Lack of Imagination and Attack Progression

I was a little late catching it, but Richard Bejtlich made a post titled “First They Came for Bandwidth…” over on his TaoSecurity blog last week that is worth reading. He argues that one of the problems with being in a defensive position with regard to security...

Bandolier Update: Introduction to Compliance Checks

Dale posted an introduction to Bandolier a couple of weeks ago. I am increasingly excited about the value of this project. We are working with asset owners and vendors to identify a hardened configuration for twenty control system applications. We are then developing...

Virtualization in the SCADA World

A few years back, the traditional IT world was debating the merits of virtualization. There were concerns about performance, security, vendor support, and a host of other issues. Fast-forward to today, however, and you’ll find virtual machines in use in nearly every...

Vulnerable NetDDE Shares Lead To Complete System Compromise

When the NetDDE share vulnerability in Wonderware’s InTouch 8.0 HMI was announced by US-CERT, we noticed that most dismissed it as just typical control system weak permissions, the same as is commonly seen in OPC DCOM configurations. However, the true impact of a...

Lack of Information and Parsing Words

Alan Paller of SANS has been talking about cyber extortion attempts against utility companies for over a year now, and we now have Tom Donahue, a CIA rep, on the record. “We have information, from multiple regions outside the United States, of cyber intrusions into...

Bravo FERC!

Today FERC approved the NERC/ERO CIP cyber security standards for the electric industry. This was the right decision to avoid derailing progress. What is most impressive are the comments in the press release and final rule. They directed modifications and...

Chaos Computer Club (CCC) SCADA Presentation Report

Ralph Langner, one of the bright lights in the European SCADA Security community, attended the CCC annual meeting in Berlin right before the new year. There was a Hacking SCADA presentation. Begin Ralph’s Report: The Chaos Computer Club’s annual meeting is...

Top Ten SCADA Security Stories in 2007

Here is our list of the top ten stories rated by immediate and expected long-term impact on the community. 1) Aurora: An easy choice for number one. Even though we have had both control system and IT experts give apocalyptic quotes for years on how they could easily...

Please Stop Me

Someone please smack me in the head if I am dumb enough to wade into that tired IT vs. Control System discussion again.

Wonderware Disclosure Saga

Saga may be overstated since the process did not take that long, but it was a classic example of why we don’t agree with leaving disclosure decisions up to the vendor, or the researcher. Our approach is to let a coordination center, US-CERT in...