2011 Articles
Security Is Only a Small Part of Availability
Last week Infosec Island published the article, Report Shows Energy Infrastructure Susceptible to Attack. The article discusses a recent report, The State of IT Security: A Study of Utilities and Energy Companies, issued by the Ponemon Institute. Did we really need a...
Industrial Defender ICS Security Survey
It's difficult to find hard data in the ICS security realm, so Industrial Defender's recently published survey provides some welcome data points. The survey is officially titled "Managing Automation Systems: Critical Infrastructure Operators' Challenges &...
Guest author Jason Holcomb is a Digital Bond alumnus who is now a Senior Security Consultant for Lockheed Martin’s Energy and Cyber Services group where he is responsible for providing critical infrastructure security consulting services and integrating ICS security...
The Salivating Press
Back in September 2010 Ralph Langner had hard evidence that the Stuxnet code was fingerprinting and attacking a specific process in a PLC. After Ralph announced his findings, and we blogged on them extensively, it was weeks before it got seriously picked up...
DHS ICSJWG Creates Roadmap of Roadmaps
The Energy Sector Cyber Security Roadmap developed by the US Dept of Energy was well received when it first came out in 2006 and was recently revised. Other sectors saw this and it has led to a Water Sector Roadmap, Chemical Sector Roadmap and various other sector...
Advantech WebAccess First on Insecure Products List
ICS-CERT updated their Advisory ICSA-11-094-02A - Advantech/Broadwin WebAccess RPC Vulnerability last week, and inspired us to start our Insecure Products List. The update was short but serious: "Advantech/BroadWin has notified ICS-CERT that a patch will not be issued...
Market Failure, Regulation and the Public’s Right to Know
A number of related issues brought up at ICSJWG have been floating around my head in the long flight to Asia: market failure, regulation and the public’s right to know. At ICSJWG a friend reminded me that in his S4 keynote Dr. Ross Anderson said that regulation is...
ICSJWG Day 2 and Summary
Previous blog entries have covered Day 1 and the Vulnerability Disclosure Panel. Here is a bit of news from Day 2 and summary thoughts. Summary Thoughts: DHS puts on a quality event both in the organization and agenda. It's definitely worth attending if you haven't...
Disclosure Panel at ICSJWG
The reason I attended ICSJWG was I had the surprising opportunity to participate in a vulnerability disclosure panel. Surprising because DHS knew I was likely to be quite critical of certain vendors and ICS-CERT. The panelists had ten minutes for a presentation then...
Duqu Targeting Update
We have been focusing on the Duqu targeting in an attempt to determine what risk, if any, Duqu posed to SCADA and DCS owner/operators. In the last 24 hours there has been more confusion and then some clarity with new bulletins from ICS-CERT and Symantec. Eric Chien of...
Duqu and ICS?
<Embarrassing Update: Duqu not Duku, no excuse, corrected throughout blog> The newly discovered Duqu malware and its relationship with Stuxnet and ICS was the big news yesterday. The ICS-CERT Alert is actually concise and informative. It points out that the Duqu...
Stuxnet Reporting Needs Facts and Attribution
Who created and used Stuxnet? This would be a big story in the mainstream press and the biggest story in ICS security to date by far. Unfortunately we have nothing but motive and speculation with almost no hard facts on the culprit -- at least publicly disclosed. A...
665 SCADA Bugs Presentation from DerbyCon
Terry McCorkle's presentation at DerbyCon, 100 Bugs in 100 Days: An Analysis of ICS (SCADA) Software is available online. He did this research in his spare time with Billy Rios, and it is informative technically and culturally. The research focused on freely...
Smart Move: NERC Changes CIP Violation Handling
(Following NERC security is a full time endeavor these days. To that end, digitalbond.com is looking for a NERC correspondent. Ideally this would be someone who follows NERC security as part of their job, has the ability to comment publicly, and has some opinions and...
How Should ICS-CERT Handle Insecure By Design?
There was first shock and then sympathy for ICS-CERT Acting Director Marty Edwards’ statement at WeissCon that only software bugs are treated as vulnerabilities by ICS-CERT. The important converse of this statement is any exploitable security weaknesses that are...
Microsoft EMET and Chem Sector Architecture
Last week two ICS security related offerings were highlighted by Microsoft, one old and one new. Kevin Sullivan suggested again that ICS vendors with legacy applications running on any version of Windows look at the Enhanced Mitigation Experience Toolkit (EMET)....
Major Energy Sector Roadmap Update
In 2006, the US Dept. of Energy issued an Energy Sector Security Roadmap with specific goals and milestones. We scored the progress on the roadmap in an earlier blog, and it did drive DoE's research funding and other efforts in the intervening years. This month the...
Luigi Vulnerabilities II
Italian researcher Luigi Auriemma has released another set of vulnerability advisories and proof of concept exploit code for a variety of ICS products. He is finding overflows on the proprietary services the vendors are writing. You hear often in ICS, "don't scan it...
3-Star Review for Teumim/ISA VERY BASIC Pamphlet
Dave Teumim's Industrial Network Security, published by ISA, is a very basic, very short book that does a good job of introducing cyber security to an ICS manager with zero security experience. This "book" really is more of a pamphlet. It's 130 pages long with...
Motivation and Goals for Project Basecamp
Last week I introduced our Project Basecamp - Hacking PLC's. This will be the Digital Bond paper at S4. There have been a number of questions of what we are doing, why we are doing it, what disclosure process we will follow ... I'll start with the why in this entry,...
3-Star Book Review: Knapp’s New Industrial Network Security
Eric Knapp's book Industrial Network Security shipped this month and is also available for the Kindle. It is a tough book to review because the quality and accuracy were very uneven. As compared to other ICS Security books available today, grading on a curve, it...
Belden/Hirschmann Buys Byres Security/Tofino
ICS specific security sales are still a very small market, but today probably the biggest player in that niche, Byres Security, was purchased by Belden. Byres' Tofino firewall and related security technology will most likely reside in the German based Hirschmann arm...
Project Basecamp – Hacking PLC’s
After reminding everyone of the Sept 18th deadline for the S4 Call For Papers earlier today, I thought it would be a good time to provide some details on the Digital Bond paper that will be presented at S4. We are calling it Project Basecamp. The Basecamp presentation...
Pike Research: ICS Security Market US$4.1B?
Utility Investment reports that a new Pike Research study, Industrial Control System Security, estimates the ICS Security market to total $4.1B between 2011-2018. Hooray, we are all going to be rich. Neither the article nor the Pike Research site provides detail on how this...
1 Star Book Review: Techno Security’s Guide To Securing SCADA
Save your money and don't buy this book. We won't even link to a page where you could buy it. The reason for the worst, 1-star rating is this book is not about SCADA Security. It is a collection of general purpose IT security chapters written by a collection of...
Nothing Changed: Black Hat’s Impact on ICS Security
Siemens is a marketing genius (evil genius?). At Black Hat, the mistreated researcher actually thanks Siemens, praises Siemens and lets “Siemens” speak about how much they care about security. I hear rumbling through the crowd that isn’t it great that Siemens is here...
Langner Book Review: Robust Control System Networks
It would have been easy for Ralph Langner to write a first hand book on the twists and turns of the Stuxnet story. Instead, he goes in a completely different direction by writing essentially an engineering practices book, Robust Control System Networks. And it is one...
RTP Controller Achieves ISASecure Level 2 Certification
Back in June, Honeywell's Safety Manager was the first product to achieve ISASecure's Embedded Device Security Assurance (EDSA) certification. It was certified to meet Level 1, the basic level. Level 1 is a significant accomplishment most PLC's and other controllers...
Can INL Perform as ICS-CERT? No
ICS-CERT may be relieved the spotlight has been focusing on Siemens as their performance and information provided in the Stuxnet and Beresford vulnerabilities has been consistently late and of little or no added value. This makes no sense given the quantity and...
Beresford @ Black Hat: Guru’s, Politics and ICS Response
Dillon Beresford of NSS Labs finally went on stage to discuss the multiple vulnerabilities he has found in the Siemens S7 PLC's. In Part 1 of the report, I'll go into the details of the attacks as I understand them. Note that Siemens customers are still not receiving...
PLC’s: Insecure By Design v. Vulnerabilities
While significant progress has been made in securing ICS workstation and server components over the last ten years, almost no progress has been made in securing PLC's and other field devices. Now with researchers / hackers of all hat colors, as well as more malicious...
Making Sense of Siemens Vulnerability Conflation/Confusion
My point: we have multiple Siemens vulnerabilities affecting multiple Siemens products and little clarity from ICS-CERT or Siemens on the totality of the vulns, the impact or the affected products -- or what is queued up and ready to come next as soon as Wednesday!...
Siemens S7 Honeynet?
Digital Bond released a high interaction / very realistic SCADA Honeynet a few years back. Actually a better name would be a PLC Honeynet because it appeared to be a Modicon PLC. It has a points list with realistic values from an actual PLC that can be accessed via...
Industrial Defender Prices New Service By MW
Industrial Defender, an ICS security products and services vendor, issued a press release announcing three new security services for power plants: Monitor, Manage and Protect. What is novel about the offering is the pricing model. Pricing is based on the megawatts of...
Process Failure Issues – Add Compromise To Troubleshooting
Michael Toecker started an interesting, if slightly disingenuous, thread on control.com. He asks for approaches to the following problem: You've been experiencing periodic failures of equipment that is important in the reliable and successful completion of your...
Diverging Views on NERC CIP Flaws
I have yet to meet anyone, who is not on the NERC payroll, who believes that the CIP standards are resulting in anything close to effective and efficient improvement in the bulk electric system's security posture. (Even ex-NERC and regional entity employees who were...
What’s Worse, Incompetence or Deception?
Yesterday Dillon Beresford announced and ICS-CERT confirmed that the Siemens' S7-200, S7-300 and S7-400 families of PLC's suffered from the same replay vulnerability as the S7-1200. Siemens had not announced this even though they have had the information for over two...
ICS Security Training
This week I'm teaching our updated three-day course on Control System Security for Control System Engineers for a client. One thing I learned from my experience teaching at Infosec Institute more than five years ago is it is very hard to make an interesting course for...
Siemens Security Tap Dance or Reality?
This week Siemens held its Automation Summit in Orlando, and security was heavy on the agenda. In an earlier blog I took to task Byres, Langill and other security guru's, really top notch talent, for providing cover to a poorly performing vendor by attending,...
Cyberwar Rules and Law
The Iranian Supreme National Security Council has called for the "International Atomic Energy Agency (IAEA) to form a fact-finding committee to detect agents involved in nuclear terrorism and operation of Stuxnet computer worm to attack nuclear industry". The majority...
ICS Vulnerability Prioritization Problem
My Point: The ICS vulnerabilities being found and trumpeted have little impact on SCADA and DCS that run the critical infrastructure. Somehow we need to get the increased effort to identify vulnerabilities focused on the critical ICS applications and components....
The “It Won’t Stop Stuxnet” Fallacy
We are hearing more and more that a particular security control is inadequate or not worthwhile because "it would not have stopped Stuxnet". This has come up in numerous comments on this blog and in other places, such as my friend Jake Brodsky's blog entry. If we are...
Fix The Problem, Stop Bailing Out Vendors
My point -- we, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data sent...
Stop Talk – Make A Star
While acting with the best of intentions, DHS and Siemens persuading Dillon Beresford to drop his "Chain Reaction: Hacking SCADA" talk at Takedown last month has backfired. My favorite tweet on the subject is: This is so true, like the "coverup is worse than the...
Time to Replace SecurID Tokens?
A significant percentage of ICS owner/operators use SecurID tokens for strong, two-factor authentication for remote access. Similar to the IT space, it has the largest market share by far. With the recent hacks of RSA and Lockheed, it is time to reconsider if you can...
The Lost Decade
Digital Bond performed its first SCADA security assessment in 2000. The 9/11 attacks that supposedly changed everything in critical infrastructure security occurred in 2001. Yet as we have chronicled in this blog, the ICS community as a whole is still amazingly...
DHS Updates Best ICS Vuln Statistics Available
In 2008 DHS issued the first edition of Common Cybersecurity Vulnerabilities in Industrial Control Systems based on 15 ICS security assessments of either products or deployed systems they performed from 2004 to 2008. They just released an update to this document that...
WAKE UP!!! PLC’s ARE VULNERABLE!
Trying a new, blunt method of communication because numerous blog entries, presentations and papers just aren't getting through. Please read and reread the following paragraph: If you have network access to almost any PLC, RTU or other type of field device, then you...
Senate Looks At White House Cybersecurity Proposal
The Senate Committee on Homeland Security & Government Affairs held a hearing on the recent White House legislative proposal on Cybersecurity. Pay attention to this as it would have a big impact on the most critical infrastructure, and there have been efforts to...
Researcher Talk Pulled, When Will Siemens Talk?
Yesterday Dillon Beresford cancelled his talk and demonstration titled Chain Reaction: Hacking SCADA at the Takedown event after a discussion with DHS and Siemens. Wired has an article with the details which includes the Beresford quotes “Based on my own understanding...
White House Proposed Legislation Would Regulate ICS
Last week President Obama provided a legislative proposal on cybersecurity with a potentially large impact on the ICS community. Actually it is a number of legislative proposals in a single document. A portion of it covers government "evaluation" of critical...
ABB 800xA Virtualization
We have been early and big fans of SCADA virtualization for servers and workstations. Not for the server consolidation benefits that drive most IT virtualization projects. Control systems have a surprisingly small number of servers and workstations so...