SCADA Security News

We have put up a Vimeo Portfolio that includes the ten S4x13 videos released to date. There are still a few more to come. You can always find the link to the S4x13 and S4 2012 video portfolios in the right column of the home page.

The US Dept of Energy has an ICS security research funding opportunity. Some of the topics are a bit odd, such as “secure remote access for the energy sector” or “verify the integrity and facilitate deployment of energy delivery control system software and firmware updates”. These are areas that energy and other ICS do poorly, but it isn’t for a lack of proven technical solutions. “Detect compromise of supply chain integrity” and “detect adversarial manipulation of power grid components” are more interesting. And there is the catch all “Innovative technologies that enhance cyber security”. It’s a tremendous opportunity for potential ICS security product companies. Get your proposal in by April 5th, and there are some cost sharing requirements.

On the vuln/exploit front – two researchers at Fujitsu Labs found a vulnerability in VxWorks SSH Server. VxWorks is the most popular OS in PLC’s and other ICS embedded devices. A security patch is available. Also Rapid7 released a Metasploit module for CoDeSys Gateway Server Directory Traversal this week.

Bob Radvanovsky of SCADASEC and Project Shine fame has a post on efforts in Germany and Finland to identify Internet attached control system components.

The smart grid security document, NISTIR 7628, has a revised draft available for review. The page states the revision “does not make sweeping changes, rather just a few areas have been updated.”

The US DHS has released two new documents related to the US Industrial Control Systems Joint Working Group (ICSJWG). A 2013 update to the ICSJWG Guide that describes the organization, and the Cross-Sector Roadmap for Cybersecurity of Control Systems. The documents are available on the HSIN, but they are/will be available on the public ICSJWG page. (I only found older versions of these documents there today).

If you are in the NERC CIP world, FERC weighed in on some NERC interpretations of the regulations. First, FERC disagreed with NERC and said that network wiring must be within a 6-wall physical boundary. And there was another disagreement with NERC’s interpretation on CIP-002-4.

Tweet of the Week

[blackbirdpie id=”315095188425027584″]

Don’t forget to subscribe to this blog RSS feed and follow on twitter.

Worth Reading Articles

Critical Intelligence’s ICS Security Event Calendar Updates

Critical Intelligence provides reports and other information products on  Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by chrisinplymouth