The semi-annual Industrial Control System Joint Working Group Conference is traditionally the best place to catch up with everyone in the ICS Security community. DHS puts on a solid program, and there is a certain feeling you need to be here even though there have...

The mass of vulnerabilities and related proof-of-concept exploit code released by Luigi Auriemma were a new event and test to the ICS world. Let's take a look at the progress one month later - - and it is good news. Siemens First, my prediction that Siemens would not...

Statements by DHS Secretary Janet Napolitano just knocked be off my 12-step program to stop Stuxnet blogging. She was quoted in a Computer World article saying: "The key thing we learnt from Stuxnet was the need for rapid response across the private sector," DHS...

The ICS Security Community had an interesting event, or perhaps a test, this weekend with the false report of a FPL Wind Farm in New Mexico being hacked. So far we know of a similar, but not identical, emails providing details of the hack hoax being sent to three...

The Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) is an academic research effort led by University of Illinois and funded by the US Department of Energy and DHS. And at almost $19M for five years, it is not a small effort. Even prior to this...

Siemens and McAfee announced today that McAfee's Application Control whitelisting product has been tested or modified to work with a variety of Siemens PC-based products that were compromised by Stuxnet. (HT: Smart Grid Security Blog) We have been very critical of...

I'm seeing two trends in the anecdotal evidence collected in 2011 while on-site with asset owners, primarily pipeline SCADA and power plant DCS: ambition in the security program and attention to reasonable computer and network equipment lifetimes. While the sample...

The preponderance of ICS security professionals recoil with the concept of smart phones having any role in SCADA or DCS. As covered in an early blog entry, there is a big difference between using smart phones for control and using them to view data that has been...

I was taken to task in a conversation at the OSIsoft User Conference - - why didn't Digital Bond and others rip into the vendors and ICS-CERT over the response to Luigi and other SCADA security vulnerabilities as in times past? He went on to explain that the ICS-CERT...

The OSIsoft User Conference was bulging at the seams with about 1500 eager attendees, and it seemed like even more. It was a very upbeat group looking for what else they could do with the data they are collecting. User Groups in general are so much more optimistic and...

I have always been amazed by Pat Kennedy and OSIsoft's ability to say no and then the implementation skill to make it pay off. With a dominant installed base in the Energy Sector and significant market share in other process related industries, OSIsoft resisted...

Luigi Auriemma, of yesterday's 34 0day ICS vulnerabilities, was kind enough to answer some questions we had. I would have preferred a podcast, but neither my Italian nor his English allowed that. I have slightly edited his responses for English/clarity, but I've been...

The ICS security community is seeing a lot of new products and advertisements offering the ability to monitor and control your process from anywhere with a smartphone or iPad. The trend is almost certainly going to increase with the growing market penetration and...

The U.S. House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies had another panel/hearing on "Examining the Cyber Threat to Critical Infrastructure and the American Economy". This link has the video of Chairman Lungren's opening...

NERC publishes a monthly Key Compliance Trends presentation that has interesting statistical detail on NERC violations, about half of the violations are CIP. This is actually good, detailed info that someone who is immersed in the NERC CIP could really use to track...

Our last post was on the NERC Cyber Assessment Task Force. Although this is a distraction from the NERC CIP next version, it makes sense for NERC to look at how to detect and isolate an attack on a large segment of the bulk electric system. I'm sure it is just a...

We had a note on the new NERC Cyber Assessment Task Force in the Friday News and Notes blog. Here's some more information and thoughts based on the Powerpoint from the CATF conference call. "The primary intent of the CATF is to consider the impact of a coordinated...

One of the buzzwords and oft stated goals is to develop a successful public / private partnership, and this came up quite a bit at Smart Grid Security East. Perhaps we are mistaken in expecting it to regularly work or even believe that it can be successful in most...

Innominate has a PR type sending around a recent white paper, Post‐Stuxnet Industrial Security Zero‐Day Discovery and Risk Containment of Industrial Malware with the Innominate mGuard Technology. My last info on Innominate was they had a field firewall,...

photo © 2006 Elizabeth Ellis | more info (via: Wylio)Wurldtech issued a press release yesterday announcing Sensus, a company that offers AMI solutions, had achieved the Achilles Practice Certification (APC). The APC is an Achilles certification based on the WIB...

photo © 2008 Purple Slog | more info (via: Wylio)The US Department of Homeland Security Control System Security Program (DHS CSSP) is probably the USG's biggest effort to improve ICS security across the critical infrastructure sectors. But the question was always how...

An interesting but somewhat confusing document was issued this week by the Dept of Energy, Audit Report: Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security. This audit, performed by the DoE Office of Inspector General, assesses FERC's...

photo © 2010 Tactical Technology Collective | more info (via: Wylio) I was really looking for a good news story today after some recent gloom and doom blog entries. Thankfully ICS-CERT issued an advisory today for some fixed ClearSCADA vulns that Digital Bond found...

George Gary Mintchell of Automation World/Feed Forward Blog and I have had a difference of opinion on the Automation Press in a few areas including the kid gloves treatment of Siemens regarding Stuxnet. He has a blog on this titled "Cybersecurity Responsibility",...

It's a great idea for ICS-CERT to write a year in review document, especially with sections on lessons learned. That said it is so disappointing to see ICS-CERT continue to ignore the PLC/RTU ramifications of Stuxnet, fail to acknowledge their serious mishandling of...

A press release from Ember announced the company had record revenues in 2010 and that they shipped 10 million Zigbee chips last year. From the press release: Ember's strong growth was fueled by smart meter deployments worldwide, where Ember's ZigBee chips and software...

One of the many things that I noticed at a plant is that there are no security controls for protecting against unauthorized devices from being connected to the control system servers and workstations.  This had me thinking about the Data Loss Prevention (DLP)...

In my first post on the Attack Surface Analyzer, we looked at the basic function and how it fits into the SDL. For this post, we'll take a deeper look at some of the information the tool provides and a bit about the process used to get that information. As I mentioned...

A major difference in ICS vendor’s security strategies is how much effort they are putting on security throughout the product lifecycle, or their Security Development Lifecycle (SDL). Put another way, how secure is their own code from common programming mistakes that...

Stuxnet continues to be in the news: control system, infosec and general. It is widely covered with fact, theory, analogies and crazy conjecture, with the recent articles comparing the WellinTech vuln to Stuxnet being the latest foolish article and the NYT research...

Roadmap to Secure Energy Delivery was published for comment. It is a revision of the 2006 Energy Sector Security Roadmap that has subsequently been highly leveraged/copied by other sectors. Before diving into the revised Roadmap, let's take a quick look at how the...

A recent ARC Advisory Group analysis of the ABB / Industrial Defender security partnership has me thinking about the different ICS vendor security strategies. I can think of at least four different strategies and will blog on them this week. Let's start with the...

We are back on the Portaledge project, and if our loyal readers remember this year's tasks are to develop the capability for the PI Server to perform the automated security monitoring for CIP-5 and CIP-7. These modules, as will a NERC CIP approach, will work for any...

The activity of disclosed ICS vulnerabilities has increased gradually over the years and significantly since Stuxnet. A quick look at the last five products with published vulns on ICSCERT leads to two easy conclusions: The security community is locating free trial...

The initial focus of Stuxnet was the Windows 0days and impact on the PC's. Slowly people started to focus on the impact to the PLC's and process. But I hadn't heard much about Stuxnet as a new vulnerability exploit platform approach until the Pauldotcom interview with...