ICS Security News

The big news of the week is Industrial Defender will be acquired by Lockheed Martin. Terms of the acquisition were not disclosed; it would be very interesting to know how an ICSsec product is valued in the market. Industrial Defender, formerly known as Verano, was one of the earliest entrants into ICS security products and services. Over the past decade they have gone through funding rounds and bounced between strategies of products, managed services, consulting and back again. In recent years they greatly improved their marketing efforts and focused on their Automation Systems Manager (ASM). A major achievement was the partnerships with ABB, Elster, Itron and Schneider Electric around the ASM. While the partnerships are important and valuable, the key to the success of the acquisition will be how well that ASM was developed for expansion and long-term support.

Adam Crain released his open source Aegis fuzzing framework. This was the tool he and Chris Sistrunk used to find the DNP3 protocol stack vulnerabilities.

Reports are that Japanese Prime Minister Shinzo Abe will submit a bill to the Diet to formalize the role and legal authority of the National Information Security Center (NISC).

The New Zealand National Cyber Security Centre (NCSC) released a set of Voluntary Cyber Security Standards for ICS. They are based on the US NERC CIP standards, and anyone familiar with CIP will recognize the organization, formatting and text. Many would say NERC CIP is a bad set of documents to follow, but the key difference is the NZ documents are voluntary. Originally the CIP standards were going to be voluntary, and they actually do a good job of covering an ICS security program. It would likely be quite effective if an asset owner used NERC CIP or the NZ documents as a means of putting together a security program. It was the shift to using the NERC CIP standards as regulations where the good work started to fall apart in my opinion.

FERC ordered NERC to develop and submit a standard “to address physical security risks and vulnerabilities related to the reliable operation of the Bulk-Power System” … and NERC needs to do this in the almost impossible time period of 90 days. As usual Tom Aldrich covers the issue well. This is the FERC response to the shooting of the PG&E substation.

Image by TooFarNorth