2012 Articles

Security Updates in a 1-Way ICS?

The good security practice for getting security updates to an ICS is well understood. A server on the SCADA or DCS network pulls the security updates from the ICS DMZ. The ICS DMZ pulls them from the corporate network, which pulls them from the Internet. You will see...
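
The pull chain above works only if each tier treats what it pulled as untrusted until checked. The script below is an added example written for this page, not Digital Bond's or any vendor's code: it models the SCADA-side update server verifying a bundle pulled from the ICS DMZ against a manifest whose SHA-256 the operator pinned out of band (from the vendor's release page, for instance). File names, the `manifest.json` layout and the pinned-digest step are assumptions for illustration; the sample bundle is constructed in a temp directory.

```python
"""
Pull-and-verify staging for a one-way patch path (constructed example).

Model: the lower tier (SCADA update server) has pulled a release
directory from the tier above it (ICS DMZ). Nothing is accepted just
because it arrived: the manifest digest must match a value pinned out
of band, every listed file must match the manifest, and files that are
not listed are refused.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pulled_bundle(upstream_dir, pinned_manifest_sha256):
    """Return {"ok": bool, "accepted": [names], "rejected": {name: reason}}.

    upstream_dir is the pulled directory; it must contain manifest.json
    mapping file name -> hex sha256 (assumed layout for this example).
    """
    result = {"ok": False, "accepted": [], "rejected": {}}
    manifest_path = os.path.join(upstream_dir, "manifest.json")
    if not os.path.isfile(manifest_path):
        result["rejected"]["manifest.json"] = "missing"
        return result
    # Trust the manifest only if it matches the digest obtained out of band.
    if sha256_file(manifest_path) != pinned_manifest_sha256:
        result["rejected"]["manifest.json"] = "digest mismatch against pinned value"
        return result
    with open(manifest_path) as f:
        manifest = json.load(f)
    listed = set(manifest)
    present = {n for n in os.listdir(upstream_dir) if n != "manifest.json"}
    # Anything not in the manifest is refused even if it hashes fine.
    for extra in sorted(present - listed):
        result["rejected"][extra] = "not in manifest"
    for name in sorted(listed):
        path = os.path.join(upstream_dir, name)
        if name not in present:
            result["rejected"][name] = "listed but missing"
        elif sha256_file(path) != manifest[name]:
            result["rejected"][name] = "sha256 mismatch"
        else:
            result["accepted"].append(name)
    result["ok"] = not result["rejected"]
    return result


def build_demo_bundle(tamper=False):
    """Construct a sample bundle plus its pinned manifest digest.

    With tamper=True one payload is swapped after the manifest was
    written and an unlisted file is dropped in, simulating a compromised
    upper tier.
    """
    d = tempfile.mkdtemp()
    files = {"kb-patch.msu": b"good patch bytes", "av-sig.dat": b"signature db"}
    for n, data in files.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(data)
    manifest = {n: hashlib.sha256(data).hexdigest() for n, data in files.items()}
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    pinned = sha256_file(os.path.join(d, "manifest.json"))
    if tamper:
        with open(os.path.join(d, "kb-patch.msu"), "wb") as f:
            f.write(b"swapped")
        with open(os.path.join(d, "extra.exe"), "wb") as f:
            f.write(b"uninvited")
    return d, pinned


if __name__ == "__main__":
    good_dir, pin = build_demo_bundle()
    print(verify_pulled_bundle(good_dir, pin))
    bad_dir, pin = build_demo_bundle(tamper=True)
    print(verify_pulled_bundle(bad_dir, pin))
```

The same check runs at every hop (DMZ pulling from corporate, corporate pulling from the Internet); a pinned digest or a vendor signature verified on the pulling side is what makes "pull only" mean something beyond firewall direction.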

India, Cybersecurity, and the 2012 Blackout

On July 30th, 2012, the northern region of India had its worst blackout in history, and then again the next day. By number of customers affected, it dwarfed the 2003 Northeast Blackout by ~570 million people. In response, the Indian government created a four person...

Aramco and ICS Isolation

Saudi Aramco admitted that about 30,000 computers had been infected with malware known as Shamoon. They were quick to point out that "its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems....

Friday News & Notes

The LOGIIC (Linking Oil & Gas Industry to Improve Cybersecurity) won the U.S. DHS Science & Technology Directorate Under Secretary’s Award for Outstanding Collaboration in Science and Technology. According to Automation.com "the award is presented...

ISASecure – Promising Yet Misleading

ISA announced yesterday that the Honeywell Process Solution's Experion DCS controller and Experion Field Integration Module (FIM) have achieved ISASecure Embedded Device Security Assurance certification. This is good news that the ISASecure certification is getting...

More RuggedCom Woes

Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom devices yesterday. This time, Justin took a different tack with the device firmware and showed that all products use the same SSL private key, hard-coded in the firmware. This is fairly...
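
A shared private key is easy to check for once you have the firmware images in hand, and it is worth doing for any embedded product, not only RuggedCom's. The script below is an added example written for this page, not Justin Clarke's tooling or anything from the vendor or ICS-CERT: it carves PEM private-key blocks out of raw images, fingerprints each by the SHA-256 of its decoded DER (so line wrapping differences do not matter), and reports fingerprints that turn up in more than one image. The sample "firmware" blobs and the PEM envelopes inside them are constructed placeholders, not real keys.

```python
"""
Carve PEM private keys out of firmware images and flag keys shared
across images (constructed example).
"""
import base64
import hashlib
import re
from collections import defaultdict

# Matches an unencrypted PEM private-key envelope; the backreference
# forces the END label to match the BEGIN label.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA )?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def extract_private_keys(blob):
    """Return [(kind, fingerprint)] for each PEM private key found in blob.

    fingerprint is the hex SHA-256 of the base64-decoded body, so two
    copies of the same key compare equal regardless of PEM formatting.
    """
    found = []
    for m in PEM_RE.finditer(blob):
        kind = m.group(1).decode()
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except (ValueError, base64.binascii.Error):
            continue  # envelope without a decodable body; skip it
        found.append((kind, hashlib.sha256(der).hexdigest()))
    return found


def shared_keys(images):
    """images: {image name: bytes}. Return {fingerprint: sorted image names}
    for every key that appears in more than one image."""
    seen = defaultdict(set)
    for name, blob in images.items():
        for _kind, fp in extract_private_keys(blob):
            seen[fp].add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}


def _fake_pem(body, kind=b"RSA PRIVATE KEY"):
    # Constructed: a PEM envelope around arbitrary bytes. Not a real key;
    # it only exercises the carving and fingerprinting logic.
    return (b"-----BEGIN " + kind + b"-----\n" + base64.encodebytes(body)
            + b"-----END " + kind + b"-----\n")


KEY_A = _fake_pem(b"\x30\x82" + b"A" * 60)
KEY_B = _fake_pem(b"\x30\x82" + b"B" * 60)

# Constructed sample images: two releases ship the same key, one differs.
SAMPLE_IMAGES = {
    "fw-1.0.bin": b"\x00" * 16 + KEY_A + b"\xff" * 8,
    "fw-1.1.bin": b"\x7fELF" + KEY_A,
    "fw-2.0.bin": KEY_B,
}


if __name__ == "__main__":
    for name, blob in SAMPLE_IMAGES.items():
        print(name, extract_private_keys(blob))
    print("shared across images:", shared_keys(SAMPLE_IMAGES))
```

On real images you would feed the raw file (or each section after unpacking with your firmware extractor of choice) as `blob`; a fingerprint that repeats across versions, or across product lines, is the finding. Keys stored in DER or in a vendor-specific container will not match the PEM pattern and need a separate carve.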

Suits & Spooks vs. Engineers

I agreed to speak at Jeffrey Carr's Suits and Spooks in Boston on October 18th. The theme of this edition is Offensive Tactics Against Critical Infrastructure, and my sector to attack is electric. I'll be showing how an adversary would compromise individual and large...

Nessus for ICS Training

If you are attending the EnergySec Summit, Sep 25 - 27 in Portland, or if you are in the area, learn how to best use Nessus with your SCADA or DCS at our half day training course on the 25th. Space is limited to 20 students so register soon. Most people download...

Friday News & Notes

The big item of the week was Saudi Aramco cutting itself off from the Internet due to a malware incident. According to ICS-CERT, this would be an ICS cyber incident whether it affected their control systems or not because they run a control system. An article is...

Utilizing Demonstrated Engineering Experience

James Arlen, @myrcurial, posted a question on SCADASEC on the phrase "utilizing demonstrated engineering experience". Here is the pull quote/question: "If you are, say - a cookie manufacturer, and you have a cookie manufacturing line built and installed, you need to...

Control Systems and MS Attack Surface Analyzer

I've had a chance to spend some quality time with Microsoft's Attack Surface Analyzer over the past week, which I'm going to refer to as "MS-ASA" to keep my word count down. The tool itself is pretty nifty, it gathers security and other system information from...

Rethinking AMI

Most of the talk about smart grid and smart grid security, especially in the US, revolves around automated metering infrastructure (AMI). And much of the security discussion has to do with the ability of an attacker to turn power on and off to affect customers and...

Friday News & Notes

Last week cyber security legislation failed in the US Senate. This week the Obama Administration is putting the word out that they may implement the parts he believes are critical through Executive Order. Our view is that DHS has all the authority they need to make a...

Thoughts on NERC CIP V5 Unit Splits

I've been looking over the NERC CIP v5 lately, because of a few discussions I've had over the past week. Mainly, it's been the compliance requirements for the 1500 MW Critical Generation cutoff point and the design concept for what is called a "Unit Split". A Unit...

ICS Info Sharing Is Like Clearing Email

The article last week on Information Sharing - What Do You Want? generated some interesting discussion on and off the site. Info sharing proponents named some of the information they wanted. I'm tempted to use the overused analogy of "rearranging the deck chairs on...

Friday News & Notes

The Cybersecurity Act of 2012, S 3414, died in the Senate this week, although they could try again after the recess. No great loss. It wasn't going to pass the House, and it wouldn't have made a difference in ICS security. Jeffrey Carr over on the Digital Dao blog...

Information Sharing – What Do You Want?

Call me an information sharing skeptic. The first truth of information sharing is organizations and individuals only share information if it is in their self interest. This dooms most information sharing efforts because members are in receive only mode. A second...

Government Help! ?

As the US Senate Bill 3414 gains momentum (although I'm still unsure why this is a big story until we hear of corresponding House action), it's worthwhile looking at the sales effort around the proposed law. What we are seeing in public is likely a small amount of the...

Friday News & Notes

We will have an article next week summarizing the Black Hat, BSides and Defcon ICS related papers. So far the most interesting items are Ruben Santamarta's backdoor in the Schneider ION smart meter and two tools that test and hack optical ports on smart meters....

Pwnie Plug Evolution

There is a new version of the PwniePlug, which was previously reported on by Dale. This model comes in surge-strip form factor. This project is interesting for a few reasons. First, the PwniePlug/SheevaPlug/etc devices have always turned me off a little as...

Improper Builds

Last week I hinted at a vendor which included internal source code repository information in their firmware. I contacted the vendor and am told that the secret password has been changed, so it's time to talk about it. When I went hunting for NTP appliances to...

3 More ICS Vulnerability Handling Success Stories

A lot's happening this week in ICS vulnerability handling and a lot of it is positive. 1. ICS-CERT Takes Control I have been critical in the past of ICS-CERT's letting vendors determine when a vulnerability is disclosed. They have changed their policy. UPDATE! ...

The Importance of Vibration Monitoring Systems

After my previous blog post on the NERC-CIP Plant Tour, colleagues asked questions about the systems mentioned. One of the questions that took some time to answer, and required a lot of explanation, was regarding vibration monitoring systems, specifically the Bently...

Major ICS Vulnerability Dropped Friday

<< Note - I edited one paragraph after further thought and uncertainty of the exact time this was released. My change log says Friday, the date says Thursday. Apologies if the Friday comments are in error, but this is a big impact vuln that is being treated like...

Friday News & Notes

The S4 call for papers announcement and submission page will come out on Monday -- sorry for the delay. You will have two months to submit, but early submittal improves your chances. Speaking of conferences, next week in Las Vegas is BlackHat, BSides and Defcon. Only...

Yet Another Series of Backdoors

A few months ago I was lucky enough to do a lab assessment demoing a secure control system network. One component of the lab network got my attention a bit: an embedded Network Time server that gets its time from GPS. Its sole function in life is to get time via...

Tridium Fails and ICS-CERT Flails

The Billy Rios / Terry McCorkle article about the vulnerability handling of Tridium and ICS-CERT is a must read. I started to pull quotes from it and found I wanted to include almost everything. It's clear that Tridium was unresponsive not only to Rios/McCorkle report...

Friday News & Notes

Bob O'Harrow of the Washington Post continued his cybersecurity series, this time focusing on vulnerabilities in Honeywell's Tridium that is used in a large number of building management systems, including many directly connected to the Internet. Billy Rios and...

Industrial Espionage, a’la AutoCAD

In a story that broke around June 22nd, and that most of us in the ICS world missed, was the discovery of a virus targeting engineering drawings. Its name is ACAD/Medre.A, and it is specifically designed to snarf up AutoCAD files, and email them to (supposedly)...

Analysis of EMET Effectiveness

If you are interested in the effectiveness of Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) read Gal Badashi at the Security Bits blog post Tweaking Metasploit Modules to Bypass EMET - Part 1. He takes a released Metasploit exploit and payload and...

Friday News & Notes

Sorry for the absence last week, but I was at a SCADA Security Summit up the Wilder Kaiser in the Alps. The best kind of summit with only 1/3 of the talk on ICS security, beautiful scenery and Tyrolean food / German beer in the huts. The WikiLeaks story on...

Wurldtech Certifies Schneider To Certify Schneider

Wurldtech recently certified Schneider Electric as a Communication Certifier. It took me a bit to wade through what this really means. Schneider is now authorized to run the Wurldtech Achilles device against Schneider's own systems, and give their own...

Schneider Modicon FTP Backdoor Counter

The recent approval by Wurldtech for Schneider to self certify their products as meeting Achilles certification requirements was enough of a push to put up a replacement to the Siemens / Stuxnet counter as Reid has been suggesting for months. The counter debuts at a...

Japanese NHK 30 Minutes on PLC Vulns

Close Up Gendai is a long running, serious and popular program on Japanese national television station NHK. The audience tends to skew older, but everyone in Japan knows Close Up Gendai. So we were pleased to cooperate with the NHK crew when they wanted to do a...

Updated: PNNL Misleading McAfee Marketing As DoE Assessment

I wrote recently about Pacific Northwest National Labs (PNNL) "assessment" of McAfee's security products applicability for Energy Sector ICS. I called it a love letter and questioned how a National Lab or any other firm that does an assessment could write such gushing...

Are We Spending Enough or Too Much On Security?

The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don't spend enough, and Bruce argued...

Economics of Smart Grid Privacy – WEIS

An injurer (company) first balances expected cost of harm with the cost of prevention. This morning at the Workshop on the Economics of Information Security (WEIS) was devoted to privacy. This is an area that was not historically important in ICS, but privacy is a...

Internet-Connected Control Systems Update

Patrick Coyle posted over the weekend that ICS-CERT has updated their "Internet-connected control system" bulletin, first posted in January 2012. The update points out additional control systems vendors and rightly shows the concern that default passwords are present...

Tough Questions in ICS Security Economics

I'm in Berlin preparing to attend the Workshop on the Economics of Information Security (WEIS). ICS owner/operators act in their own best self interest. This is rational behavior for any person or organization. Owner/operators that don't spend money on ICS security do...

Friday News & Notes

Patrick Coyle correctly takes WAGO to task for providing the remediation advice of disabling EtherNet/IP and the web interface if not used. They didn't fix the vulnerability, and it took them five months to put out this advice? Actually, ICS-CERT put out that advice....

Why Antivirus is Not Enough

Few things beat patching, yet on industrial control systems patching is often delayed and delayed and delayed until some event forces the owner's hand. Antivirus is often used as a stop-gap measure to delay patching. This is often not a very good approach. Recently we...

PNNL Assessment of McAfee Security in ICS

Pacific Northwest National Lab (PNNL) released a report "Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control and Integrity Control". The date says March...

The Electric Power Plant Tour

Digital Bond has been doing a lot of generation work lately, and I've found myself in plant clothes (safety shoes, hard hat, jeans, cotton shirt) more and more often. There has been a lot of interest in the cyber security of generation plants, and not all of it is due...

Friday News & Notes

Kaspersky's analysis found that Flame and Stuxnet had code in common according to an article in TPM. "The code in common was used to install and propagate the malware onto computers from an infected USB stick by causing the victim’s computer to “autorun” the malware...

Korenix and ORing Use Crypto™

A client was recently interested in a particular brand of serial port to Ethernet converter. I've done my own with socat, and worked professionally on pen-testing an (IMO) excellent secure serial to Ethernet front-end that adds a lot of security and management...

Analysis of Spear Phishing Malware File

The following is a guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security. Dale was kind enough to share a copy of the spear phishing...

Friday News & Notes

First, comments are back up and running on the website. We still are sorting out a few other issues and apologize for the inconvenience. The Hill reports that "President Obama and senior administration officials participated in a simulated cyberattack exercise on...

Siemens – The Good, The Bad & The Bravado

A friend sent me a 24-page Network Security brochure from Siemens dated May 2012 with more detail on Siemens S7 security offerings and overall security strategy (we will add the link when it is up on the Siemens site). We would still like to get more technical detail,...

Spear Phishing Attempt

UPDATE: Added picture of email text. Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee. The attack linked to a probably-malicious .zip file based upon an old research...

NY Times Historical Fiction on Stuxnet

The NY Times published an enhanced excerpt from David Sanger's new book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. The long article focuses on the US and Israeli efforts to use Stuxnet to delay the Iranian nuclear program,...

by | Jul 12, 2019