2010 Articles

ISASecure Embedded Device Security Assurance Certification

Last week the ISCI, after quite a long delay, published draft requirements documents for 2 of the 3 legs of the Embedded Device Security Assurance [EDSA] certification. The Software Development Security Assessment and Functional Security Assessment documents are now...

Portaledge IDS integration

In integrating IDS events into Portaledge one question becomes paramount. Namely: "Which events do we include?" As Portaledge will perform correlation and aggregation on all of the events "fed" to it, choosing a set of events that provides critical network...

Inherently Safer Technology / MTTR II Analogy

I've really been enjoying PJ Coyle's Chemical Facility Security News blog the last few months. An entry this week on the Chemical Security Board's Inherently Safer Technology tied into one of my entries earlier this week on MTTR. Here are the key paragraphs to the...

MTTR: Mean Time To Recovery

The anti-virus update problem provides yet another education and awareness opportunity. Maybe you were skilled or lucky enough that this did not affect your control system at all, or only a portion of the system because of staggered av updates. But if it did, how long...

FISMA / SP800-53 is not Utopia?

The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that...

Real World Example of Why to Stagger AV Updates

Updating anti-virus signatures is important, and we have yet to see an owner/operator consistently and effectively apply the updates manually. So most are now pushing the signature updates out on a periodic and automated basis. [Note the automation is typically...
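
The containment argument for staggering is easy to show in code. The following is an added example, not code from the original post or from any vendor's update tool: hosts are split into waves, and the next wave only receives the signature update if the previous wave still passes a health check. The inventory, host names, OS labels and the "bad signature breaks hosts on one OS build" scenario are all constructed for illustration.

```python
"""Staggered anti-virus signature rollout: constructed illustration.

Hosts are split into waves. Each wave must pass a health check before the
next wave receives the update, so a signature that breaks hosts is confined
to the first (canary) wave instead of the whole control system.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RolloutResult:
    updated: List[str] = field(default_factory=list)
    failed_hosts: List[str] = field(default_factory=list)
    halted_at_wave: int = -1  # -1 means every wave completed


def make_waves(hosts: List[str], wave_sizes: List[int]) -> List[List[str]]:
    """Split hosts into waves of the given sizes; leftovers form a final wave.

    Put the hosts you can best afford to lose (engineering workstations,
    a test HMI) in the first wave, and critical servers last.
    """
    waves, start = [], 0
    for size in wave_sizes:
        if start >= len(hosts):
            break
        waves.append(hosts[start:start + size])
        start += size
    if start < len(hosts):
        waves.append(hosts[start:])
    return waves


def run_rollout(waves: List[List[str]],
                apply_update: Callable[[str], None],
                health_check: Callable[[str], bool],
                max_failed_fraction: float = 0.0) -> RolloutResult:
    """Apply the update wave by wave; stop as soon as a wave exceeds the
    tolerated failure fraction (default: any failure halts the rollout)."""
    result = RolloutResult()
    for index, wave in enumerate(waves):
        for host in wave:
            apply_update(host)
            result.updated.append(host)
        failed = [h for h in wave if not health_check(h)]
        result.failed_hosts.extend(failed)
        if len(failed) > max_failed_fraction * len(wave):
            result.halted_at_wave = index
            return result
    return result


# Constructed inventory (hypothetical host names and OS build labels),
# ordered from least to most critical.
INVENTORY: Dict[str, str] = {
    "eng-ws-01": "winxp-sp3",
    "eng-ws-02": "winxp-sp3",
    "hmi-01": "winxp-sp3",
    "hmi-02": "win2003",
    "historian": "win2003",
    "scada-srv-01": "winxp-sp3",
    "scada-srv-02": "winxp-sp3",
}


def simulate(bad_signature_os: Optional[str], staggered: bool = True) -> RolloutResult:
    """Simulate a rollout. If bad_signature_os is set, the new signature
    quarantines a critical file on every host running that OS build, and the
    host fails its health check afterwards (the constructed failure mode)."""
    broken = set()

    def apply_update(host: str) -> None:
        if INVENTORY[host] == bad_signature_os:
            broken.add(host)

    def health_check(host: str) -> bool:
        return host not in broken

    hosts = list(INVENTORY)
    wave_sizes = [2, 2] if staggered else [len(hosts)]
    return run_rollout(make_waves(hosts, wave_sizes), apply_update, health_check)


if __name__ == "__main__":
    bad = simulate("winxp-sp3")
    print("staggered, bad signature: halted at wave", bad.halted_at_wave,
          "failed:", bad.failed_hosts)
    flat = simulate("winxp-sp3", staggered=False)
    print("unstaggered, bad signature: failed:", flat.failed_hosts)
    print("good signature: updated", len(simulate(None).updated), "hosts")
```

With the bad signature, the staggered run halts after the two-host canary wave and the HMIs, historian and SCADA servers never receive it; pushing to everyone at once breaks all five hosts on the affected build. The health check is the part that deserves the most thought in practice: it should test what the operators care about (the HMI process is running, the historian is collecting) rather than just "the agent reports healthy".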

Good Data / Bad Analysis

The community is very hungry for threat data. So little is available that we crave and devour any bit. Last year saw the resurrection of the BCIT incident database, or some facsimile of it, into the Repository of Industrial Security Incidents [RISI]. This is one of...

Military’s right to return cyber attacks

Yesterday, the Director of the NSA, Lt. Gen. Keith Alexander, now the Presidential nominee to head the new Cyber Command, stated that we should be allowed to counter cyber attacks if we can determine the attacker. Alexander mentioned the US has already responded to...

Control System IT

[I want to try to coin a new term that could be very useful: Control System IT. The discussions on “Operations vs. IT” or “control systems are different than business networks and applications” are legion. And like most long running arguments there is some truth in...

Odd NERC Advisory

NERC issued an advisory on Rockwell Automation PLC/PAC vulnerabilities. It is odd in many ways. 1. There is no new information. This is all old news. 2. So many field devices used in the electric sector have these same or equally important security deficiencies. Are...

Control Systems Security: an Ironic Oxymoron?

After 6 years considering security for control systems I have come to the conclusion that there is very little security in control systems. Sure we can take measures to tighten up the security of the PCs and devices that compose the system, but given the number of...

Distributech Thoughts and Items

We do a lot more work in the generation and transmission side of the electric sector so Distributech is always a welcome show to learn more about the distribution side. And of course this year Smart Grid dominated the show. One very clear positive result from the NERC...

Portaledge and Log Data

As I have started the code for using Portaledge to meet NERC CIP requirements some other security benefits from this process have become apparent. These benefits help to improve security by creating data redundancy and by leveraging the log data through the...

Implementing CIP Security Controls

I have always admired the comments of Michael Toecker on our site and elsewhere, and offered him the opportunity to write an occasional blog entry here when he has something to say. Here is the first of hopefully many from Michael. Many asset owners in the energy...

Portaledge: Moving Forward

Charles and I have generated a set of functions, scripts and documents for producing normalized Security Event Monitor (SEM) output and integrating the output with SEMs. Our target for this release was Tenable's Security Center but the concepts and output will be...

Possibilities of the SheevaPlug

The SheevaPlug 3.0 is a full PC in a tiny package. Featuring a 2 GHz Armada CPU, built-in micro HD, USB, Wi-Fi, high-speed Ethernet and Bluetooth in an approximately 2"x3" "plug in" form factor (no bigger than a lot of laptop power supplies), the SheevaPlug takes up just an outlet and...

Lifeboat Security

A few days ago a friend of mine shared out an old editorial about lifeboats, parodying the objections to civil defense programs in the early 60s, from the Harvard Crimson. People haven't changed much. The same type of arguments brought up time and time again when...

The growing threat of smart phones

A new video out of Rutgers University demonstrates remote control of a rootkit-infected open source Linux-based smart phone that allows the attackers to use the phone as a listening device without the user being aware that the phone is communicating. While not a new...

Fuzzing, practical dumb fuzzing

We’ve had a lot of posts about fuzzing on the blog lately. We’ve looked at the latest technologies and techniques, we’ve talked about fuzzers, intelligent versus dumb, some of the tradeoffs involved with design choices, and in the future we’re going to talk some more...

Software Security – The State of Things

It's RSA Conference time so companies have reports and studies to release. One that I actually found interesting is Veracode's State of Software Security. The data comes from assessment of "billions of lines of codes and thousands of applications." It provides some...

Using Verizon Broadband For SCADA

Yesterday I blogged on the scan results, configuration issues and increasing use of Verizon, AT&T and other carriers' broadband services for SCADA. Today I'll address the question of whether these networks should be used in SCADA systems. Like most security...

SCADA Devices on Verizon and Other Wireless Networks

I'll start with the stats: we found 1,420 Raven Airlink devices in a wireless class B network that any customer with a wireless card from the carrier could access. These are ruggedized devices with Ethernet and serial connectors used for sending monitoring and control...

Don’t Try or Promise The Impossible

One of the rules we try to live by and inculcate with our clients is "don't try or promise the impossible". This is a simple and certainly not brilliant concept to avoid a path doomed to failure and frustration and wasted effort. An example of failing to follow this...

CWE/SANS 2010 Top 25 Most Dangerous Programming Errors

This past Wednesday, SANS and CWE released their 2010 top 25 programming errors list. The list contains many errors that are present in control systems both developed recently or a few years back. For example, Daniel Peck of Digital Bond wrote a paper showing what can...

Changing Life Cycle Expectations

I have had talks with a number of other vendors about how control system life cycles will have to change, and slowly are changing. For a long time it has been buy and install a SCADA or DCS, change it as little as possible for ten to twenty years, and then completely...

Nuclear Industry Cyber Security Regulation 5.71

In January the Nuclear Regulatory Commission issued NRC 5.71 Cyber Security Program for Nuclear Facilities. It is interesting that the NRC took a very NIST SP800 approach specifically using the NIST documents high impact baseline as a starting point. We did not do an...

Reading between the lines of VU#144233

I'm a week or two late on this, but I think that the community as a whole has paid far too little attention to the advisory released a few weeks ago by the folks at C4/CERT, and the response to them by Rockwell. Full disclosure, I have not personally verified these...

Best Way to Fuzz Part 2

A few thoughts after the intelligent comments, additional info, sound and fury: Microsoft is in the very rare top tier of companies spending time and money on security. In gross $ and time probably number 1 and very high on a percentage of security to software...

All your serial are belong to us!

Today's press release from an unnamed company (to protect the innocent of course) has driven me to zombify the tired "all your base" internet meme. In our ever growing drive to trade security for ease of use and convenience you can purchase micro devices...

Observations from the McAfee “Crossfire” Report

Last week McAfee and CSIS released a report titled In the Crossfire: Critical Infrastructure in the Age of Cyber War. Honestly, I dismissed it at first as marketing hype and even took some shots at it on Twitter because of the lack of real data. But they are actually...

Best Way to Fuzz?

There was an interesting discussion and information on what is the "best way from an ROI measure" to fuzz test at the CERT-sponsored Vulnerability Disclosure Workshop in DC this week. It led to some tweets back and forth between Digital Bond alumni Matt Franz and...

747-8/-8F Models and Network Security

Earlier in the week I came across a very interesting article regarding control systems that we normally do not discuss but has a similar issue that we experience in other control system implementations. The FAA recently published a "special conditions" document within...

Oil Companies and APT

There is an interesting story from the Christian Science Monitor regarding attacks on some US oil companies. According to the article, the attackers used the same techniques described at S4 2010 in the keynote speech on Advanced Persistent Threat (APT), given by Kris...

3 Reasons You Should Be Using Credentialed Scanning

Scanning with credentials has opened a new frontier for security assessment. Here's an analogy: traditional vulnerability scanning is like a mechanic evaluating a car just by looking at the outside and listening to the motor run. It's useful but there is so much more...

Juniper Networks Flaw

Late last week a story came out about Juniper Networks routers being susceptible to a remote reboot. Versions of JUNOS and JUNOSe prior to 10.X can be crashed by sending a single packet to an open port on the router. The reboot occurs when a packet with the TCP Header...

Smart Phones as Threat Vectors

The newly appointed "Cyber Security Czar", Howard Schmidt, recently noted that he considers smart phones and such devices one of the largest areas of concern for cyber security, saying "What they've been attacking on the desktop they'll start attacking in our mobile...

Google, Adobe, Timely Info for APT Keynote

We selected Kris Harms from Mandiant to give next week's S4 Keynote on the topic of Advanced Persistent Threat [APT]. This week Google and Adobe announce investigations of some more serious than normal attacks. A couple of key excerpts from the Google blog: In...

SCADA Enhancements for Snort

In mid-December we completed the Quickdraw project which creates security events for legacy PLCs that lack a security event logging capability. In the following weeks I will write a blog series on Quickdraw, but a lot of this work involves adding SCADA preprocessors...

The New Year

Happy New Year to all our loyal blog readers with special thanks to those that contributed through the comments last year. I enter the year with a strong feeling of optimism for the control system community. There is not an irrefutable, or even compelling, set of...
