2011 Articles

ICSJWG Day Two Report

The semi-annual Industrial Control System Joint Working Group Conference is traditionally the best place to catch up with everyone in the ICS Security community. DHS puts on a solid program, and there is a certain feeling you need to be here even though there have...

read more

Luigi Vuln Updates … Good News

The mass of vulnerabilities and related proof-of-concept exploit code released by Luigi Auriemma were a new event and test to the ICS world. Let's take a look at the progress one month later - - and it is good news. Siemens First, my prediction that Siemens would not...

read more

DHS Needs To Point Finger At Self – Not Private Industry

Statements by DHS Secretary Janet Napolitano just knocked be off my 12-step program to stop Stuxnet blogging. She was quoted in a Computer World article saying: "The key thing we learnt from Stuxnet was the need for rapid response across the private sector," DHS...

read more

Oddities in FPL Hoax Emails

The ICS Security Community had an interesting event, or perhaps a test, this weekend with the false report of a FPL Wind Farm in New Mexico being hacked. So far we know of a similar, but not identical, emails providing details of the hack hoax being sent to three...

read more

TCIPG Research Efforts – Updated

The Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) is an academic research effort led by University of Illinois and funded by the US Department of Energy and DHS. And at almost $19M for five years, it is not a small effort. Even prior to this...

read more

Siemens Starts To Step Up To Address Stuxnet

Siemens and McAfee announced today that McAfee's Application Control whitelisting product has been tested or modified to work with a variety of Siemens PC-based products that were compromised by Stuxnet. (HT: Smart Grid Security Blog) We have been very critical of...

read more

Ambition and Refresh

I'm seeing two trends in the anecdotal evidence collected in 2011 while on-site with asset owners, primarily pipeline SCADA and power plant DCS: ambition in the security program and attention to reasonable computer and network equipment lifetimes. While the sample...

read more

Transpara Visual KPI for ICS Data on Smart Phones

The preponderance of ICS security professionals recoil with the concept of smart phones having any role in SCADA or DCS. As covered in an early blog entry, there is a big difference between using smart phones for control and using them to view data that has been...

read more

Boredom / Not Better Limiting Vuln Response Bashing

I was taken to task in a conversation at the OSIsoft User Conference - - why didn't Digital Bond and others rip into the vendors and ICS-CERT over the response to Luigi and other SCADA security vulnerabilities as in times past? He went on to explain that the ICS-CERT...

read more

OSIsoft User Conference News & Notes

The OSIsoft User Conference was bulging at the seams with about 1500 eager attendees, and it seemed like even more. It was a very upbeat group looking for what else they could do with the data they are collecting. User Groups in general are so much more optimistic and...

read more

OSIsoft: No, No, … Yes

I have always been amazed by Pat Kennedy and OSIsoft's ability to say no and then the implementation skill to make it pay off. With a dominant installed base in the Energy Sector and significant market share in other process related industries, OSIsoft resisted...

read more

Interview with Luigi Auriemma of 34 0day ICS Vulnerabilities

Luigi Auriemma, of yesterday's 34 0day ICS vulnerabilities, was kind enough to answer some questions we had. I would have preferred a podcast, but neither my Italian nor his English allowed that. I have slightly edited his responses for English/clarity, but I've been...

read more

Smartphone and iPad Access To ICS

The ICS security community is seeing a lot of new products and advertisements offering the ability to monitor and control your process from anywhere with a smartphone or iPad. The trend is almost certainly going to increase with the growing market penetration and...

read more

Another Subcommittee Hearing . . . Yawn

The U.S. House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies had another panel/hearing on "Examining the Cyber Threat to Critical Infrastructure and the American Economy". This link has the video of Chairman Lungren's opening...

read more

NERC CIP Violations

NERC publishes a monthly Key Compliance Trends presentation that has interesting statistical detail on NERC violations, about half of the violations are CIP. This is actually good, detailed info that someone who is immersed in the NERC CIP could really use to track...

read more

Now ISA Has A Cyber Threat Gap Analysis Task Group

Our last post was on the NERC Cyber Assessment Task Force. Although this is a distraction from the NERC CIP next version, it makes sense for NERC to look at how to detect and isolate an attack on a large segment of the bulk electric system. I'm sure it is just a...

read more

NERC Cyber Assessment Task Force

We had a note on the new NERC Cyber Assessment Task Force in the Friday News and Notes blog. Here's some more information and thoughts based on the Powerpoint from the CATF conference call. "The primary intent of the CATF is to consider the impact of a coordinated...

read more

Public / Private Partnership

One of the buzzwords and oft stated goals is to develop a successful public / private partnership, and this came up quite a bit at Smart Grid Security East. Perhaps we are mistaken in expecting it to regularly work or even believe that it can be successful in most...

read more

Does Innominate Help Against Stuxnet?

Innominate has a PR type sending around a recent white paper, Post‐Stuxnet Industrial Security Zero‐Day Discovery and Risk Containment of Industrial Malware with the Innominate mGuard Technology. My last info on Innominate was they had a field firewall,...

read more

What Does $25M Annually Buy? DHS CSSP Program

photo © 2008 Purple Slog | more info (via: Wylio)The US Department of Homeland Security Control System Security Program (DHS CSSP) is probably the USG's biggest effort to improve ICS security across the critical infrastructure sectors. But the question was always how...

read more

FERC Performance Audit Re: NERC CIP

An interesting but somewhat confusing document was issued this week by the Dept of Energy, Audit Report: Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security. This audit, performed by the DoE Office of Inspector General, assesses FERC's...

read more

Control Microsystems Handles Vulns Professionally

photo © 2010 Tactical Technology Collective | more info (via: Wylio) I was really looking for a good news story today after some recent gloom and doom blog entries. Thankfully ICS-CERT issued an advisory today for some fixed ClearSCADA vulns that Digital Bond found...

read more

Cybersecurity Responsibility?

George Gary Mintchell of Automation World/Feed Forward Blog and I have had a difference of opinion on the Automation Press in a few areas including the kid gloves treatment of Siemens regarding Stuxnet. He has a blog on this titled "Cybersecurity Responsibility",...

read more

ICS-CERT Year In Review Fails To Look In Mirror

It's a great idea for ICS-CERT to write a year in review document, especially with sections on lessons learned. That said it is so disappointing to see ICS-CERT continue to ignore the PLC/RTU ramifications of Stuxnet, fail to acknowledge their serious mishandling of...

read more

Zigbee in Smart Grid – The Fuse Is Lit

A press release from Ember announced the company had record revenues in 2010 and that they shipped 10 million Zigbee chips last year. From the press release: Ember's strong growth was fueled by smart meter deployments worldwide, where Ember's ZigBee chips and software...

read more

Managing and Controlling External Devices

One of the many things that I noticed at a plant is that there are no security controls for protecting against unauthorized devices from being connected to the control system servers and workstations.  This had me thinking about the Data Loss Prevention (DLP)...

read more

MS Attack Surface Analyzer: A Deeper Look

In my first post on the Attack Surface Analyzer, we looked at the basic function and how it fits into the SDL. For this post, we'll take a deeper look at some of the information the tool provides and a bit about the process used to get that information. As I mentioned...

read more

Believe It or Not: Stuxnet Advisories Are Lacking

Stuxnet continues to be in the news: control system, infosec and general. It is widely covered with fact, theory, analogies and crazy conjecture, with the recent articles comparing the WellinTech vuln to Stuxnet being the latest foolish article and the NYT research...

read more

Scoring The 2006 Energy Sector Security Roadmap

Roadmap to Secure Energy Delivery was published for comment. It is a revision of the 2006 Energy Sector Security Roadmap that has subsequently been highly leveraged/copied by other sectors. Before diving into the revised Roadmap, let's take a quick look at how the...

read more

ICS Vendor Security Strategies

A recent ARC Advisory Group analysis of the ABB / Industrial Defender security partnership has me thinking about the different ICS vendor security strategies. I can think of at least four different strategies and will blog on them this week. Let's start with the...

read more

Automating Security Perimeter Monitoring/CIP-5

We are back on the Portaledge project, and if our loyal readers remember this year's tasks are to develop the capability for the PI Server to perform the automated security monitoring for CIP-5 and CIP-7. These modules, as will a NERC CIP approach, will work for any...

read more

Characterizing Disclosed ICS Vulns

The activity of disclosed ICS vulnerabilities has increased gradually over the years and significantly since Stuxnet. A quick look at the last five products with published vulns on ICSCERT leads to two easy conclusions: The security community is locating free trial...

read more

Stuxnet Hints to the Future of Next Gen Vuln Platform?

The initial focus of Stuxnet was the Windows 0days and impact on the PC's. Slowly people started to focus on the impact to the PLC's and process. But I hadn't heard much about Stuxnet as a new vulnerability exploit platform approach until the Pauldotcom interview with...

read more

UPCOMING EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host. Hopefully some of my Russian followers will be there.

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLC's). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region. 

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lot's to say after the S4x19 ICS Detection Challenge experience.