2008 Articles

Top Ten SCADA Security Stories of 2008

Here is our list of the top ten control system stories for 2008. 1. Vulnerabilities Discovered by Non-Control System Company Core Security and others outside of the control system community started testing freely available demo versions of control system applications...

Control System Vendor Bailout

Bill Gross has an interesting comment on Jason's regulation post. Here is the key excerpt: To that end, you would see the virtual elimination of security flaws in systems if you target your regulation in a way that: 1) Makes vendors accountable for financial impacts...

Would the CSIS Suggestions To Obama Make a Difference?

I finally had a chance to read through the Center for Strategic and International Studies [CSIS] paper on Securing Cyberspace for the 44th Presidency. This group appears to have some clout so some of the recommendations may come to pass. Still mulling the...

More Thoughts on Application Whitelisting

Let's get this out of the way: application whitelisting does not equal perfect security. But neither do any of the other host-based security products that are competing to get on your control system servers and workstations. The bloated AV programs that do...

Finding The Fox In The Hen House – Practical Tips

Let's face it, no matter how hard we try, or how elaborate the defense, sometimes the fox gets in the hen house (Or sometimes it just eats at McDonald's). When I was in college taking a computer systems design course my professor stated that computer technology is...

Reexamining AV in the control system

Antivirus is one of those things that is a standard recommendation on almost any assessment you'll find, but maybe this is something we need to start rethinking. We all know that for the most part the current AV model is an arms race that's not very functional,...

Safer, Faster, More Accurate Nessus Scanning

Last month I mentioned briefly that there are additional functions of Nessus credential checks beyond the policy compliance plugins we're using for Bandolier. The example in that blog post allowed you to "scan" all 65,535 ports safely and with minimal network traffic....

A Few Ideas for a More Secure Future

Having been involved in this industry (control system security) for the last five years, a quick examination of what progress has been made in securing critical infrastructure leads me to the conclusion of "not very much". The industry is still plagued with the...

Server Hardening – Getting Back To Basics

If you are responsible for defending networks and systems, you have many different tools at your disposal (unfortunately so do the attackers). There are many products on the market, from firewalls to intrusion detection/prevention systems, that aim to protect your...

On The Increasing Intelligence of Field Devices

Recently I've attended a few training classes/sales pitches on some new field devices coming into the market, and a trend that I'm seeing is that more and more of them are being built on x86 processors running embedded Windows operating systems. A lot of things can...

OPC UA Assessment Series

Digital Bond has just completed a security assessment report on the OPC Unified Architecture [UA] protocol, and we will be issuing a series of blog posts supported with SCADApedia content on the results. The assessment included both a paper security review of the...

Digital Bond Turns Ten

Digital Bond opened our doors ten years ago today on Sept 28, 1998. Like most businesses, Digital Bond morphed over time. Gen 1 was a company designing a smart card solution to secure Internet brokerage transactions. We actually did pharming demonstrations with...

The Risks of Security Non-Disclosure

As there has been a furor of emails on various lists regarding the recent Citect vulnerability Metasploit modules, I thought a little discussion of the risk of non-disclosure might prove valuable. Disclosure and the development of such modules do increase exposure....

Vulnerability Scoring Metrics

Last week at PCSF there were a few issues that seemed to work their way into every presentation and discussion. It seems that both vendors and asset owners are looking hard for the government or some other entity to provide vulnerabilities with some sort of risk...

Just not getting it

Some companies, both vendors and asset owners, continue to give away the proverbial "baby with the bath water." Case in point (from an article at automation.com but which was a general press release): August 7, 2008 - Reykjavik Energy selected ABB to upgrade and...

Arming Attackers?

Matt Franz in a recent post at his blog noted, in a very tongue in cheek manner, that some of Digital Bond's recent Scadapedia articles serve to "arm attackers". As security through obscurity does not exist it is important to understand that the dissemination of...

Leveraging Portaledge for Security Metrics

Portaledge is a tool being developed by Digital Bond with Department of Energy funding that uses OSIsoft's PI server interfaces to aggregate security events from IT and control system data sources and then correlate them through PI's ACE correlation engine to detect...

What Should Congress Do?

The combination of the lobbying topic in the last podcast, Joe Weiss talking about a blue ribbon panel to advise the next President, and chats with team members have made me think about this a lot over the last week - - and I still don't have an answer that I believe...

Quickdraw Event Categories

Quickdraw is Digital Bond's DHS funded security project to develop an application that will generate security log events for PLC's and other legacy field devices with little or no security event logging capability. While evaluating the technical requirements necessary...

Understanding Risk in Control System Environments

Risk in our field is most often defined as risk = threat x vulnerability x consequence. And while it is a formula that is easy to define it is very difficult to give actual values to the variables. How do we quantitatively assign "real" values to the...

NERC Responds To Congressional Pounding

NERC got hit hard by Congress in the May Congressional Subcommittee Hearings, most notably on providing false information to Congress in the past. Some members of the Subcommittee went as far as saying NERC needed to be replaced as the ERO. There had to be some action...

A Legacy of Insecurity; the Control System Lifecycle

The classic definition of the cornerstones of information security is: Confidentiality, meaning that the data that you send or receive cannot be read by others. Integrity, the data is valid, has not been tampered with and originates from the authenticate...

SCADA Honeywall: Use Your Own PLC As The Target

I recently gave a presentation on the SCADA Honeynet Project. During the Question and Answer session, a number of attendees requested an implementation of the Honeynet that would allow them to use a spare physical PLC as the target. Evidently many asset owners had...

Why do binary analysis when you have source?

We’re often asked why we would do binary analysis on software that we already have the source code to, and Rob Graham over at Errata’s blog had a great post on this a few days ago about that very topic. As Graham says the key difference between coders and hackers (or...

Pacific Northwest News and Notes

Prior to the holiday I took a swing through the Pacific Northwest. Here are a few items: In Vancouver I stopped in on Wurldtech. Achilles continues to mature with lots of new configuration and reporting features, but what I found most interesting is the way Wurldtech...

Vulnerabilities in Interpreted Languages

Vulnerabilities were announced in Ruby during the last week. Details are still limited, but they're starting to seep out as people start analyzing the patches/source tree. These vulnerabilities, and others like them in Python/Perl/etc, are interesting for a lot of...

Bandolier and NERC CIP

We’ve talked occasionally about using the Bandolier audit templates to help with various standards compliance efforts. There is now a SCADApedia article that more formally describes how and where Bandolier links to the NERC CIP requirements. Earlier this week I...

Race-To-Zero Virus Contest

Defcon, for those who don't know, is the world's largest and most famous hacking conference. This year an unofficial contest is being held at Defcon and it is receiving negative feedback from some of the anti-virus (AV) vendors. The goal of the Race-To-Zero contest is...

Early Server Core Security Patch Statistics

Previously we recorded a podcast on the minimal install / small attack surface install of Windows Server 2008 called Server Core. One benefit of a smaller attack surface should be fewer security patches. We made some estimates on the reduced patching if a Server Core...

Bandolier Update: First Set of Audit Templates Revealed

We have been working feverishly on Bandolier for several months now and have blogged about some of the issues and progress along the way. Notably absent, however, has been discussion about which applications we have assessed and which respective audit files are under...

Quickdraw – New DHS Funded Research Project

I'm pleased to announce we have begun work on another research project. This one is funded by the Department of Homeland Security, Science and Technology Directorate. The project is the PLC Passive Security Event Log Generator, which we will be calling Quickdraw....

Covert Channels and Firewall Egress Rules

If the "holy grail" for a hacker is to exploit a vulnerability that allows for the installation of a payload (rootkit) that provides control of a remote system, how do defenders prevent this? Experience has shown that...

Thoughts on Congressional Hearings

After a few days of letting the Congressional Hearings on security of electric sector control systems sink in here are the three items I found most interesting and important. 1. The fact that NERC previously provided false information to Congress on Aurora mitigation...

Extrusion Detection to Detect Attacks

We have written quite a bit about intrusion detection and developed SCADA signatures to detect attacks on the SCADA or DCS IP networks and associated DMZ's, but let me introduce another buzzword to the community: extrusion detection. The idea behind extrusion...

Control Systems Security Standards Efforts ROI

I've been involved to varying degrees with security standards efforts for way too long now - - almost twenty years. Most recently with the ISA 99 Part 4 effort. For a while I was actively involved in that effort in support of a contract with Wurldtech. When Bryan...

Thoughts on the “7 Dirty Secrets of the Security Industry”

Joshua Corman of IBM/ISS gave a presentation at Interop Las Vegas yesterday titled “Unsafe at any speed: 7 Dirty Secrets of the Security Industry”. Here’s the Network World report. The title alone is interesting – making a reference to automobile safety – especially...

Phoenix Contact Buys Innominate

The field security appliance market just got smaller - - or larger. Innominate was one of the first companies to develop a firewall for the plant floor or SCADA field sites. We have covered them in the blog over the years. Innominate announced at Hannover Messe that...

Security and Reliability

Security and reliability are two terms used quite often in our industry. Though I have been in the control systems realm a short time, it appears that many people view the two subjects as opposing forces. I believe that in most cases security should be considered an...

Automatic Patch-Based Exploit Generation

Reversing patches to create exploits is nothing new, and it tends to occupy the time of a lot of security researchers around the 2nd Tuesday of every month, but an interesting research paper was published recently from a few graduate students at CMU, Berkeley, and...

Shameless Marketing FUD and Hype

I'm sure many of you have been spammed by an email from TDI about a "NERC CIP Cyber Asset Alert". I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately in pure FUD and...

BSI IT-Grundschutz

The ISA99 WG4 was discussing a security methodology called BSI IT-Grundschutz that was new to me. Hans Daniel provided a very concise and useful summary that he kindly allowed us to post on the blog. UPDATE: A link to the English version of IT-Grundschutz courtesy of...

Bandolier Update: The Real World

When I first got started with Bandolier, I thought the bulk of the value would be in the security checks of the control system application itself. Getting to this information involves digging into how the app works, identifying the most secure configuration, and...

Portaledge (PI SCADA SIEM)

Our Dept. of Energy funded research project will result in a number of different tools for Digital Bond site subscribers. We have blogged on Bandolier, the development of control system security audit templates for Nessus and other vulnerability scanners. Now let me...

Second Annual IFIP WG 11.10 International Conference on CIP

The conference was organized by Dr. Mauricio Papa, Assistant Professor of Computer Science at the University of Tulsa, Dr. Sujeet Shenoi, F.P. Walter Professor of Computer Science at the University of Tulsa, and Eric Goetz, Associate Director for Research at I3P, and...

Is It Worth It?

In last week's Friday News and Notes we mentioned a story on access and management of PLC's via Blackberry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in new ways....

Different

There still are a tremendous amount of wasted cycles in the community discussing and arguing that control system security is different than IT security. So what? Who cares? Isn't almost everything different? Water (canal) SCADA is different than pipeline SCADA is...

Lack of Imagination and Attack Progression

I was a little late catching it, but Richard Bejtlich made a post titled “First They Came for Bandwidth...” over on his TaoSecurity blog last week that is worth reading. He argues that one of the problems with being in a defensive position with regard to security is a...

Bandolier Update: Introduction to Compliance Checks

Dale posted an introduction to Bandolier a couple of weeks ago. I am increasingly excited about the value of this project. We are working with asset owners and vendors to identify a hardened configuration for twenty control system applications. We are then developing...

Virtualization in the SCADA World

A few years back, the traditional IT world was debating the merits of virtualization. There were concerns about performance, security, vendor support, and a host of other issues. Fast-forward to today, however, and you’ll find virtual machines in use in nearly every...
