2012 Articles
Response to Cyber Issues and a Little Resilience
Recently, a client came to us with a new piece of equipment they wanted to put in their distribution system. A decent way to describe the new protection equipment is transmission relay technology, scaled down to distribution level and combined into a single...
Friday News & Notes
A poignant reminder this week that Safety products and SIL ratings do not consider malicious attacks or even accidental spurious data. The CoDeSys development system is SIL2 certified, and they produce something called CoDeSys Safety that is SIL3 certified. Feel...
CoDeSys IDS Rules Easily Avoided
Locks had "long life" and names written on them. I had a chance to chat with former Project Basecamp lead Reid Wightman about the Tofino/SCADAHacker IDS rules related to his exploit scripts. It was in conjunction with a soon to be released ioActive webinar on the...
PROFINET Fuzzer Released
Roland Koch and students at the University of Applied Sciences in Augsburg, Germany have released a PROFINET fuzzer called ProFuzz. While not a top 3 protocol in the US, PROFINET is the most widely used ICS protocol in Europe, particularly in the manufacturing sector....
SCADA Security Friday News & Notes
The Shamoon investigation by Saudi Aramco, aided by the government's Ministry of Interior, stated “The aim was to stop pumping oil and gas to domestic and international markets”. An article in Al Arabiya goes on to say "The state-owned group which runs all Saudi...
PLC Vulnerability Distractions
ICS-CERT issued an Advisory on Friday titled Rockwell Allen-Bradley MicroLogix, SLC-500, and PLC-5 Fault Generation Vulnerability. This is just a distraction from the PLC insecure by design issue. The impact of this vulnerability is denial of service. You don't need...
Friday News & Notes
GE announced the long awaited successor to the decrepit and insecure D20 -- the D20MX. This time it appears to be real as some asset owners are expecting demo/trial shipments in a matter of weeks. From the site, "Built-in cyber security features such as Remote...
Friday News & Notes
Slow week in the SCADA security world. Siemens announced some new security controls for the S7-1500 line of PLCs. The most interesting feature --"Access protection addresses the problem of protecting the application against unauthorized configuration changes." We...
The Value of Security, And Some History
Last week, Dale had difficult conversations regarding cyber security with two vendors. Apparently, that was the week for vendor interactions, as I had one too. My interaction was with a control system component vendor, attempting to explain the premise of my upcoming...
Wayback Machine: 2003 PLC Blog Post
I'm putting together an intro for an ioActive webinar on CoDeSys with Reid, which will have some good technical information and discussion on the effectiveness of suggested compensating controls. And I'm trying to find some way to point out the complete failure of the...
Unsolicited Response Podcast #2 – Bob Radvanovsky on Project Shine
The Unsolicited Response Podcast occurs whenever events warrant. Late last week I recorded an interview with Bob Radvanovsky who is the owner of SCADASEC and one of the leaders of Project Shodan Intelligence Extraction (Project Shine). Project Shine has found over...
Friday News & Notes
Register Now for S4 2013 - Awesome Research This Year. NextGov reports the US National Highway Safety Traffic Safety Administration plans to "'conduct rule-making ready research to establish electronic requirements for vehicle control systems' in everyday cars....
Two Siemens Hacking Sessions Added To S4 Agenda
Keep track of the latest S4 updates on our S4 site. We have two great new additions to the S4 2013 agenda. Both happen to involve the Siemens WinCC / S7 product family. Loyal blog readers have probably heard recently of Positive Technologies whitepaper SCADA Safety in...
Two Conversations Last Week
These are typical, illustrative, and sad. Conversation 1: PLC Vendor. A PLC vendor reached out to Digital Bond and encouraged us to share any results we found on their systems with them. He said they were very interested in security and understood they needed to do...
Friday News & Notes
EnergySec has formed the Publicly Accessible Control Systems Working Group (PACS-WG) to try to track down and remove Internet accessible devices identified in Project Shine and elsewhere. The kickoff webinar is next Friday. Eric Byres and Tofino have teamed with Joel...
Siemens – Time For Code Review / SDL
I spoke recently with Kelly Jackson Higgins of Dark Reading about the number of vulnerabilities being found post-Stuxnet. This obviously is due to the increased attention from researchers and hackers. The data also shows some vendors and products have a steady...
Malware Forum Logs from Control Systems, Part Deux
Last September, I did a guest blog post titled "Online-Malware-Support-Shows-Infected-ICS-Computers", where I searched for HiJackThis posts containing automation software. Basically, there are forums available to users that had been infected with viruses. These users...
Focus on Critical Infrastructure ICS?
All ICS are not created equal --- at least not from an impact to the critical infrastructure. There is a tendency to treat every ICS vulnerability or ICS security issue as a dire impact to a nation's critical infrastructure. Those responsible for securing the critical...
Nmap NSE to Detect CoDeSys Insecurity Issues
Reid Wightman and HD Moore wrote up an Nmap NSE script to detect if your PLC running the CoDeSys ladder logic runtime lacks effective authentication to access the application command shell, transfer files, ... the insecure by design issues covered on the Project...
CoDeSys Publicly Responds, Honest but Sad
It is hard for me to write it any better than 3S, from their site: In general, we do not offer any standard tools in CODESYS which are to protect the controller from a serious cyber attack. Should the offered password functionality suggest such a protection, this was...
Friday News & Notes
A light week of news with most of the US attention deservedly focused on dealing with and recovering from Sandy. SANS highlighted a new international Consortium for Cybersecurity Action (CCA). It's largely based around the top ten / top twenty security controls lists...
C3-ILEX Coordinated Disclosure
ICS-CERT issued an advisory today, C3-ILEX EOSCADA Multiple Vulnerabilities, based on Digital Bond information. I'll tell you a bit more of the interesting story and technical details. We found these vulnerabilities on a client assessment in October 2010. They were...
Japanese Control System Security Center (CSSC)
I had an opportunity to meet with much of the Japanese Control System Security Center (CSSC) team on Tuesday. They are impressively moving out fast on their efforts to build and educate the ICS security community in Japan. The CSSC was established in March of 2012,...
Friday News & Notes
The US Dept of Homeland Security had another reorganization. The Control Systems Security Program is now under the National Cybersecurity and Communications Integration Center (NCIC). This was new to me, Justin Searle of UtiliSec has a two-day course Pentesting Smart...
New Project Basecamp Tools for CoDeSys, 200+ Vendors Affected
Reid Wightman provided one last set of Project Basecamp tools before leaving for ioActive. This latest release is two tools for PLCs running the CoDeSys ladder logic runtime, which is a list of 261 vendors. codesys-shell.py: just like it sounds, you get the CoDeSys...
Oversold? Field Security Devices
I have a problem with field security devices. Well, not really A problem, but multiple problems. 1. Avoiding The Root Cause of Insecurity. There is a tendency in the ICS community, and even among those considered ICS security gurus, to promote building higher walls...
ICSJWG in Review
The ICSJWG meeting was this past week in Denver, and the schedule was packed with great presentations, and speakers with a wealth of experience to share with the ICS community. There was a significant bump in attendance this time around. Attendees were from a...
Friday News & Notes
REMINDER - S4 General Registration Opens on October 24th. See The Agenda Here. Kaspersky's announcement of a new secure SCADA OS was the buzz story of the week. It's an ambitious effort with low likelihood of impact on SCADA and DCS for a variety of reasons. I do like...
Friday News & Notes
Emerson announced that DeltaV DCS deployments will support virtualization in April 2013. They also highlighted the "Smart Firewall", which sounds very similar to the Honeywell CF9 approach. Basically block everything but DeltaV required protocols out of the box. The...
Unsolicited Response Podcast #1 – Brian Ahern, Industrial Defender
Yes, it's a new podcast. The Unsolicited Response podcast will be similar to This Month In Control System Security podcast in format and content, but I have given up the idea of doing it on a regular schedule. The inaugural episode is an interview with Brian Ahern,...
Whack A Mole Secure Software Development
Yesterday Siemens announced new vulnerabilities, and importantly security patches to address the vulnerabilities, for their S7-1200 web application. Some credit is due to Siemens for increased transparency in announcing vulnerabilities and speed in which they...
Friday News & Notes
I recorded the first edition of our new podcast Unsolicited Response this week. Some months will have 1, 2 or 3 podcasts; others will have 0. It will be out on Tuesday and hope you like it as much as the previous This Month In Control System Security. Justin W....
Info Sharing Bubble Burst or Everything Is A Success
I've been a vocal skeptic on information sharing, particularly the US legislative emphasis on information sharing's criticality to make progress in ICS and SCADA security. Yesterday provided a lot of ammunition for my argument. All too often programs are destined to...
EnergySec 2012 Wrapup
Last week was EnergySec's 2012 Symposium. EnergySec is a group with a lot of great energy. The conference was attended by a mix of hackers, former phone phreaks, energy sysadmins, auditors, and executives. The theme this year was, "Stop being...
Friday News & Notes
LAST DAY - Submit your presentation proposal for S4 2013, Jan 16-17 in Miami Beach. Robert O'Harrow of the Washington Post continued his series to make cyber security issues understandable to the average WashPost newspaper reader. This time he covered spear-phishing...
Telvent Compromised!
Brian Krebs breaks a big story in the ICS security world -- Telvent has been informing customers they have been compromised by the Comment Group. Over the past two decades Telvent has dominated the oil and gas pipeline SCADA market. In recent years they have moved...
Pick Your Fall ICS Security Conference
Remember S4 Call For Papers/Presentations Closes This Friday. September / October is a busy week for ICS security events. Joe Weiss just posted the full agenda for ICS Cyber-Security Conference the week of October 22nd in Norfolk, VA (called WEIScon by many). The week...
Germany, Siemens, Stuxnet
Most of the attention, reporting and speculation on Stuxnet perpetrators has been focused on the US and Israel, but what about Siemens and the German Government's possible role in the Stuxnet story? The Siemens and Iran issue came up last week with the Iranian's...
Friday News & Notes
ICS released Version 3.0 of The Roadmap To Secure Control Systems in The Transportation Sector. It's a good primer to transportation sector ICS, which surprisingly includes pipelines. Each sector is defined along with a glossary of key terms. The four goals are very...
Nessus Audit Updates adds Open Ports
Ask and ye shall receive. Tenable quietly updated Nessus compliance checks today, adding some fancy new "Open Port" auditing features. Among other things, new rules mean that your audit files can now check for a list of allowed and denied ports, as well as ensure...
British Smart Meter Economics Analyzed
Ross Anderson (past S4 keynoter) and Alex Henney published a paper on the failed economics of the British smart metering project (UK). They contend that when the economic case didn't work out, the government changed the underlying assumptions until the numbers...
Cloning Devices to meet NERC CIP, An Approach
Owners conducting a NERC Cyber Vulnerability Assessment have a requirement to annually verify ports and services. On Windows and Unix based systems, it is trivial and safe to pull a list of listening ports and the configured services thanks to commands like netstat,...
Friday News & Notes
Industrial Defender announced another industry partnership to provide their security products and services to an ICS vendor -- this time with Telvent. As mentioned in an earlier article, the key factor in determining if this is truly pushing security to customers or...
3 Quick Items From Japan
Attention to DCS and SCADA security continues to grow in Japan. Here are three notes: 1. IPA, a Japanese organization that works with government and industry, has partnered with ISASecure to bring the ISASecure certification program to Japan. Certification is...
No Legislation or Executive Orders Needed
All talk, no action. The various agencies are using only a fraction of the power they have to make a difference in ICS and SCADA cybersecurity. All the potential legislation, executive orders, and political platform stances' only effective purpose is to make people...
Prioritized Patching and You
So you've decided to start a quarterly or bi-annual patch program, you may find yourself thinking: "Do I really need to patch *everything*? What are the highest priority patches that I need to apply for the best risk reduction?" The good news is that a lot of...
Friday News & Notes
The ISA99 Committee created a web page with all the work product in process and links to all of the draft documents. This is fantastic and part of their increased effort to get more people aware of and involved in their activities. Today there are 13 draft documents...
100,000 Vulnerabilities
Guest author Andrew Ginter is the Director of Industrial Security at Waterfall Security Solutions, the makers of hardware-enforced unidirectional security gateways. The popular press cites an "alarming" statistic from time to time - the "dramatic" increase in...
WAGO abandons customers, and 3S dodges bullets (for now)
ICS-CERT made a fistful of updates yesterday. One of them is over a bag of bugs^Wsecurity concerns first revealed by yours truly. This update is a bit odd for a few reasons. Here is my summary of how it relates to my disclosure: the passwords disclosed by me...
ICS Cyber Security, and the Ripple Effect
Adding new security systems and making updates to the control system in the name of cyber security tends to have a ripple effect. Operational processes that were once nearly bulletproof have new or unknown steps, recovery efforts that were previously successful...
Cloudy With A Chance Of Craptacular
Guest author Darren Highfill is the Founder and a Managing Partner of UtiliSec, a consultancy focused on electric power cyber security. Darren has been at the forefront of efforts to secure the smart grid since long before the phrase was coined. Clouds. They...
Friday News & Notes
The US Securities and Exchange Commission (SEC) is starting to crack down on cyber incident and cyber risk disclosures. They recently sent letters to six companies, including Eastman Chemical, asking for more information. This is the type of activity that gets C-level...