2010 Articles
ISASecure Embedded Device Security Assurance Certification
Last week the ISCI, after quite a long delay, published draft requirements documents for 2 of the 3 legs of the Embedded Device Security Assurance [EDSA] certification. The Software Development Security Assessment and Functional Security Assessment documents are now...
Portaledge IDS integration
In integrating IDS events into Portaledge one question becomes paramount. Namely: "Which events do we include?" As Portaledge will perform correlation and aggregation on all of the events "fed" to it, choosing a set of events that provides critical network...
Inherently Safer Technology / MTTR II Analogy
I've really been enjoying PJ Coyle's Chemical Facility Security News blog the last few months. An entry this week on the Chemical Security Board's Inherently Safer Technology tied into one of my entries earlier this week on MTTR. Here are the key paragraphs to the...
MTTR: Mean Time To Recovery
The anti-virus update problem provides yet another education and awareness opportunity. Maybe you were skilled or lucky enough that this did not affect your control system at all, or only a portion of the system because of staggered av updates. But if it did, how long...
FISMA / SP800-53 is not Utopia?
The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that...
Real World Example of Why to Stagger AV Updates
Updating anti-virus signatures is important, and we have yet to see an owner/operator consistently and effectively apply the updates manually. So most are now pushing the signature updates out on a periodic and automated basis. [Note the automation is typically...
Using Quickdraw, Portaledge, and Bandolier to Remediate an Attack
If a control system is hacked and there are no mechanisms in place to forensically trace the attack, you have no idea how the attack occurred and no clues on what to do to close/remediate the attack pathway. This lack of forensics leaves the system open and vulnerable...
Good Data / Bad Analysis
The community is very hungry for threat data. So little is available that we crave and devour any bit. Last year saw the resurrection of the BCIT incident database, or some facsimile of it, into the Repository of Industrial Security Incidents [RISI]. This is one of...
Portaledge and IDSs: increasing the impact of event monitoring
Charles and I are currently working on adding modules into the Portaledge code base that help asset owners and operators to meet NERC CIP logging requirements (for more specifics on Portaledge and NERC CIP requirements see this previous blog post and the...
Military’s right to return cyber attacks
Yesterday, the Director of the NSA, Lt. Gen. Keith Alexander, now the Presidential nominee to head the new Cyber Command, stated that we should be allowed to counter cyber attacks if we can determine the attacker. Alexander mentioned the US has already responded to...
Control System IT
[I want to try to coin a new term that could be very useful: Control System IT. The discussions on “Operations vs. IT” or “control systems are different than business networks and applications” are legion. And like most long running arguments there is some truth in...
Odd NERC Advisory
NERC issued an advisory on Rockwell Automation PLC/PAC vulnerabilities. It is odd in many ways. 1. There is no new information. This is all old news. 2. So many field devices used in this electric sector have these same or equally important security deficiencies. Are...
Analysis of WIB/Wurldtech/Shell Security Requirements for Vendors
After reading the announcements and hearing the presentation from Wurldtech and Shell at ICSJWG, I was eager to read the WIB document Process Control Domain Security Requirements for Vendors. My understanding going in was this document was going to provide Vendors...
Control Systems Security: an Ironic Oxymoron?
After 6 years considering security for control systems I have come to the conclusion that there is very little security in control systems. Sure we can take measures to tighten up the security of the PCs and devices that compose the system, but given the number of...
Distributech Thoughts and Items
We do a lot more work in the generation and transmission side of the electric sector so Distributech is always a welcome show to learn more about the distribution side. And of course this year Smart Grid dominated the show. One very clear positive result from the NERC...
Portaledge and Log Data
As I have started the code for using Portaledge to meet NERC CIP requirements some other security benefits from this process have become apparent. These benefits help to improve security by creating data redundancy and by leveraging the log data through the...
Implementing CIP Security Controls
I have always admired the comments of Michael Toecker on our site and elsewhere, and offered him the opportunity to write an occasional blog entry here when he has something to say. Here is the first of hopefully many from Michael. Many asset owners in the energy...
Portaledge: Moving Forward
Charles and I have generated a set of functions, scripts and documents for producing normalized Security Event Monitor (SEM) output and integrating the output with SEMs. Our target for this release was Tenable's Security Center but the concepts and output will be...
Possibilities of the SheevaPlug
The SheevaPlug 3.0 is a full PC in a tiny package. Featuring a 2 GHz Armada CPU, built-in micro HD, USB, Wi-Fi, high-speed Ethernet and Bluetooth in an about 2"x3" "plug in" form (no bigger than a lot of laptop power supplies) the SheevaPlug takes up just an outlet and...
Lifeboat Security
A few days ago a friend of mine shared out an old editorial about lifeboats, parodying the objections to civil defense programs in the early 60s, from the Harvard Crimson. People haven't changed much. The same type of arguments brought up time and time again when...
Thoughts on the Comprehensive National Cybersecurity Initiative
As I read the twelve initiatives of the CNCI, I was looking for its strong and weak points. However, I couldn't help but think about the level of effort that was required to produce these nice words on these general thoughts. Is this document and the program around...
The growing threat of smart phones
A new video out of Rutgers University demonstrates remote control of a rootkit-infected, open-source, Linux-based smart phone that allows the attackers to use the phone as a listening device without the user being aware that the phone is communicating. While not a new...
Fuzzing, practical dumb fuzzing
We’ve had a lot of posts about fuzzing on the blog lately. We’ve looked at the latest technologies and techniques, we’ve talked about fuzzers, intelligent versus dumb, some of the tradeoffs involved with design choices, and in the future we’re going to talk some more...
Software Security – The State of Things
It's RSA Conference time so companies have reports and studies to release. One that I actually found interesting is Veracode's State of Software Security. The data comes from assessment of "billions of lines of codes and thousands of applications." It provides some...
Using Verizon Broadband For SCADA
Yesterday I blogged on the scan results, configuration issues and increasing use of Verizon, AT&T and other carriers' broadband services for SCADA. Today I'll address the question of whether these networks should be used in SCADA systems. Like most security...
SCADA Devices on Verizon and Other Wireless Networks
I'll start with the stats: we found 1,420 Raven Airlink devices in a wireless class B network that any customer with a wireless card from the carrier could access. These are ruggedized devices with Ethernet and serial connectors used for sending monitoring and control...
Don’t Try or Promise The Impossible
One of the rules we try to live by and inculcate with our clients is "don't try or promise the impossible". This is a simple and certainly not brilliant concept to avoid a path doomed to failure and frustration and wasted effort. An example of failing to follow this...
CWE/SANS 2010 Top 25 Most Dangerous Programming Errors
This past Wednesday, SANS and CWE released their 2010 top 25 programming errors list. The list contains many errors that are present in control systems both developed recently or a few years back. For example, Daniel Peck of Digital Bond wrote a paper showing what can...
Changing Life Cycle Expectations
I have had talks with a number of other vendors about how control system life cycles will have to change, and slowly are changing. For a long time it has been buy and install a SCADA or DCS, change it as little as possible for ten to twenty years, and then completely...
Nuclear Industry Cyber Security Regulation 5.71
In January the Nuclear Regulatory Commission issued NRC 5.71 Cyber Security Program for Nuclear Facilities. It is interesting that the NRC took a very NIST SP800 approach, specifically using the NIST document's high-impact baseline as a starting point. We did not do an...
Reading between the lines of VU#144233
I'm a week or two late on this, but I think that the community as a whole has paid far too little attention to the advisory released a few weeks ago by the folks at C4/CERT, and the response to them by Rockwell. Full disclosure, I have not personally verified these...
Best Way to Fuzz Part 2
A few thoughts after the intelligent comments, additional info, sound and fury: Microsoft is in the very rare top tier of companies spending time and money on security. In gross $ and time probably number 1 and very high on a percentage of security to software...
All your serial are belong to us!
Today's press release from an unnamed company (to protect the innocent of course) has driven me to zombify the tired "all your base" internet meme. In our ever growing drive to trade security for ease of use and convenience you can purchase micro devices...
Observations from the McAfee “Crossfire” Report
Last week McAfee and CSIS released a report titled In the Crossfire: Critical Infrastructure in the Age of Cyber War. Honestly, I dismissed it at first as marketing hype and even took some shots at it on Twitter because of the lack of real data. But they are actually...
Best Way to Fuzz?
There was an interesting discussion and information on what is the "best way from an ROI measure" to fuzz test at the CERT sponsored Vulnerability Disclosure Workshop in DC this week. It led to some tweets back and forth between Digital Bond alumni Matt Franz and...
747-8/-8F Models and Network Security
Earlier in the week I came across a very interesting article regarding control systems that we normally do not discuss but has a similar issue that we experience in other control system implementations. The FAA recently published a "special conditions" document within...
Oil Companies and APT
There is an interesting story from the Christian Science Monitor regarding attacks on some US oil companies. According to the article, the attackers used the same techniques described at S4 2010 in the keynote speech on Advanced Persistent Threat (APT), given by Kris...
3 Reasons You Should Be Using Credentialed Scanning
Scanning with credentials has opened a new frontier for security assessment. Here's an analogy: traditional vulnerability scanning is like a mechanic evaluating a car just by looking at the outside and listening to the motor run. It's useful but there is so much more...
Juniper Networks Flaw
Late last week a story came out about Juniper Networks routers being susceptible to a remote reboot. Versions of JUNOS and JUNOSe prior to 10.X can be crashed by sending a single packet to an open port on the router. The reboot occurs when a packet with the TCP Header...
Smart Phones as Threat Vectors
The newly appointed "Cyber Security Czar", Howard Schmidt, recently noted that he considers smart phones and such devices one of the largest areas of concern for cyber security. Saying "What they've been attacking on the desktop they'll start attacking in our mobile...
Google, Adobe, Timely Info for APT Keynote
We selected Kris Harms from Mandiant to give next week's S4 Keynote on the topic of Advanced Persistent Threat [APT]. This week Google and Adobe announce investigations of some more serious than normal attacks. A couple of key excerpts from the Google blog: In...
SCADA Enhancements for Snort
In mid-December we completed the Quickdraw project which creates security events for legacy PLCs that lack a security event logging capability. In the following weeks I will write a blog series on Quickdraw, but a lot of this work involves adding SCADA preprocessors...
The New Year
Happy New Year to all our loyal blog readers with special thanks to those that contributed through the comments last year. I enter the year with a strong feeling of optimism for the control system community. There is not an irrefutable, or even compelling, set of...