2009 Articles

Why Security Talent Capitalization Rate is Low

In my last post I introduced Malcolm Gladwell's Capitalization of Talent concept and concluded that the capitalization rate of SCADA security talent in the control system community rate is low. Here are some reasons why in no particular order: Security 101 is dull -...

read more

Capitalization of SCADA Security Talent

Almost everyone in the community, even the optimists like myself who have seen impressive progress by some vendors and owner / operators, bemoan the pace of improved security postures across the control system community. And we try to figure out why this is and how to...

read more

Tiered Patching Infrastructure

There's a great write-up on building and maintaining a Windows tiered patching infrastructure over at Ars Technica today. It sets up like this: Windows updates have historically been a constant annoyance for IT staff. Manual updates were a huge pain, and, while the...

read more

What authentication isn’t

To a lot of you, this is post isn't going to tell you anything you don't already know, but for others I think it needs to be said again.  MAC and IP addresses are easily changeable and are useless for authentication. Far too often when we're on site we see...

read more

Quickdraw Retrospective

Having completed my part of the Quickdraw project, my time at Digital Bond is winding to a halt. But I thought I'd just post a retrospective on some of the things I learned on the Quickdraw project. Because this post is a bit on the long side I have decided to split...

read more

External Connections

When stories about Internet based attacks on control systems, like the 60 Minutes story, appear on sites like Slashdot, most people question the need to attach the control network to  another network.  In my previous position at a National Laboratory, I have seen...

read more

60 Minutes

I wanted to wait to hear the reactions to the segment on 60 Minutes before commenting. If you missed it, see it here or read the transcript. Here are a few thoughts on the story. It is probably a net plus because 60 Minutes reaches an audience that might not be aware...

read more

The Relevance of ISA 99

One of the reasons I went to ISA Expo in Houston last week was to try to get a fix on what ISA 99 was up to and whether it continued to matter. Historically, ISA 99 was one of the early movers in the control system security standards and guidelines space. Their first...

read more

Another Look at Application Whitelisting in Control Systems

Someone needs to tell me where the downside is with products like CoreTrace Bouncer. I've tried to be skeptical of application whitelisting but the more I see, the more I like it. Recently I had the opportunity to see Bouncer demonstrated on a Yokogowa Centum DCS....

read more

Control System Scanning with Nessus

A few weeks back while discussing some planned Nessus updates and Bandolier, I said what matters is value and improved security for your control systems, not just running a scan. There are a variety of reasons why you might want to scan your control networks but...

read more

Security Configuration and Acceptance Testing

After working on a few factory acceptance tests for SCADA and DCS implementations, I have some suggestions for the process as it relates to security, and particularly security configuration testing.. They can be roughly categorized as suggestions for the vendor, for...

read more

Vulnerability Disclosure – Reboot

I attended a half day workshop on Vulnerability Disclosure -- yes there is no permanent escape from this topic. But after taking some time off and listening again I may have had an epiphany. Let's go back to the beginning with IT vulns, why were vulnerability...

read more

Permissions Advice for Control System Applications

In a world of remotely exploitable vulnerabilities and inherently vulnerable protocols, permissions on a control system server may seem insignificant. With 20+ Bandolier security audit files under my belt, though, I have a different opinion. Think about all the...

read more

EnergySec Tries A New Type of Information Sharing

Effective information sharing about vulnerabilities, security incidents and other security issues is a hard problem. Most owner/operators are reluctant to share anything that could make them look bad or worse, but these same asset owners see the benefit of receiving...

read more

Falling Off The Wurldtech Bandwagon

Long time and loyal blog readers know that Digital Bond and myself personally were early supporters of the Achilles test platform and protocol stack certification. In fact our vocal support even resulted in a contract to help create the Achilles Level 1 Certification...

read more

Control System (HVAC) incident at Carrel Clinic

We have another control system incident in the news that will surely fill up slidedecks for the next decade. News became public yesterday of an arrest of security guard involved in a compromise of the HVAC system, and likely the rest of the hospital network,  at...

read more

Beta Release: SCADA IDS Preprocessors

We are pleased to announce the beta release of some Quickdraw software components today. Quickdraw is a Digital Bond research project funded by the US Department of Homeland Security (DHS). This beta release is the first three SCADA IDS preprocessors that were the...

read more

Virtualization a Reality in Control Systems

We have been blogging about the benefits of virtualization in control systems. Asset owners have been reluctant to embrace virtualization until it was blessed by the vendor, and this is understandable. A few vendors have been working on virtualization support, and the...

read more

NERC CIP, Low Hanging Fruit and the Weak Link

The NERC CIP cyber security work in the electric sector has been fast and furious as deadlines approach, as have the comments on the value, or lack thereof, of this effort. I am very confident in the following two conclusions based on working with many of the asset...

read more

How unique is the code in critical systems?

Often times those involved in operating critical infrastructure are given a false sense of security when looking over the daily stream of vulnerability disclosures and patch information, as these feeds/lists seems to seldom contain anything specific about their...

read more

Developer Liability

Recently, two members of the European Commission, Viviane Reding and Meglena Kuneva, proposed that the European Union's (EU) consumer protection rules for physical products be extended to software.  This expansion of the consumer protection rules to include software...

read more

Code Quality in Critical Systems

This is a little deviation from our usual critical systems, but considering it is a tool that heavily influences whether a guilty person goes free or an innocent one goes to jail it seems critical to me.  In the State v. Chun case the defendant argued for analysis of...

read more

Legislative Utopia

George Will wrote an interesting column on folly of government pursuing rules and executive actions to achieve impossible goals. Here is key paragraph in the typical Will style: Gulliver's travels took him to the Academy of Lagado, where "professors contrive new rules...

read more

Secure Windows

Yes, you read the title correctly. There is a new and improved security driven version of Windows being distributed. The National Institute for Standards and Technology, the Defense Information Systems Agency and the Center for Internet Security consulted on this...

read more

Optimal Security Configuration

Some observations after going through the tedious process of creating and modifying Windows service policy checks for an upcoming Bandolier release... 1.) The value of the OS-level audit files is different than I first thought. I blogged about this last year after...

read more

Portaledge: Detecting Cyber Attacks

Portaledge is Digital Bond's control system security research project funded by the US Department of Energy. We recently issued the first release and are nearing the second, so this is a good time to discuss with practical examples, what Portaledge is, how it works,...

read more

Quickdraw Update: Preprocessors and Detection Plugins

It’s been a little while since we've had a Quickdraw update, and I wanted to fill everyone in on how we're doing and the approach we're using. As we've described before we're basing the project on the snort 2.8.x tree, and we could do much of the processing and...

read more

Malware, Viruses, and Attackers hopping networks

Many of us in the Control System community feel pretty secure in the belief that our critical networks are not directly connected to the internet, and as such are insulated from attack. Apparently (and as oft has been stated) this is not sufficient protection, if the...

read more

Thoughts on DHS ICSJWG

Two weeks ago I was fortunate, along with about one hundred others, to be invited to an initial planning meeting of DHS's Industrial Control System Joint Working Group [ICSJWG]. Here are some thoughts after a few weeks to ponder what happened there. ICSJWG is going to...

read more

Assante Throws Down the Gauntlet on CIP-002

NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all...

read more

Conficker beFUDdlement

I'll start off by saying don't believe all the FUD that’s been going around, we all know how many members of the media area when they get hold of a story, especially one that can have a date in the future to speculate on. That said, there are definitely some...

read more

Applying Ockham’s Razor to Control Security

An IM discussion with Jason Holcomb in regards to his recent post set my mind in motion. English philosopher/logician William Ockham postulated in the 14th century(quoting Wikipedia) "When multiple competing hypotheses are equal in other respects, the...

read more

No More Free Bugs?

The disclosure debate is raging once again and its even seeing some discussion on the SCADA mailing lists.  This was stirred up by the No More Free Bugs "campaign" announced at Cansecwest by Miller, Sotirov, and Dai Zovi.  Accomplished guys and names that should at...

read more

Does More Technology = Inherently More Secure?

How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?". I wanted to point this one out for a couple of reasons. First, it's a decent high level treatment of the topic. Even though it starts out with the doomsday scenario, alternate viewpoints are included...

read more

Whitelisting in Control Systems

As Jason Holcomb noted on this blog a few weeks back, there is a growing interest in apply the practice of whitelisting to control systems. In whitelisting a set of known "good" applications is created and maintained, and only applications from that list are allowed...

read more

Risk Management – or – Not All Risks Are Equal

There is a dangerous theme I'm hearing more and more from a variety of sources that every possible risk must be reduced immediately, right now. And if you are not doing this Mr. Asset Owner you are in security denial and being irresponsible. First this is not...

read more

No Budget Security Ideas

I've talked to a few people recently who have control system security responsibility but are on a very tight or non-existent budget. Some things, like the network taps that we discussed recently, do have significant cost but there are many basic security steps that...

read more

Langner Awareness Demonstration Tool

Ralph Langner, who is on our top ten list, always has some interesting tools or information when we talk. Recently he showed me an application Langner Communications uses when having difficulty convincing asset owners they should worry about security. It is a simple...

read more

0Days and iDays

It's always a pleasure to talk with Ralph Langner of Langner Communications at S4. He is a leader and independent control system security voice in Europe. Ralph has developed some interesting tools to demonstrate vulnerabilities and lack of security that I hope to...

read more

Inauguration Security: Lessons Learned

As most of us know, yesterday hundreds of thousands of people converged to witness the swearing in of the 44th president of the United States, Barack Obama. My television was on in the background yesterday, and my radar couldn't help but pick up on some of the details...

read more

Patching Beyond Microsoft

Oracle released 41 security patches this week for a variety of their products. Ten of the patches were for the Oracle database - - that by the way is used in many SCADA and DCS servers. We have seen great progress with vendors testing and certifying Microsoft patches...

read more

Are the Bandolier Security Audit Files Making the Grade?

Based on the reviews from early adopters, the Bandolier security audit files exceeded many expectations in 2008, including my own. We have received some very encouraging feedback from vendors, asset owners, consultants, and even our own assessment teams. With each new...

read more

Latest Research On Embedded System Security

Embedded device security is a topic that many will dismiss, in favor of more popular security concerns. I can understand this, to a certain extent, because mainstream press and information outlets often do not cover embedded security. They are focused on the more...

read more

UPCOMING EVENTS

 

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host.

Sept 12 in Phoenix

I spoke at a private company event.

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLC's). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region. 

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lot's to say after the S4x19 ICS Detection Challenge experience.