External Connections

When stories about Internet based attacks on control systems, like the 60 Minutes story, appear on sites like Slashdot, most people question the need to attach the control network to another network.  In my previous position at a National Laboratory, I have seen...

60 Minutes

I wanted to wait to hear the reactions to the segment on 60 Minutes before commenting. If you missed it, see it here or read the transcript. Here are a few thoughts on the story. It is probably a net plus because 60 Minutes reaches an audience that might not be aware...

The Relevance of ISA 99

One of the reasons I went to ISA Expo in Houston last week was to try to get a fix on what ISA 99 was up to and whether it continued to matter. Historically, ISA 99 was one of the early movers in the control system security standards and guidelines space. Their first...

Another Look at Application Whitelisting in Control Systems

Someone needs to tell me where the downside is with products like CoreTrace Bouncer. I’ve tried to be skeptical of application whitelisting but the more I see, the more I like it. Recently I had the opportunity to see Bouncer demonstrated on a Yokogawa Centum...

Control System Scanning with Nessus

A few weeks back while discussing some planned Nessus updates and Bandolier, I said what matters is value and improved security for your control systems, not just running a scan. There are a variety of reasons why you might want to scan your control networks but...

Security Configuration and Acceptance Testing

After working on a few factory acceptance tests for SCADA and DCS implementations, I have some suggestions for the process as it relates to security, and particularly security configuration testing. They can be roughly categorized as suggestions for the vendor, for...

Vulnerability Disclosure – Reboot

I attended a half day workshop on Vulnerability Disclosure — yes there is no permanent escape from this topic. But after taking some time off and listening again I may have had an epiphany. Let’s go back to the beginning with IT vulns, why were...

Permissions Advice for Control System Applications

In a world of remotely exploitable vulnerabilities and inherently vulnerable protocols, permissions on a control system server may seem insignificant. With 20+ Bandolier security audit files under my belt, though, I have a different opinion. Think about all the...

EnergySec Tries A New Type of Information Sharing

Effective information sharing about vulnerabilities, security incidents and other security issues is a hard problem. Most owner/operators are reluctant to share anything that could make them look bad or worse, but these same asset owners see the benefit of receiving...