2010 Articles

Getting Beyond Passwords

Jason is spot on in his last post on default and easily guessed passwords. Extending Jason's rant a bit here . . . passwords don't work. This isn't news; we all live with the problem and have our own work around because humans can't remember large numbers of...

read more

Will IEC Save ISA99?

ISA99 is one of the oldest and prolific control system security standards groups. They published the first quality technical reports on the topic, and have an ambitious 14 document work plan depicted at the bottom of the post. The working groups are gaining members...

read more

Senate Hearing Notes

Yesterday the Senate Homeland Security and Government Affairs Committee held a hearing on Securing The Critical Infrastructure in the Age of Stuxnet. There were four panelists and here were my notes: Sean McGurk - DHS Acting Director, National Cybersecurity and...

read more

The Automation Press (or Press Release)

I wrote the blog below last weekend and didn't post it because maybe we were suppose to know the article was a press release even though it looked like an "article". Today I received the same article in an Automation World News Insights email newsletter. This is...

read more

Security Takes People

As the year starts to wind down we've been pleasantly surprised at how much progress many owner/operators have made in their security posture. The plants and SCADA systems that have made the most progress have devoted manpower to security. They have people...

read more

Security Assurance Levels – Dream or Possible Reality?

Asset owners want DCS and SCADA security to be at least straightforward and preferably easy, especially when safety and security guys get together. Safety systems have a Safety Integrity Levels (SIL) that specifies the expected dangerous failure rate. So if a system...

read more

Vendor Vulnerability Handling Dry Run

Almost without fail, vendors mishandle their first contact with a security researcher who has found a vulnerability in their product. This problem is not unique to control system vendors, and there are many tales of mishandling including the well documented Core...

read more

Researchers and Disclosure

The change in terms from "responsible" disclosure to "coordinated" disclosure is welcome and wise. The various parties involved, vendor, user, researcher, CERT, will rarely agree on what is "responsible". Maybe there is some agreement at the edges, but determining...

read more

What You Should Know About SHODAN and SCADA

In case you missed it, ICS-CERT issued an advisory about using SHODAN for identifying SCADA components connected to the Internet. The advisory covers the issues and the IT news outlets are picking up the story as well. Rather than echo that information or complain...

read more

Why Will HSIN Work?

The concept of information sharing among a community of vetted users is appealing - - and it has been tried numerous times. Back in the '90s when InfraGard started membership grew quickly at the promise of getting threat and attack information from the US Government....

read more

WIB Vendor Security Certification Process

My previous blog on Version 2 of the WIB Security Requirement for Vendors reads a bit like a security assessment report. While it highlights some positives, most of the details are on the deficiencies. To be clear, it is one of the better documents in this space and...

read more

ICS-CERT: Stuxnet Lessons Learned

I was tough on ICS-CERT's performance on Stuxnet in an earlier post. Now ICS-CERT is reaching out to a number of people in the control system community, including Digital Bond, to get some candid feedback on what they need to do differently or better. There is likely...

read more

WIB Security Requirements for Vendors – Take Two

Back in April we reviewed Version 1 of the WIB/Wurldtech/Shell Process Control Domain - Security Requirements for Vendors. While it was a useful guideline document, it had major problems that needed to be solved before it could be used for a vendor certification...

read more

Langner Focuses on PLC Impact of Stuxnet

Ralph has an open letter to Symantec up on his site. While I've been known to point out a failure from time to time in this blog, I think in this case Ralph is unnecessarily rough on Symantec who has done fantastic work on Stuxnet. However if you ignore the "You fail...

read more

Walt Boyes Analysis / Smack Down of ISA 100

If you have been thinking ISA 100 is the future wireless standard for control systems, you must read Walt Boyes analysis that the battle is over and Wireless HART has won. The tone and tenor of presentations I have been hearing for years is that ISA 100 is ready for...

read more

Emerson Delta V Team Steps Back In Time

I learned via @jimcahill of Bob Huba's presentation on a new smart firewall offering at the Emerson Delta V Global User Exchange and was eager to learn more. An article on ControlGlobal has limited details on it, but more interesting was the step back in time by...

read more

What Regulation Would Help?

Jason touched on the growing frustration with NERC CIP, and the realization that in many ways the CIP mandated compliance focus is actually impeding security progress. Joe Weiss has led the charge that CIP should be replaced with NIST SP800-53, but this comes as the...

read more

Symantec Posts Most Detailed and Best Stuxnet Analysis To Date

Symantec posted yesterday the definitive analysis of Stuxnet to date. It's long, detailed, easily understood and overall a fantastic piece of work. Evidently they were holding this detail for a conference on the 29th and even more detail will be available in a white...

read more

Stuxnet – Big Picture

One more Stuxnet post before we move on. A few different issues and thoughts to cover so I'll number them. 1. ICS-CERT Failed The Biggest Test Yet The community expected ICS-CERT to lead not follow far behind in informing us about control system security...

read more

Stuxnet Target Theory

Ralph Langner has posted even more technical data on Stuxnet, breaking down the technical info so it can be more easily understood. For example, "if the return from FC1874 is 'DEADF007", original code is skipped". He also theorizes the target is the Iranian Bushehr...

read more

Stuxnet – Fingerprinting A Specific Target

This is going to be a Stuxnet week with more information and some larger issues, opinions and questions to follow. How did Ralph Langner and his team determine Stuxnet was targeted at a specific target and process? Well first of all it helps a great deal to have...

read more

Stuxnet – The Siemens Affect

You can’t wrap fire in paper. Once the Stuxnet malware was available, it was only a matter of time before someone dug into the code and figured out what it did. Ralph Langner and his team are the best I know on the Siemens’ gear and protocol. It was fascinating to get...

read more

Perfection – Part II

People want a certain and definite solution to a problem, including security. Take these seven steps and you will be secure. Run this tool and you will find all vulns. Buy a product with this certification and you will not be compromised. Unfortunately security...

read more

Waterfall and One Way Security

A small number of vendors are promoting unidirectional network security devices, most notably Waterfall Security Solutions from Israel. [FD: Waterfall has advertised on digitalbond.com] To their credit Waterfall has doggedly pursued the control system security space...

read more

Late Summer Reading: NISTIR 7628

How many of you have downloaded NISTIR 7628: Smart Grid Cyber Security Strategy and Requirements, saw it was 305 pages and put it aside? Maybe you even waded into the first ten to twenty pages and read a lot of general statements and gave up. Well if you have some...

read more

We Will Never Be Perfect

Some of the post Stuxnet discussion, and even much before it, has the premise that we need to improve security so this type of attack can never be successful. That if we just all do the right things control systems will be impenetrable. When we see unpatched systems,...

read more

Legislative Outlook for Control System Security Registration

Patrick Coyle writes the Chemical Facility Security News blog and tweets @pjcoyle. His blog is my go to resource for all things chemical security, and Patrick also does the hard work of tracking all of the control system security legislation. Patrick was kind enough...

read more

Siemens Roller Coaster Response to Stuxnet

The Siemens response to Stuxnet has been like a roller coaster. It started diving low with limited information and bit of blame shifting as most organizations facing a vulnerability for the first time do. [Siemens is huge and obviously other parts of Siemens are well...

read more

What Do VxWorks Vulns Mean?

HD Moore recently published a blog entry highlighting some serious vulnerabilities in VxWorks - - an operating system used by a number of field devices in SCADA and DCS. What does and doesn't this mean? This has little or no impact on the security of control system...

read more

How Should We Treat Cyber Incidents

Joe Weiss has been been conflating Cyber Incidents with Cyber Security Incidents for a while now, primarily by leaning on the NIST FIPS-200 definition of an Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or...

read more

Dept of Energy Peer Review

Last week I attended, presented and tweeted at the Dept of Energy Cybersecurity For Energy Delivery Systems Peer Review. The idea is DoE funds all these research projects, and they would like a group of owner operators and other industry guru's to help determine if...

read more

Trojan Targeting Siemens and APT Thoughts

Pay attention to the P in Advanced Persistent Threat [APT]. Most of the attention paid to the trojan with a payload targeting Siemens control system applications has been on the Advanced nature of this malware. And that attention is warranted because there has not...

read more

Ex-FERC Chair Kelliher with Interesting FERC/NERC Comments

Joseph Kelliher was the Chairman of FERC from July 2005 - January 2009 so he had a front row seat to the NERC ERO / FERC / Congress issues and enough time to get perspective from outside the FERC bubble. On April 28th he gave a speech at an Energy Bar Association, and...

read more

Perfect Citizen

A few thoughts on the Perfect Citizen project by NSA. First, it is unclear what Perfect Citizen is. The news reports said the program would places sensors in the critical infrastructure to detect cyber attacks. NSA says "Perfect Citizen is purely a...

read more

Recovery

A common fault in control system security programs is in recovery of cyber assets. The redundancy gives a false sense of security, and the questions "can you rebuilt this server" or "when was the last time you rebuilt this server" often go back to the vendor initial...

read more

Economist Article on Cyberwar

The Economist Magazine has a 2744-word cover article on "Cyberwar". Like most articles in this publication it is balanced and presents the issues well. They have both Richard Clarke with his alarms and Bruce Schneier calling scaremongering. There is nothing that...

read more

Emergency Remote Access Clarification / CIP

NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said,...

read more

The CIP Effect Curve

Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and time to answer that question now. Like most things in life, it is not a simple yes or no. It is affected by an organizations previous efforts on...

read more

A New Competitor? DHS?

Matt Olney from Sourcefire has a lengthy editorial on the Lieberman-Collins Protecting Cyberspace As A National Asset Act. I haven't read the 197 page bill cover-to-cover, but did glance at the sections that Matt highlighted in his editorial. What was a bit jarring...

read more

ISASecure: Docs on Testing Tool and Lab Accreditation

ISA's ISASecure has been working on an Embedded Device Security Assurance certification. We have previously reviewed, see links at the bottom of the post, the Functional Security Assessment and Software Development Security Assessment documents that represented two...

read more

NERC High Impact Low Frequency Report

If you don't have the time to read a 120 page report, take a quick look at the 19 report overview slides. A true, directed cyber or blended attack is what makes risk management for control system cyber security so difficult. Talk to an moderately skilled hacker with...

read more

A Peek Into A Control System App Assessment

We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications. Recently Daniel spent a couple of days black box testing a widely used control system application...

read more

Smart Grid Expectation Problem

We could be looking at highly successful Smart Grid program results that are viewed as failures because of improperly set expectations. Let me explain. After Distributech in March, I blogged some thoughts on where Smart Grid stood and what the future might bring. It...

read more

Cellular Modem Use Without Risk

Loyal blog readers know we have been talking about and tracking the increased use of cellular modems in SCADA systems. These are often accessible from the Internet, almost always accessible by other users with service from the same cellular company, and so far always...

read more

Why Bother With Aircraft Systems?

That was the question Ralph Langner asked in a comment on a Friday News and Notes item, and then he and Michael Toecker had an interesting back and forth. Here is my two part answer. 1. Because when you have an IP network, a small segmented island can intentionally or...

read more

Code signing, misconceptions and realities

Code signing is a security feature that has been around for quite some time, and has been proven in many other areas, but is uncommon to find it in any control system component and very rare to find in control devices where firmware uploading is an important...

read more

Speak Up!

I’m about to touch the 3rd rail of control system security - - Joe Weiss. I can’t tell how many times at industry events, dinners, conference calls or any other gathering in the community people, a portion of the conversation turns to griping about Joe. The catalyst...

read more

Education Question and One Answer

John Saunders with the National Defense University has been one of the most active participants in the control system security education and workforce development area. After seeing him again working on these issues at ICSJWG I wanted to get his view on the best way...

read more

Tofino OPC Firewall in Triconex Module

Byres Security and Invensys have announced a Tofino Firewall module for the Triconex Safety System. It looks an industrial device and has similar environmental specs, -40 to 70C, Class I Div 2 and Zone 2 approved. What is new about this product is OPC application...

read more

UPCOMING EVENTS

S4x24 ... 4 - 7 March 2024 in Miami South Beach

Save the date. For the biggest and most future focused on ICS Security Event.