2009 Articles
Why Security Talent Capitalization Rate is Low
In my last post I introduced Malcolm Gladwell's Capitalization of Talent concept and concluded that the capitalization rate of SCADA security talent in the control system community is low. Here are some reasons why in no particular order: Security 101 is dull -...
Capitalization of SCADA Security Talent
Almost everyone in the community, even the optimists like myself who have seen impressive progress by some vendors and owner / operators, bemoan the pace of improved security postures across the control system community. And we try to figure out why this is and how to...
Tiered Patching Infrastructure
There's a great write-up on building and maintaining a Windows tiered patching infrastructure over at Ars Technica today. It sets up like this: Windows updates have historically been a constant annoyance for IT staff. Manual updates were a huge pain, and, while the...
What authentication isn’t
To a lot of you, this post isn't going to tell you anything you don't already know, but for others I think it needs to be said again. MAC and IP addresses are easily changeable and are useless for authentication. Far too often when we're on site we see...
Quickdraw Retrospective
Having completed my part of the Quickdraw project, my time at Digital Bond is winding to a halt. But I thought I'd just post a retrospective on some of the things I learned on the Quickdraw project. Because this post is a bit on the long side I have decided to split...
External Connections
When stories about Internet based attacks on control systems, like the 60 Minutes story, appear on sites like Slashdot, most people question the need to attach the control network to another network. In my previous position at a National Laboratory, I have seen...
60 Minutes
I wanted to wait to hear the reactions to the segment on 60 Minutes before commenting. If you missed it, see it here or read the transcript. Here are a few thoughts on the story. It is probably a net plus because 60 Minutes reaches an audience that might not be aware...
The Relevance of ISA 99
One of the reasons I went to ISA Expo in Houston last week was to try to get a fix on what ISA 99 was up to and whether it continued to matter. Historically, ISA 99 was one of the early movers in the control system security standards and guidelines space. Their first...
Another Look at Application Whitelisting in Control Systems
Someone needs to tell me where the downside is with products like CoreTrace Bouncer. I've tried to be skeptical of application whitelisting but the more I see, the more I like it. Recently I had the opportunity to see Bouncer demonstrated on a Yokogawa Centum DCS....
Control System Scanning with Nessus
A few weeks back while discussing some planned Nessus updates and Bandolier, I said what matters is value and improved security for your control systems, not just running a scan. There are a variety of reasons why you might want to scan your control networks but...
Security Configuration and Acceptance Testing
After working on a few factory acceptance tests for SCADA and DCS implementations, I have some suggestions for the process as it relates to security, and particularly security configuration testing. They can be roughly categorized as suggestions for the vendor, for...
Vulnerability Disclosure – Reboot
I attended a half day workshop on Vulnerability Disclosure -- yes there is no permanent escape from this topic. But after taking some time off and listening again I may have had an epiphany. Let's go back to the beginning with IT vulns, why were vulnerability...
Permissions Advice for Control System Applications
In a world of remotely exploitable vulnerabilities and inherently vulnerable protocols, permissions on a control system server may seem insignificant. With 20+ Bandolier security audit files under my belt, though, I have a different opinion. Think about all the...
Blackhat, hardware and trust … software, developers, and attacks
Just a quick update on the happenings here at Blackhat. The good news is that this year the quality of the presentations seems to have improved, or maybe I've just gotten better at choosing interesting sessions. Most of the research that had a direct impact on...
EnergySec Tries A New Type of Information Sharing
Effective information sharing about vulnerabilities, security incidents and other security issues is a hard problem. Most owner/operators are reluctant to share anything that could make them look bad or worse, but these same asset owners see the benefit of receiving...
Falling Off The Wurldtech Bandwagon
Long time and loyal blog readers know that Digital Bond and myself personally were early supporters of the Achilles test platform and protocol stack certification. In fact our vocal support even resulted in a contract to help create the Achilles Level 1 Certification...
Control System (HVAC) incident at Carrel Clinic
We have another control system incident in the news that will surely fill up slidedecks for the next decade. News became public yesterday of the arrest of a security guard involved in a compromise of the HVAC system, and likely the rest of the hospital network, at...
Beta Release: SCADA IDS Preprocessors
We are pleased to announce the beta release of some Quickdraw software components today. Quickdraw is a Digital Bond research project funded by the US Department of Homeland Security (DHS). This beta release is the first three SCADA IDS preprocessors that were the...
Virtualization a Reality in Control Systems
We have been blogging about the benefits of virtualization in control systems. Asset owners have been reluctant to embrace virtualization until it was blessed by the vendor, and this is understandable. A few vendors have been working on virtualization support, and the...
NERC CIP, Low Hanging Fruit and the Weak Link
The NERC CIP cyber security work in the electric sector has been fast and furious as deadlines approach, as have the comments on the value, or lack thereof, of this effort. I am very confident in the following two conclusions based on working with many of the asset...
How unique is the code in critical systems?
Oftentimes those involved in operating critical infrastructure are given a false sense of security when looking over the daily stream of vulnerability disclosures and patch information, as these feeds/lists seldom seem to contain anything specific about their...
Developer Liability
Recently, two members of the European Commission, Viviane Reding and Meglena Kuneva, proposed that the European Union's (EU) consumer protection rules for physical products be extended to software. This expansion of the consumer protection rules to include software...
Code Quality in Critical Systems
This is a little deviation from our usual critical systems, but considering it is a tool that heavily influences whether a guilty person goes free or an innocent one goes to jail it seems critical to me. In the State v. Chun case the defendant argued for analysis of...
Legislative Utopia
George Will wrote an interesting column on the folly of government pursuing rules and executive actions to achieve impossible goals. Here is the key paragraph in the typical Will style: Gulliver's travels took him to the Academy of Lagado, where "professors contrive new rules...
Secure Windows
Yes, you read the title correctly. There is a new and improved security driven version of Windows being distributed. The National Institute for Standards and Technology, the Defense Information Systems Agency and the Center for Internet Security consulted on this...
Optimal Security Configuration
Some observations after going through the tedious process of creating and modifying Windows service policy checks for an upcoming Bandolier release... 1.) The value of the OS-level audit files is different than I first thought. I blogged about this last year after...
Portaledge: Detecting Cyber Attacks
Portaledge is Digital Bond's control system security research project funded by the US Department of Energy. We recently issued the first release and are nearing the second, so this is a good time to discuss with practical examples, what Portaledge is, how it works,...
Quickdraw Update: Preprocessors and Detection Plugins
It’s been a little while since we've had a Quickdraw update, and I wanted to fill everyone in on how we're doing and the approach we're using. As we've described before we're basing the project on the snort 2.8.x tree, and we could do much of the processing and...
Malware, Viruses, and Attackers hopping networks
Many of us in the Control System community feel pretty secure in the belief that our critical networks are not directly connected to the internet, and as such are insulated from attack. Apparently (and as oft has been stated) this is not sufficient protection, if the...
Thoughts on DHS ICSJWG
Two weeks ago I was fortunate, along with about one hundred others, to be invited to an initial planning meeting of DHS's Industrial Control System Joint Working Group [ICSJWG]. Here are some thoughts after a few weeks to ponder what happened there. ICSJWG is going to...
Assante Throws Down the Gauntlet on CIP-002
NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all...
Conficker beFUDdlement
I'll start off by saying don't believe all the FUD that's been going around; we all know how many members of the media are when they get hold of a story, especially one that can have a date in the future to speculate on. That said, there are definitely some...
Applying Ockham’s Razor to Control Security
An IM discussion with Jason Holcomb in regards to his recent post set my mind in motion. English philosopher/logician William Ockham postulated in the 14th century (quoting Wikipedia) "When multiple competing hypotheses are equal in other respects, the...
No More Free Bugs?
The disclosure debate is raging once again and it's even seeing some discussion on the SCADA mailing lists. This was stirred up by the No More Free Bugs "campaign" announced at CanSecWest by Miller, Sotirov, and Dai Zovi. Accomplished guys and names that should at...
Does More Technology = Inherently More Secure?
How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?". I wanted to point this one out for a couple of reasons. First, it's a decent high level treatment of the topic. Even though it starts out with the doomsday scenario, alternate viewpoints are included...
Whitelisting in Control Systems
As Jason Holcomb noted on this blog a few weeks back, there is a growing interest in applying the practice of whitelisting to control systems. In whitelisting a set of known "good" applications is created and maintained, and only applications from that list are allowed...
Risk Management – or – Not All Risks Are Equal
There is a dangerous theme I'm hearing more and more from a variety of sources that every possible risk must be reduced immediately, right now. And if you are not doing this Mr. Asset Owner you are in security denial and being irresponsible. First this is not...
No Budget Security Ideas
I've talked to a few people recently who have control system security responsibility but are on a very tight or non-existent budget. Some things, like the network taps that we discussed recently, do have significant cost but there are many basic security steps that...
Langner Awareness Demonstration Tool
Ralph Langner, who is on our top ten list, always has some interesting tools or information when we talk. Recently he showed me an application Langner Communications uses when having difficulty convincing asset owners they should worry about security. It is a simple...
0Days and iDays
It's always a pleasure to talk with Ralph Langner of Langner Communications at S4. He is a leader and independent control system security voice in Europe. Ralph has developed some interesting tools to demonstrate vulnerabilities and lack of security that I hope to...
Inauguration Security: Lessons Learned
As most of us know, yesterday hundreds of thousands of people converged to witness the swearing in of the 44th president of the United States, Barack Obama. My television was on in the background yesterday, and my radar couldn't help but pick up on some of the details...
Patching Beyond Microsoft
Oracle released 41 security patches this week for a variety of their products. Ten of the patches were for the Oracle database -- that by the way is used in many SCADA and DCS servers. We have seen great progress with vendors testing and certifying Microsoft patches...
Are the Bandolier Security Audit Files Making the Grade?
Based on the reviews from early adopters, the Bandolier security audit files exceeded many expectations in 2008, including my own. We have received some very encouraging feedback from vendors, asset owners, consultants, and even our own assessment teams. With each new...
Latest Research On Embedded System Security
Embedded device security is a topic that many will dismiss, in favor of more popular security concerns. I can understand this, to a certain extent, because mainstream press and information outlets often do not cover embedded security. They are focused on the more...
‘Functional’ Programming Paradigm & Control System Security
The gist of discussion on my earlier blog on the "Relative Security of the ARM vs. x86 architectures" can be summarized in two bullets. 1. It is interesting that at least theoretically, a proper Harvard Architecture based chip might provide a better foundation...