2012 Articles
Friday News & Notes
We covered the big stories of the week, Siemens announcement, Flame and the NY Times article in earlier entries. Here is what else happened. Emerson DeltaV vulnerabilities made an ICS-CERT Alert this week. This is noteworthy because DeltaV is not some free demo...
Stuxnet Clock Stops At 625 Days
We have been running a Stuxnet clock in the right sidebar with the tag line: Siemens has not fixed Stuxnet S7 vulns for ... Yesterday Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC. So we have stopped the...
Anti-Virus and Flame
I've been disinterested in the Flame story and then the anti-Flame backlash. There isn't any data yet that makes it more pertinent to the ICS world than any other non-ICS incident. Not that it isn't a fascinating piece of malware worthy of investigation based on its...
Bandolier Baseline Update for Server 2008 R2
As part of developing Bandolier Security Audit Files for various control system components, see the full list here, we need to start with security audit files for the recommended OS security settings. These recommended settings are then modified as necessary for the...
Friday News & Notes
I've been surprised by the relative silence on the NERC CIP Version 5 ballot results. Perhaps everyone knew most would fail by a sizable margin (e.g. CIP-002 37%, CIP-004 39%, CIP-006 39%, CIP-007 46%). Only CIP-008 passed, but CIP-003 and CIP-009 came close with...
Intel, VxWorks, McAfee, NitroSecurity Strategy
When Intel followed the acquisition of Wind River, the maker of the popular PLC OS VxWorks, with the acquisition of McAfee, our curiosity was piqued. More recently they acquired SIEM vendor NitroSecurity, which had a significant and sustained effort on ICS security. So...
CIP V3 vs V5 – Blackstart is Low?
My last post regarding NERC CIP V5 is about the automatic 'Low' classification of Blackstart generation resources that do not meet the bright line criteria. The committee cites compliance costs and a potential withdrawal of blackstart resources as the primary drivers for...
Friday News & Notes
Richard Bejtlich blogged "SEC Guidance Is A Really Big Deal" regarding the SEC telling companies they need to disclose cyber incidents and risks. If you read financial statements you are already beginning to see cyber security disclosures along side other material...
EMET v3 Introduces Group Policy, More
EMET v3 was released two days ago and it introduces a most-coveted feature: support for management via Group Policy. EMET is Microsoft's answer to legacy software problems. It introduces address space layout randomization and other wizardry to legacy...
The Hidden Dangers of DNS
DNS is probably the second most misunderstood protocol (the first being the control protocol du network), and that needs to change. I can't claim to be anything close to a DNS expert, but am known to do neat tricks with it now and then. A few years back I was...
Another DHS Bungle or Risky Stratagem?
DHS Control System Security Program (CSSP) actions in the natural gas pipeline alert get even stranger. They have either bungled helping natural gas pipeline companies to protect themselves or have some risky stratagem to take down an attacker and are willing to...
A Request for a Competitive Process
Guest author Sean McBride is the Director of Analysis and Co-founder of Critical Intelligence, a company that provides Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders. One...
ICS-CERT ≠ DHS CSSP; INL = DHS CSSP
Let's take a closer look at DHS since this is the week of DHS's ICSJWG Spring Conference. Like many, I'm guilty of treating ICS-CERT as if they are THE DHS sponsored organization responsible for ICS security in the US Government. ICS-CERT is part of the DHS Control...
SCADACON (ICS Readiness Condition)
There have been more than a few hysterical articles, also full of hysteria, in the press based on attack information provided by DHS. Wow, a number of large companies have been subject to a spear-phishing attack! ICS specific threat or attack information = 0. This...
Friday News & Notes
ISA99 had a busy, well attended 3-day set of Working Group Meetings this week in Gaithersburg, MD. A lot of work gets done in these sessions, and it's a testament to ISA99 they continue to get this level of participation and effort through many years of work. We hope...
The Curious Incident of the Original Switch Manufacturer
Dan Goodin at Ars Technica pointed out something very curious to me yesterday. RuggedCom recently took down their 'Customers' page, which includes a list of companies for which RuggedCom is the OEM. Fortunately various search engines keep caches of these...
RuggedCom Owes its Customers an Explanation
RuggedCom was first contacted by Justin Clarke in April 2011 concerning backdoor access to their switches and serial converters. Late on Friday, they announced that they would remove the account from their devices, and that the change would only take a few...
Friday News & Notes
The big story of the week was Justin W. Clarke's disclosure of an undocumented, remotely accessible backdoor to selected Ruggedcom equipment. But there were other stories. We could link to a wide variety of articles on the US cybersecurity legislative efforts, but...
(Un)Protected Cyber Assets – CIP V3 vs V5
I'm continuing my review of the NERC CIP V5 standard updates, and discussing what good/bad things I find on DigitalBond.com. This week's focus is Protected Cyber Assets. According to the glossary, a Protected Cyber Asset is: A Cyber Asset connected using a routable...
Committee Hearing Actual Witnesses
Last week I wrote about a dream panel of witnesses for the US House of Representatives Committee on Homeland Security hearing titled: America is Under Cyber Attack: Why Urgent Action is Needed. Here is the actual and predictable list: Mr. Shawn Henry, Former Executive...
Ruggedcom Backdoor Revealed – Fragile Maybe Not
UPDATE - The vulnerability was found by Justin W. Clarke, an independent security researcher in San Francisco, California. We don't cover most of the ICS vulnerabilities on this site, but the Ruggedcom Undocumented Backdoor Access is a huge risk...
Cool Tools: USB Rubber Duck
A few months back, security researcher Justin Engler (@JustinEngler) introduced me to a neat toy: the USB Rubber Duck. The Duck is a USB thumb-drive lookalike with a secret -- the hardware is really a microcontroller with a microSD Card interface. The device can...
Friday News & Notes
Lots of action and disagreement on cybersecurity legislation in the US Government. One of the main ICS security partisan divides is around regulation of the privately owned critical infrastructure. This week the White House chimed in: "National Security Council...
5 Dream Witnesses for a Committee Hearing
Next Tuesday the US House of Representatives Committee on Homeland Security will have a hearing titled: America is Under Cyber Attack: Why Urgent Action is Needed. The panel who will provide testimony and answer questions has not been announced. If it follows typical...
The NERC Vulnerability Assessment, V3 vs V5
I've been doing a lot of work that involves the CIP vulnerability assessment process recently, namely while developing the Bandolier R8 Audit Files, and another more comprehensive file set that hasn't been released yet. This week, I had the opportunity to sit in on...
Friday News & Notes
The latest Version 5 of the NERC CIP standards is now open for comment through May 21st. Version 5 adds CIP-010: Configuration Management and Vulnerability Assessments and CIP-011: Information Protection to the existing CIP-002 to CIP-009. The NERC presentation on...
Koyo Responds
Koyo/Automation Direct has responded to Basecamp and has made many of the right moves. Yesterday's ICSA-12-102-02 pretty much says it all: Koyo has disabled the device's webserver by default, and they've added a lockout feature to password guessing. Hosteng.com has...
The Future of Project Basecamp
First a reminder of the goal: The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end. SCADA and DCS owner/operators will demand a secure and robust PLC, and this...
AppSecDC In Review
While there were some great talks at AppSecDC, the attendance at their Critical Infrastructure track was not very high. Critical Infrastructure is a new topic area for the AppSec conference this year and it's unclear if it will survive. OWASP has a lot of...
Why WAGO in Project Basecamp? Answer: 3S CoDeSys
On Friday I wrote on why the Stuxnet-type exploit module for the Modicon Quantum was important to show just how easy it is to upload rogue ladder logic. The other big news from Reid's presentation, you can see the slides below, was the introduction of the WAGO IPC...
Stuxnet-Type Attacks Are Easy
Reid presented the latest from Project Basecamp yesterday, what he called Camp 4, at AppSec DC. He has done great work in a short amount of time, between the paying projects and I suspect often on nights and weekends. I didn't want to step on his blog article...
Friday News & Notes
DHS released version 4.1 of their Cyber Security Evaluation Tool (CSET). This version adds Visio support for network diagrams. CSET is a good do-it-yourself option for those who can't afford pricey consultants like Digital Bond. I hope to give it a test drive and...
Project Basecamp: News from Camp 4
Today Digital Bond released two new Metasploit modules affecting Schneider Modicon Quantum PLCs. I believe that these only affect PLCs with a "Unity" ethernet card, although I would guess that the exploit could be adapted to other controller types with minimal...
Regulation Lessons From NERC CIP
Bryan Owen and Ralph Langner had great comments on our recent NERC CIP, Non-US Utilities and Security article. Here is an extended version of my response and comment. ---------- NERC CIP has certainly provided some useful data points and leads to what I believe are...
Economics of Information Security
I've been wanting to go to the Workshop on the Economics of Information Security (WEIS) for a decade now. This year it is in Berlin so I'm registered, committed with plane tickets in hand for WEIS 2012, June 25-26. Economics of Information Security is still a green...
NERC CIP, Non-US Utilities and Security
Sometimes it helps to escape the bubble to get new information and fresh thoughts. Below are three recent information points and four observations on regulation and real security after a long trip outside the US. Some of the observations are not new, but they are big...
4-Star Review for McCauley/Singer Book – Cybersecurity for ICS
Cybersecurity for Industrial Control Systems by Tyson McCauley and Bryan Singer, Auerbach Publications, 203 pages. I had high hopes for this book since Bryan Singer is very experienced in ICS, ICS security and IT security --- and Bryan and...
ISA Security Assurance Level Concept and Reality
The ISA 99 Security Committee has been hard at work on writing Security Assurance Levels (SAL) into the ISA / IEC standard. It's been slow going and difficult work, and may prove to be impossible for this committee. The idea of a SAL came from many in the committee...
More on Japan and ICS Security
More information from Japan. As mentioned earlier this week, the Japanese Ministry of Economics, Trade and Industry (METI) has stepped up efforts on ICS security. The trigger was a malware infection spread by email of Mitsubishi Heavy Industries reported in 2011....
ICS Security and Japan
Over in Tokyo this week visiting customers and old friends, and it's good to see the level of interest and concern in ICS security is growing. Like the US and rest of the world there still is a long way to go. A high percentage of the Japanese critical infrastructure...
60 Minutes on Stuxnet
Loyal blog readers should watch last night's 60 Minutes segment on Stuxnet, some of the web extras, and an interesting Overtime segment with Dillon Beresford. You won't learn much that is new to you, but you will be able to answer questions and comment when your family...
No More Hero Time
SCADA and DCS foster an engineer hero culture. The plant, pipeline or process is not operating properly. The one or two individuals, almost always guys who have 15+ years experience in the plant, are able to troubleshoot the problem, make a change on the fly, and get...
SCADASEC 101 and Defense in Depth
Four quick and different points to make in this blog: 1. Eric Byres has started a blog series on the very important defense in depth security concept 2. Defense in depth does not obviate the need for proper risk management and addressing major risks Project Basecamp...
Get Your ICS Off The Internet!
A number of loyal readers have been sending in examples of vulnerable, Internet accessible control systems. The example below from Patrick Stave of Norway is representative of what we are receiving. In this case, I 100% agree with ICS-CERT that if you have your SCADA...
US Congress Trying to Deal With ICS Community Failures
The fact that Congress has to deal with DCS and SCADA security for the critical infrastructure is another representation of failure by all in the ICS community, but in the US Government realm primarily by DHS as the responsible government agency. Congress can't be an...
What Should You Do … Part 4 – Gov & Stds Orgs
Project Basecamp highlights the fragility and insecurity in most PLCs and provides tools so anyone can demonstrate and prove it. There should be no doubt that after ten years the ICS community needs to deal with this, but how? Part 1 covered what Asset Owners should...
What Should You Do … Part 3 – PLC Vendors
Project Basecamp highlights the fragility and insecurity in most PLCs and provides tools so anyone can demonstrate and prove it. There should be no doubt that after ten years the ICS community needs to deal with this, but how? Part 1 covered what Asset Owners should...
ODVA Responds To Project Basecamp
ODVA, the organization in charge of the EtherNet/IP protocol, responds to the Project Basecamp Metasploit module and payloads that take advantage of the protocol's lack of authentication to reboot or completely stop the device. It basically says yes, this is true, because...
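The point ODVA concedes above is a property of the wire format, and it is easy to see in a packet. The following is an added example (not Digital Bond's Basecamp module and not ODVA code): a minimal parser for the 24-byte EtherNet/IP encapsulation header, a RegisterSession request/reply builder, and a check that flags session registrations from hosts that are not on a site allowlist. The header layout and the command codes follow the public encapsulation specification; the host addresses, the allowlist and the sample records are constructed for the example. It deliberately does not build the payloads that stop or reboot a controller.

```python
"""Added example: parse EtherNet/IP encapsulation headers and flag unexpected
session registrations. The 24-byte header (all fields little endian) is:
command(2) length(2) session handle(4) status(4) sender context(8) options(4).
There is no credential, nonce or signature field anywhere in it, which is why
RegisterSession from any host that can reach TCP/44818 yields a usable session.
"""
import struct
from dataclasses import dataclass

ENCAP_HDR = struct.Struct("<HHIIQI")   # command, length, session, status, sender ctx, options
ENCAP_HDR_LEN = ENCAP_HDR.size         # 24 bytes
ENIP_PORT = 44818

CMD_REGISTER_SESSION = 0x0065
COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}


@dataclass
class EncapHeader:
    command: int
    length: int
    session: int
    status: int
    sender_context: int
    options: int

    @property
    def name(self) -> str:
        return COMMANDS.get(self.command, f"Unknown(0x{self.command:04x})")


def parse_encap(data: bytes) -> tuple[EncapHeader, bytes]:
    """Split a TCP payload into (header, command-specific data)."""
    if len(data) < ENCAP_HDR_LEN:
        raise ValueError("short encapsulation header")
    hdr = EncapHeader(*ENCAP_HDR.unpack_from(data, 0))
    payload = data[ENCAP_HDR_LEN:ENCAP_HDR_LEN + hdr.length]
    if len(payload) != hdr.length:
        raise ValueError("truncated command data")
    return hdr, payload


def build_register_session_request() -> bytes:
    # Request: session handle 0, data = protocol version 1, option flags 0.
    return ENCAP_HDR.pack(CMD_REGISTER_SESSION, 4, 0, 0, 0, 0) + struct.pack("<HH", 1, 0)


def build_register_session_reply(session_handle: int) -> bytes:
    # Reply: same shape, the device just fills in the handle. No challenge is issued.
    return ENCAP_HDR.pack(CMD_REGISTER_SESSION, 4, session_handle, 0, 0, 0) + struct.pack("<HH", 1, 0)


def audit_sessions(records, allowed_clients):
    """records: iterable of (src_ip, dst_ip, dst_port, tcp_payload).
    Returns (src, dst) pairs that opened a session without being allowlisted."""
    findings = []
    for src, dst, dport, data in records:
        if dport != ENIP_PORT:
            continue
        try:
            hdr, _ = parse_encap(data)
        except ValueError:
            continue   # not a complete encapsulation message; ignore here
        if hdr.command == CMD_REGISTER_SESSION and hdr.session == 0 and src not in allowed_clients:
            findings.append((src, dst))
    return findings


# Constructed sample traffic: an HMI on the allowlist and an unknown host both
# register a session with the same PLC. Addresses are made up for the example.
ALLOWED_CLIENTS = {"10.1.1.20"}          # the plant HMI
SAMPLE_RECORDS = [
    ("10.1.1.20", "10.1.1.50", ENIP_PORT, build_register_session_request()),
    ("10.1.1.50", "10.1.1.20", 51000, build_register_session_reply(0x0100A1B2)),
    ("203.0.113.7", "10.1.1.50", ENIP_PORT, build_register_session_request()),
    ("203.0.113.7", "10.1.1.50", ENIP_PORT, b"\x65\x00"),   # fragment, skipped
]


if __name__ == "__main__":
    for src, dst in audit_sessions(SAMPLE_RECORDS, ALLOWED_CLIENTS):
        print(f"RegisterSession from non-allowlisted host {src} to {dst}")
```

The check keys on the request direction (session handle 0 toward port 44818) so the PLC's own reply is not counted. Because the protocol itself offers nothing to authenticate the peer, the allowlist and the network controls that enforce it are the entire control; that is the same conclusion the Basecamp posts on this page keep returning to.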
What Should You Do … Part 2
Hopefully loyal readers now accept that we need to address the decade old problem of insecure and fragile PLCs/RTUs/field devices, and the Basecamp information and tools provide some additional compelling evidence and demonstrations to prove the point to senior...
What Should You Do With Basecamp Knowledge & Tools?
More Project Basecamp modules and tools have been released today. The Basecamp reaction has been predictable and disappointing at the same time. The initial furor is over the disclosure, and there continues to be very little anger over the fragility and insecurity...
Valentine’s Day SCADA Tools Release
Written By Reid Wightman
Vendors are red
SCADA is blue
Now everybody
can demonstrate vulnerabilities in controllers
As promised, we have more PLC exploits ready to roll in time for Valentine's Day. First, I can't stress enough how much the other Basecamp researchers have...
The Sherpa: Basecamp Redux
Written By Reid Wightman I've experienced a lot of cognitive dissonance concerning the Basecamp disclosure and exploit tools release over the last few months. I might as well explain some more thinking of why doing what we've done is a good idea in the end. I'll...