As Jason Holcomb noted on this blog a few weeks back, there is a growing interest in apply the practice of whitelisting to control systems. In whitelisting a set of known “good” applications is created and maintained, and only applications from that list...
There is a dangerous theme I’m hearing more and more from a variety of sources that every possible risk must be reduced immediately, right now. And if you are not doing this Mr. Asset Owner you are in security denial and being irresponsible. First this is not...
I’ve talked to a few people recently who have control system security responsibility but are on a very tight or non-existent budget. Some things, like the network taps that we discussed recently, do have significant cost but there are many basic security steps...
Ralph Langner, who is on our top ten list, always has some interesting tools or information when we talk. Recently he showed me an application Langner Communications uses when having difficulty convincing asset owners they should worry about security. It is a simple...
It’s always a pleasure to talk with Ralph Langner of Langner Communications at S4. He is a leader and independent control system security voice in Europe. Ralph has developed some interesting tools to demonstrate vulnerabilities and lack of security that I hope...
As most of us know, yesterday hundreds of thousands of people converged to witness the swearing in of the 44th president of the United States, Barack Obama. My television was on in the background yesterday, and my radar couldn’t help but pick up on some of the...
Oracle released 41 security patches this week for a variety of their products. Ten of the patches were for the Oracle database – – that by the way is used in many SCADA and DCS servers. We have seen great progress with vendors testing and certifying...
Based on the reviews from early adopters, the Bandolier security audit files exceeded many expectations in 2008, including my own. We have received some very encouraging feedback from vendors, asset owners, consultants, and even our own assessment teams. With each new...
Embedded device security is a topic that many will dismiss, in favor of more popular security concerns. I can understand this, to a certain extent, because mainstream press and information outlets often do not cover embedded security. They are focused on the more...
The gist of discussion on my earlier blog on the “Relative Security of the ARM vs. x86 architectures” can be summarized in two bullets. 1. It is interesting that at least theoretically, a proper Harvard Architecture based chip might provide a better...
