Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and time to answer that question now. Like most things in life, it is not a simple yes or no. It is affected by an organizations previous efforts on...
Matt Olney from Sourcefire has a lengthy editorial on the Lieberman-Collins Protecting Cyberspace As A National Asset Act. I haven’t read the 197 page bill cover-to-cover, but did glance at the sections that Matt highlighted in his editorial. What was a bit...
ISA’s ISASecure has been working on an Embedded Device Security Assurance certification. We have previously reviewed, see links at the bottom of the post, the Functional Security Assessment and Software Development Security Assessment documents that represented...
If you don’t have the time to read a 120 page report, take a quick look at the 19 report overview slides. A true, directed cyber or blended attack is what makes risk management for control system cyber security so difficult. Talk to an moderately skilled hacker...
We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications. Recently Daniel spent a couple of days black box testing a widely used control system application...
We could be looking at highly successful Smart Grid program results that are viewed as failures because of improperly set expectations. Let me explain. After Distributech in March, I blogged some thoughts on where Smart Grid stood and what the future might bring. It...
Loyal blog readers know we have been talking about and tracking the increased use of cellular modems in SCADA systems. These are often accessible from the Internet, almost always accessible by other users with service from the same cellular company, and so far always...
That was the question Ralph Langner asked in a comment on a Friday News and Notes item, and then he and Michael Toecker had an interesting back and forth. Here is my two part answer. 1. Because when you have an IP network, a small segmented island can intentionally or...
Code signing is a security feature that has been around for quite some time, and has been proven in many other areas, but is uncommon to find it in any control system component and very rare to find in control devices where firmware uploading is an important...
Earlier blog entries talked about the ISA Embedded Device Security Assurance Certification and the validation methods for the Functional Security Assessment part of this certification. In this entry I’ll review the as yet unpublished validation columns in the...
