The idea of ICS security metrics is popular, but actual measurable metrics are rare. The ISA99 committee is tackling this hard problem with Technical Report 62443-1-3 System Security Conformance Metrics, now out for ballot. Section 4.2 Metrics Development Checklist is...
Positive Hack Days in Moscow had a cool Critical Infrastructure Attack contest. “The contest’s participants will have to deal with a thermal power station, transport and city illumination systems and also with cranes and industrial robots.” Looking...
The January – April 2014 edition of the ICS-CERT Monitor was chock full of interesting facts and factoids. Here is what caught my eye. Internet Accessible Control Systems Facts – Three examples of Internet accessible control systems are described. The...
President Obama tasked NIST with creating a Cybersecurity Framework (CSF) to help secure the critical infrastructure. NIST released Version 1.0 of the CSF on February 12th. We have had a chance to dig into the CSF and even use it in a few consulting engagements, so...
Tofino’s response to Windows XP end of life reminds me of Maslow’s Hammer: “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” These industrial firewalls have their place, and we have...
Digital Bond is bringing S4 to Tokyo this October, and we are looking for excellent sessions for the two-day event. The event will be held in English and Japanese with simultaneous translation as appropriate. We welcome your session proposals in English or Japanese as...
Another ICS security acquisition this week – GE buys Wurldtech. Wurldtech is known most for their Achilles fuzz testing tool and certification. It was an early entrant in ICS fuzzing and has strong relationships with Shell and other asset owners and vendors in...
The President/CEOs of the American Public Power Association (APPA), Edison Electric Institute (EEI), and National Rural Electric Cooperative Association (NRECA) felt a recent WSJ article critical of the electric sector’s cyber security “warrants response...
The Department of Energy issued an update to their Cybersecurity Procurement Language for Energy Delivery Systems. Useful document if you are working on an ICS RFP. Will they develop an Appendix that will map the requirement statements to NIST CSF sub-category...
Stephen has been busy cranking out the Project Redpoint Nmap enumeration scripts for ICS applications, devices and protocols. The latest we have made public is a NSE to identify and enumerate EtherNet/IP devices. EtherNet/IP is used in the Logix family of Allen...
