early Server Core Security Patch Statistics
Previously we recorded a podcast on the minimal install / small attack surface install of Windows Server 2008 called Server Core. One benefit of a smaller attack surface should be fewer security patches. We made some estimates on the reduced patching if a Server Core...
Bandolier Update: First Set of Audit Templates Revealed
We have been working feverishly on Bandolier for several months now and have blogged about some of the issues and progress along the way. Notably absent, however, has been discussion about which applications we have assessed and which respective audit files are under...
Quickdraw – New DHS Funded Research Project
I'm pleased to announce we have begun work on another research project. This one is funded by the Department of Homeland Security, Science and Technology Directorate. The project is the PLC Passive Security Event Log Generator, which we will be calling Quickdraw....
Covert Channels and Firewall Egress Rules
If the "holy grail" for a hacker is to exploit a vulnerability that allows for the installation of a payload (rootkit) that provides control of a remote system, how do defenders prevent this? Experience has shown that...
Thoughts on Congressional Hearings
After a few days of letting the Congressional Hearings on security of electric sector control systems sink in here are the three items I found most interesting and important. 1. The fact that NERC previously provided false information to Congress on Aurora mitigation...
Extrusion Detection to Detect Attacks
We have written quite a bit about intrusion detection and developed SCADA signatures to detect attacks on the SCADA or DCS IP networks and associated DMZs, but let me introduce another buzzword to the community: extrusion detection. The idea behind extrusion...
Control Systems Security Standards Efforts ROI
I've been involved to varying degrees with security standards efforts for way too long now - - almost twenty years. Most recently with the ISA 99 Part 4 effort. For a while I was actively involved in that effort in support of a contract with Wurldtech. When Bryan...
Thoughts on the “7 Dirty Secrets of the Security Industry”
Joshua Corman of IBM/ISS gave a presentation at Interop Las Vegas yesterday titled “Unsafe at any speed: 7 Dirty Secrets of the Security Industry”. Here’s the Network World report. The title alone is interesting – making a reference to automobile safety – especially...
Phoenix Contact Buys Innominate
The field security appliance market just got smaller - - or larger. Innominate was one of the first companies to develop a firewall for the plant floor or SCADA field sites. We have covered them in the blog over the years. Innominate announced at Hannover Messe that...
Security and Reliability
Security and reliability are two terms used quite often in our industry. Though I have been in the control systems realm a short time, it appears that many people view the two subjects as opposing forces. I believe that in most cases security should be considered an...
Automatic Patch-Based Exploit Generation
Reversing patches to create exploits is nothing new, and it tends to occupy the time of a lot of security researchers around the 2nd Tuesday of every month, but an interesting research paper was published recently from a few graduate students at CMU, Berkeley, and...
Shameless Marketing FUD and Hype
I'm sure many of you have been spammed by an email from TDI about a "NERC CIP Cyber Asset Alert". I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately in pure FUD and...
BSI IT-Grundschutz
The ISA99 WG4 was discussing a security methodology called BSI IT-Grundschutz that was new to me. Hans Daniel provided a very concise and useful summary that he kindly allowed us to post on the blog. UPDATE: A link to the English version of IT-Grundschutz courtesy of...
Bandolier Update: The Real World
When I first got started with Bandolier, I thought the bulk of the value would be in the security checks of the control system application itself. Getting to this information involves digging into how the app works, identifying the most secure configuration, and...
Portaledge (PI SCADA SIEM)
Our Dept. of Energy funded research project will result in a number of different tools for Digital Bond site subscribers. We have blogged on Bandolier, the development of control system security audit templates for Nessus and other vulnerability scanners. Now let me...
Second Annual IFIP WG 11.10 International Conference on CIP
The conference was organized by Dr. Mauricio Papa, Assistant Professor of Computer Science at the University of Tulsa, Dr. Sujeet Shenoi, F.P. Walter Professor of Computer Science at the University of Tulsa, and Eric Goetz, Associate Director for Research at I3P, and...
Is It Worth It?
In last week's Friday News and Notes we mentioned a story on access and management of PLCs via Blackberry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in new ways....
Different
There still are a tremendous amount of wasted cycles in the community discussing and arguing that control system security is different than IT security. So what? Who cares? Isn't almost everything different? Water (canal) SCADA is different than pipeline SCADA is...
Lack of Imagination and Attack Progression
I was a little late catching it, but Richard Bejtlich made a post titled “First They Came for Bandwidth...” over on his TaoSecurity blog last week that is worth reading. He argues that one of the problems with being in a defensive position with regard to security is a...
Bandolier Update: Introduction to Compliance Checks
Dale posted an introduction to Bandolier a couple of weeks ago. I am increasingly excited about the value of this project. We are working with asset owners and vendors to identify a hardened configuration for twenty control system applications. We are then developing...
Virtualization in the SCADA World
A few years back, the traditional IT world was debating the merits of virtualization. There were concerns about performance, security, vendor support, and a host of other issues. Fast-forward to today, however, and you’ll find virtual machines in use in nearly every...