2011 Articles

Security Is Only a Small Part of Availability

Last week Infosec Island published the article, Report Shows Energy Infrastructure Susceptible to Attack. The article discusses a recent report, The State of IT Security: A Study of Utilities and Energy Companies, issued by the Ponemon Institute. Did we really need a...

read more

Industrial Defender ICS Security Survey

It's difficult to find hard data in the ICS security realm, so Industrial Defenders' recently published survey provides some welcome data points. The survey is officially titled "Managing Automation Systems: Critical Infrastructure Operators' Challenges &...

read more

Guest author Jason Holcomb is a Digital Bond alumnus who is now a Senior Security Consultant for Lockheed Martin’s Energy and Cyber Services group where he is responsible for providing critical infrastructure security consulting services and integrating ICS security...

read more

The Salivating Press

Back in September 2011 2010 Ralph Langner had hard evidence that the Stuxnet code was fingerprinting and attacking a specific process in a PLC. After Ralph announced his findings, and we blogged on them extensively, it was weeks before it got seriously picked up...

read more

DHS ICSJWG Creates Roadmap of Roadmaps

The Energy Sector Cyber Security Roadmap developed by the US Dept of Energy was well received when it first came out in 2006 and was recently revised. Other sectors saw this and it has led to a Water Sector Roadmap, Chemical Sector Roadmap and various other sector...

read more

Advantech WebAccess First on Insecure Products List

ICS-CERT updated their Advisory ICSA-11-094-02A - Advantech/Broadwin WebAccess RPC Vulnerability last week, and inspired us to start our Insecure Products List. The update was short but serious: "Advantech/BroadWin has notified ICS-CERT that a patch will not be issued...

read more

Market Failure, Regulation and the Public’s Right to Know

A number of related issues brought up at ICSJWG have been floating around my head in the long flight to Asia: market failure, regulation and the public’s right to know. At ICSJWG a friend reminded me that in his S4 keynote Dr. Ross Anderson said that regulation is...

read more

ICSJWG Day 2 and Summary

Previous blog entries have covered Day 1 and the Vulnerability Disclosure Panel. Here is a bit of news from Day 2 and summary thoughts. Summary Thoughts DHS puts on a quality event both in the organization and agenda. It's definitely worth attending if you haven't...

read more

Disclosure Panel at ICSJWG

The reason I attended ICSJWG was I had the surprising opportunity to participate in a vulnerability disclosure panel. Surprising because DHS knew I was likely to be quite critical of certain vendors and ICS-CERT. The panelists had ten minutes for a presentation then...

read more

Duqu Targeting Update

We have been focusing on the Duqu targeting in an attempt to determine what risk, if any, Duqu posed to SCADA and DCS owner/operators. In the last 24 hours there has been more confusion and then some clarity with new bulletins from ICS-CERT and Symantec. Eric Chien of...

read more

Duqu and ICS?

<Embarrassing Update: Duqu not Duku, no excuse, corrected throughout blog> The newly discovered Duqu malware and its relationship with Stuxnet and ICS was the big news yesterday. The ICS-CERT Alert is actually concise and informative. It points out that the Duqu...

read more

Stuxnet Reporting Needs Facts and Attribution

Who created and used Stuxnet? This would be a big story in the mainstream press and the biggest story in ICS security to date by far. Unfortunately we have nothing but motive and speculation with almost no hard facts on the culprit -- at least publicly disclosed. A...

read more

665 SCADA Bugs Presentation from DerbyCon

Terry McCorkle's presentation at DerbyCon, 100 Bugs in 100 Days: An Analysis of ICS (SCADA) Software is available online. He did this research in his spare time with Billy Rios, and it is informative technically and culturally. The research focused on freely...

read more

Smart Move: NERC Changes CIP Violation Handling

(Following NERC security is a full time endeavor these days. To that end, digitalbond.com is looking for a NERC correspondent. Ideally this would be someone who follows NERC security as part of their job, has the ability to comment publicly, and has some opinions and...

read more

How Should ICS-CERT Handle Insecure By Design?

There was first shock and then sympathy for ICS-CERT Acting Director Marty Edwards’ statement at WeissCon that only software bugs are treated as vulnerabilities by ICS-CERT. The important converse of this statement is any exploitable security weaknesses that are...

read more

Microsoft EMET and Chem Sector Architecture

Last week two ICS security related offerings were highlighted by Microsoft, one old and one new. Kevin Sullivan suggested again that ICS vendors with legacy applications running on any version of Windows look at the Enhanced Mitigation Experience Toolkit (EMET)....

read more

Major Energy Sector Roadmap Update

In 2006, the US Dept. of Energy issued an Energy Sector Security Roadmap with specific goals and milestones. We scored the progress on the roadmap in an earlier blog, and it did drive DoE's research funding and other efforts in the intervening years. This month the...

read more

Luigi Vulnerabilities II

Italian researcher Luigi Auriemma has released another set of vulnerability advisories and proof of concept exploit code for a variety of ICS products. He is finding overflows on the proprietary services the vendors are writing. You hear often in ICS, "don't scan it...

read more

3-Star Review for Teumim/ISA VERY BASIC Pamphlet

Dave Teumim's Industrial Network Security, published by ISA, is a very basic, very short book that does a good job of introducing cyber security to an ICS manager with zero security experience. This "book" really is more of a pamphlet. It's 130 pages long with...

read more

Motivation and Goals for Project Basecamp

RLast week I introduced our Project Basecamp - Hacking PLC's. This will be the Digital Bond paper at S4. There have been a number of questions of what we are doing, why we are doing it, what disclosure process we will follow ... I'll start with the why in this entry,...

read more

3-Star Book Review: Knapp’s New Industrial Network Security

Eric Knapp's book Industrial Network Security shipped this month and is also available for the Kindle. It is a tough book to review because the quality and accuracy was very uneven. As compared to other ICS Security books available today, grading on a curve, it...

read more

Belden/Hirschmann Buys Byres Security/Tofino

ICS specific security sales are still a very small market, but today probably the biggest player in that niche, Byres Security, was purchased by Belden. Byres' Tofino firewall and related security technology will most likely reside in the German based Hirschmann arm...

read more

Project Basecamp – Hacking PLC’s

After reminding everyone of the Sept 18th deadline for the S4 Call For Papers earlier today, I thought it would be a good time to provide some details on the Digital Bond paper that will be presented at S4. We are calling Project Basecamp. The Basecamp presentation...

read more

Pike Research: ICS Security Market US$4.1B?

Utility Investment reports that a new Pike Research study, Industrial Control System Security, estimates the ICS Security market to total $4.1B between 2011-2018. Hooray, we are all going to be rich. The article nor the Pike Research site provides detail on how this...

read more

Nothing Changed: Black Hat’s Impact on ICS Security

Siemens is a marketing genius (evil genius?). At Black Hat, the mistreated researcher actually thanks Siemens, praises Siemens and lets “Siemens” speak about how much they care about security. I hear rumbling through the crowd that isn’t it great that Siemens is here...

read more

Langner Book Review: Robust Control System Networks

It would have been easy for Ralph Langner to write a first hand book on the twists and turns of the Stuxnet story. Instead, he goes in a completely different direction by writing essentially an engineering practices book, Robust Control System Networks. And it is one...

read more

RTP Controller Achieves ISASecure Level 2 Certification

Back in June, Honeywell's Safety Manager was the first product to achieve ISASecure's Embedded Device Security Assurance (EDSA) certification. It was certified to meet Level 1, the basic level. Level 1 is a significant accomplishment most PLC's and other controllers...

read more

Can INL Perform as ICS-CERT? No

ICS-CERT may be relieved the spotlight has been focusing on Siemens as their performance and information provided in the Stuxnet and Beresford vulnerabilities has been consistently late and of little or no added value. This makes no sense given the quantity and...

read more

Beresford @ Black Hat: Guru’s, Politics and ICS Response

Dillon Beresford of NSS Labs finally went on stage to discuss the multiple vulnerabilities he has found in the Siemens S7 PLC's. In Part 1 of the report, I'll go into the details of the attacks as I understand them. Note that Siemens customers are still not receiving...

read more

PLC’s: Insecure By Design v. Vulnerabilities

While significant progress has been made in securing ICS workstation and server components over the last ten years, almost no progress has been made in securing PLC's and other field devices. Now with researchers / hackers of all hat colors, as well as more malicious...

read more

Making Sense of Siemens Vulnerability Conflation/Confusion

My point: we have multiple Siemens vulnerabilities affecting multiple Siemens products and little clarity from ICS-CERT or Siemens on the totality of the vulns, the impact or the affected products -- or what is queued up and ready to come next as soon as Wednesday!...

read more

Siemens S7 Honeynet?

Digital Bond released a high interaction / very realistic SCADA Honeynet a few years back. Actually a better name would be a PLC Honeynet because it appeared to be a Modicon PLC. It has a points list with realistic values from an actual PLC that can be accessed via...

read more

Industrial Defender Prices New Service By MW

Industrial Defender, an ICS security products and services vendor, issued a press release announcing three new security services for power plants: Monitor, Manage and Protect. What is novel about the offering is the pricing model. Pricing is based on the megawatts of...

read more

Process Failure Issues – Add Compromise To Troubleshooting

Michael Toecker started an interesting, if slightly disingenuous, thread on control.com. He asks for approaches to the following problem: You've been experiencing periodic failures of equipment that is important in the reliable and successful completion of your...

read more

Diverging Views on NERC CIP Flaws

I have yet to meet anyone, who is not on the NERC payroll, who believes that the CIP standards are resulting in anything close to effective and efficient improvement in the bulk electric system's security posture. (Even ex-NERC and regional entity employees who were...

read more

What’s Worse, Incompetence or Deception?

Yesterday Dillon Beresford announced and ICS-CERT confirmed that the Siemens' S7-200, S7-300 and S7-400 families of PLC's suffered from the same replay vulnerability as the S7-1200. Siemens had not announced this even though they have had the information for over two...

read more

ICS Security Training

This week I'm teaching our updated three-day course on Control System Security for Control System Engineers for a client. One thing I learned from my experience teaching at Infosec Institute more than five years ago is it is very hard to make an interesting course for...

read more

Siemens Security Tap Dance or Reality?

This week Siemens held its Automation Summit in Orlando, and security was heavy on the agenda. In an earlier blog I took to task Byres, Langill and other security guru's, really top notch talent, for providing cover to a poorly performing vendor by attending,...

read more

Cyberwar Rules and Law

The Iranian Supreme National Security Council has called for the "International Atomic Energy Agency (IAEA) to form a fact-finding committee to detect agents involved in nuclear terrorism and operation of Stuxnet computer worm to attack nuclear industry". The majority...

read more

ICS Vulnerability Prioritization Problem

My Point: The ICS vulnerabilities being found and trumpeted have little impact on SCADA and DCS that run the critical infrastructure. Somehow we need to get the increased effort to identify vulnerabilities focused on the critical ICS applications and components....

read more

The “It Won’t Stop Stuxnet” Fallacy

We are hearing more and more that a particular security control is inadequate or not worthwhile because "it would not have stopped Stuxnet". This has come up in numerous comments on this blog and in other places, such as my friend Jake Brodsky's blog entry. If we are...

read more

Fix The Problem, Stop Bailing Out Vendors

My point -- we, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data sent...

read more

Stop Talk – Make A Star

While acting with the best of intentions, DHS and Siemens persuading Dillon Beresford to drop his talk "Chain Reaction: Hacking SCADA" talk at Takedown last month has backfired. My favorite tweet on the subject is: This is so true, like the "coverup is worse than the...

read more

Time to Replace SecurID Tokens?

A significant percentage of ICS owner/operators use SecurID tokens for strong, two-factor authentication for remote access. Similar to the IT space, it has the largest market share by far. With the recent hacks of RSA and Lockheed, it is time to reconsider if you can...

read more

The Lost Decade

Digital Bond performed its first SCADA security assessment in 2000. The 9/11 attacks that supposedly changed everything in critical infrastructure security occurred in 2001. Yet as we have chronicled in this blog, the ICS community as a whole is still amazingly...

read more

DHS Updates Best ICS Vuln Statistics Available

In 2008 DHS issued the first edition of Common Cybersecurity Vulnerabilities in Industrial Control Systems based on 15 ICS security assessments of either products or deployed systems they performed from 2004 to 2008. They just released an update to this document that...

read more

WAKE UP!!! PLC’s ARE VULNERABLE!

Trying a new, blunt method of communication because numerous blog entries, presentations and papers just aren't getting through. Please read and reread the following paragraph: If you have network access to almost any PLC, RTU or other type of field device, then you...

read more

Senate Looks At White House Cybersecurity Proposal

The Senate Committee on Homeland Security & Government Affairs held a hearing on the recent White House legislative proposal on Cybersecurity. Pay attention to this as it would have a big impact on the most critical infrastructure, and there have been efforts to...

read more

Researcher Talk Pulled, When Will Siemens Talk?

Yesterday Dillon Beresford cancelled his talk and demonstration titled Chain Reaction: Hacking SCADA at the Takedown event after a discussion with DHS and Siemens. Wired has an article with the details which includes the Beresford quotes “Based on my own understanding...

read more

White House Proposed Legislation Would Regulate ICS

Last week President Obama provided a legislative proposal on cybersecurity with a potentially large impact on the ICS community. Actually it is a number of legislative proposals in a single document. A portion of it covers government "evaluation" of critical...

read more

ABB 800xA Virtualization

We have been early and big fans of SCADA virtualization for servers and workstations. Not for the server consultation consolidation benefits that drive most IT virtualization projects. Control systems have a surprisingly small number of servers and workstations so...

read more

UPCOMING EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host. Hopefully some of my Russian followers will be there.

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLC's). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region. 

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lot's to say after the S4x19 ICS Detection Challenge experience.