2010 Articles
Getting Beyond Passwords
Jason is spot on in his last post on default and easily guessed passwords. Extending Jason's rant a bit here... passwords don't work. This isn't news; we all live with the problem and have our own workaround because humans can't remember large numbers of...
Will IEC Save ISA99?
ISA99 is one of the oldest and most prolific control system security standards groups. They published the first quality technical reports on the topic, and have an ambitious 14 document work plan depicted at the bottom of the post. The working groups are gaining members...
Senate Hearing Notes
Yesterday the Senate Homeland Security and Government Affairs Committee held a hearing on Securing The Critical Infrastructure in the Age of Stuxnet. There were four panelists and here are my notes: Sean McGurk - DHS Acting Director, National Cybersecurity and...
The Automation Press (or Press Release)
I wrote the blog below last weekend and didn't post it because maybe we were supposed to know the article was a press release even though it looked like an "article". Today I received the same article in an Automation World News Insights email newsletter. This is...
Security Takes People
As the year starts to wind down we've been pleasantly surprised at how much progress many owner/operators have made in their security posture. The plants and SCADA systems that have made the most progress have devoted manpower to security. They have people...
Security Assurance Levels – Dream or Possible Reality?
Asset owners want DCS and SCADA security to be at least straightforward and preferably easy, especially when safety and security guys get together. Safety systems have Safety Integrity Levels (SIL) that specify the expected dangerous failure rate. So if a system...
Vendor Vulnerability Handling Dry Run
Almost without fail, vendors mishandle their first contact with a security researcher who has found a vulnerability in their product. This problem is not unique to control system vendors, and there are many tales of mishandling including the well documented Core...
Researchers and Disclosure
The change in terms from "responsible" disclosure to "coordinated" disclosure is welcome and wise. The various parties involved, vendor, user, researcher, CERT, will rarely agree on what is "responsible". Maybe there is some agreement at the edges, but determining...
What You Should Know About SHODAN and SCADA
In case you missed it, ICS-CERT issued an advisory about using SHODAN for identifying SCADA components connected to the Internet. The advisory covers the issues and the IT news outlets are picking up the story as well. Rather than echo that information or complain...
Why Will HSIN Work?
The concept of information sharing among a community of vetted users is appealing - - and it has been tried numerous times. Back in the '90s when InfraGard started, membership grew quickly at the promise of getting threat and attack information from the US Government....
WIB Vendor Security Certification Process
My previous blog on Version 2 of the WIB Security Requirement for Vendors reads a bit like a security assessment report. While it highlights some positives, most of the details are on the deficiencies. To be clear, it is one of the better documents in this space and...
ICS-CERT: Stuxnet Lessons Learned
I was tough on ICS-CERT's performance on Stuxnet in an earlier post. Now ICS-CERT is reaching out to a number of people in the control system community, including Digital Bond, to get some candid feedback on what they need to do differently or better. There is likely...
WIB Security Requirements for Vendors – Take Two
Back in April we reviewed Version 1 of the WIB/Wurldtech/Shell Process Control Domain - Security Requirements for Vendors. While it was a useful guideline document, it had major problems that needed to be solved before it could be used for a vendor certification...
Langner Focuses on PLC Impact of Stuxnet
Ralph has an open letter to Symantec up on his site. While I've been known to point out a failure from time to time in this blog, I think in this case Ralph is unnecessarily rough on Symantec who has done fantastic work on Stuxnet. However if you ignore the "You fail...
Walt Boyes Analysis / Smack Down of ISA 100
If you have been thinking ISA 100 is the future wireless standard for control systems, you must read Walt Boyes' analysis that the battle is over and Wireless HART has won. The tone and tenor of presentations I have been hearing for years is that ISA 100 is ready for...
Emerson Delta V Team Steps Back In Time
I learned via @jimcahill of Bob Huba's presentation on a new smart firewall offering at the Emerson Delta V Global User Exchange and was eager to learn more. An article on ControlGlobal has limited details on it, but more interesting was the step back in time by...
What Regulation Would Help?
Jason touched on the growing frustration with NERC CIP, and the realization that in many ways the CIP mandated compliance focus is actually impeding security progress. Joe Weiss has led the charge that CIP should be replaced with NIST SP800-53, but this comes as the...
Symantec Posts Most Detailed and Best Stuxnet Analysis To Date
Symantec posted yesterday the definitive analysis of Stuxnet to date. It's long, detailed, easily understood and overall a fantastic piece of work. Evidently they were holding this detail for a conference on the 29th and even more detail will be available in a white...
Stuxnet – Big Picture
One more Stuxnet post before we move on. A few different issues and thoughts to cover so I'll number them. 1. ICS-CERT Failed The Biggest Test Yet. The community expected ICS-CERT to lead, not follow far behind, in informing us about control system security...
Stuxnet Target Theory
Ralph Langner has posted even more technical data on Stuxnet, breaking down the technical info so it can be more easily understood. For example, "if the return from FC1874 is 'DEADF007', original code is skipped". He also theorizes the target is the Iranian Bushehr...
Stuxnet – Fingerprinting A Specific Target
This is going to be a Stuxnet week with more information and some larger issues, opinions and questions to follow. How did Ralph Langner and his team determine Stuxnet was targeted at a specific target and process? Well first of all it helps a great deal to have...
Stuxnet – The Siemens Affect
You can’t wrap fire in paper. Once the Stuxnet malware was available, it was only a matter of time before someone dug into the code and figured out what it did. Ralph Langner and his team are the best I know on the Siemens’ gear and protocol. It was fascinating to get...
Perfection – Part II
People want a certain and definite solution to a problem, including security. Take these seven steps and you will be secure. Run this tool and you will find all vulns. Buy a product with this certification and you will not be compromised. Unfortunately security...
Waterfall and One Way Security
A small number of vendors are promoting unidirectional network security devices, most notably Waterfall Security Solutions from Israel. [FD: Waterfall has advertised on digitalbond.com] To their credit Waterfall has doggedly pursued the control system security space...
Late Summer Reading: NISTIR 7628
How many of you have downloaded NISTIR 7628: Smart Grid Cyber Security Strategy and Requirements, saw it was 305 pages and put it aside? Maybe you even waded into the first ten to twenty pages and read a lot of general statements and gave up. Well if you have some...
We Will Never Be Perfect
Some of the post Stuxnet discussion, and even much before it, has the premise that we need to improve security so this type of attack can never be successful. That if we just all do the right things control systems will be impenetrable. When we see unpatched systems,...
Legislative Outlook for Control System Security Registration
Patrick Coyle writes the Chemical Facility Security News blog and tweets @pjcoyle. His blog is my go to resource for all things chemical security, and Patrick also does the hard work of tracking all of the control system security legislation. Patrick was kind enough...
Siemens Roller Coaster Response to Stuxnet
The Siemens response to Stuxnet has been like a roller coaster. It started diving low with limited information and a bit of blame shifting, as most organizations facing a vulnerability for the first time do. [Siemens is huge and obviously other parts of Siemens are well...
What Do VxWorks Vulns Mean?
HD Moore recently published a blog entry highlighting some serious vulnerabilities in VxWorks - - an operating system used by a number of field devices in SCADA and DCS. What does and doesn't this mean? This has little or no impact on the security of control system...
How Should We Treat Cyber Incidents
Joe Weiss has been conflating Cyber Incidents with Cyber Security Incidents for a while now, primarily by leaning on the NIST FIPS-200 definition of an Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or...
Dept of Energy Peer Review
Last week I attended, presented and tweeted at the Dept of Energy Cybersecurity For Energy Delivery Systems Peer Review. The idea is that DoE funds all these research projects, and they would like a group of owner operators and other industry gurus to help determine if...
Trojan Targeting Siemens and APT Thoughts
Pay attention to the P in Advanced Persistent Threat [APT]. Most of the attention paid to the trojan with a payload targeting Siemens control system applications has been on the Advanced nature of this malware. And that attention is warranted because there has not...
Ex-FERC Chair Kelliher with Interesting FERC/NERC Comments
Joseph Kelliher was the Chairman of FERC from July 2005 - January 2009 so he had a front row seat to the NERC ERO / FERC / Congress issues and enough time to get perspective from outside the FERC bubble. On April 28th he gave a speech at an Energy Bar Association, and...
Perfect Citizen
A few thoughts on the Perfect Citizen project by NSA. First, it is unclear what Perfect Citizen is. The news reports said the program would place sensors in the critical infrastructure to detect cyber attacks. NSA says "Perfect Citizen is purely a...
Recovery
A common fault in control system security programs is in recovery of cyber assets. The redundancy gives a false sense of security, and the questions "can you rebuild this server" or "when was the last time you rebuilt this server" often go back to the vendor initial...
Economist Article on Cyberwar
The Economist Magazine has a 2744-word cover article on "Cyberwar". Like most articles in this publication it is balanced and presents the issues well. They have both Richard Clarke with his alarms and Bruce Schneier calling it scaremongering. There is nothing that...
Book Review: Weiss’s Protecting Industrial Control Systems From Electronic Threats
Protecting Industrial Control Systems From Electronic Threats by Joseph Weiss. 7 Word Review - Missing: a quality editor. Pass on this. The attempt by Joe Weiss, one of the pioneers in control system security, at writing an overarching book on control system security is...
Emergency Remote Access Clarification / CIP
NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said,...
The CIP Effect Curve
Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and time to answer that question now. Like most things in life, it is not a simple yes or no. It is affected by an organization's previous efforts on...
A New Competitor? DHS?
Matt Olney from Sourcefire has a lengthy editorial on the Lieberman-Collins Protecting Cyberspace As A National Asset Act. I haven't read the 197 page bill cover-to-cover, but did glance at the sections that Matt highlighted in his editorial. What was a bit jarring...
ISASecure: Docs on Testing Tool and Lab Accreditation
ISA's ISASecure has been working on an Embedded Device Security Assurance certification. We have previously reviewed (see links at the bottom of the post) the Functional Security Assessment and Software Development Security Assessment documents that represented two...
NERC High Impact Low Frequency Report
If you don't have the time to read a 120 page report, take a quick look at the 19 report overview slides. A true, directed cyber or blended attack is what makes risk management for control system cyber security so difficult. Talk to a moderately skilled hacker with...
A Peek Into A Control System App Assessment
We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications. Recently Daniel spent a couple of days black box testing a widely used control system application...
Smart Grid Expectation Problem
We could be looking at highly successful Smart Grid program results that are viewed as failures because of improperly set expectations. Let me explain. After Distributech in March, I blogged some thoughts on where Smart Grid stood and what the future might bring. It...
Cellular Modem Use Without Risk
Loyal blog readers know we have been talking about and tracking the increased use of cellular modems in SCADA systems. These are often accessible from the Internet, almost always accessible by other users with service from the same cellular company, and so far always...
Why Bother With Aircraft Systems?
That was the question Ralph Langner asked in a comment on a Friday News and Notes item, and then he and Michael Toecker had an interesting back and forth. Here is my two part answer. 1. Because when you have an IP network, a small segmented island can intentionally or...
Code signing, misconceptions and realities
Code signing is a security feature that has been around for quite some time, and has been proven in many other areas, but it is uncommon to find in any control system component and very rare to find in control devices where firmware uploading is an important...
Validation Methods for ISASecure Software Development Security Assessment
Earlier blog entries talked about the ISA Embedded Device Security Assurance Certification and the validation methods for the Functional Security Assessment part of this certification. In this entry I'll review the as yet unpublished validation columns in the Software...
Validation Columns in ISCI Embedded Device Security Specification
I recently reviewed the two published drafts for the ISASecure Embedded Device Security Assurance Certification and had a number of comments on how easy or hard it would be for third party testing of the requirements. Since that review ISASecure was kind enough to...
Speak Up!
I'm about to touch the 3rd rail of control system security - - Joe Weiss. I can't count how many times, at industry events, dinners, conference calls or any other gathering of people in the community, a portion of the conversation turns to griping about Joe. The catalyst...
Education Question and One Answer
John Saunders with the National Defense University has been one of the most active participants in the control system security education and workforce development area. After seeing him again working on these issues at ICSJWG I wanted to get his view on the best way...
Tofino OPC Firewall in Triconex Module
Byres Security and Invensys have announced a Tofino Firewall module for the Triconex Safety System. It looks like an industrial device and has similar environmental specs, -40 to 70C, Class I Div 2 and Zone 2 approved. What is new about this product is OPC application...