Friday News & Notes

Slow summer week IntegraXor became the first ICS vendor to offer a bug bounty (that we are aware of). The bounty is software licenses not points … “We do not pay out monetary reward but only pay off I/O point to use our software license.” This...

Unsolicited Response Podcast: Siemens S7 Security Features

Loyal blog readers know that PLC security is a focus of Digital Bond and a passion of mine. The proponents of defense in depth are selling a mirage if the critical endpoint can’t be secured. Project Basecamp and other researcher disclosures have made this...

Friday News & Notes

This week the third workshop trying to put together a US Cybersecurity Framework as required by President Obama’s Executive order was held in San Diego. You could grab some of the flavor by following #NISTCSF or spend more time watching the webcast. I have yet...

“Ultimately, none were successful”

The spring edition of the ICS-CERT Monthly Monitor’s lead story is “Brute Force Attacks On Internet Facing Control Systems”. It got picked up by a large number of the mainstream press including the Wall Street Journal. Author Rachel King points out that according to...

So You Want to Be A CIP Consultant….

Between confusing standards, odd implementations, lack of security capability from control systems, and the craziness of The Audit, NERC CIP is not a field for the faint of heart. I’ve been doing work in this space for 8 years now, and I don’t pretend to...

Project Basecamp: CoDeSys Phantom Security

This work, and slightly edited blog post, is from a new Project Basecamp researcher that prefers to remain behind the scenes. We welcome any researchers to join the Basecamp team. One of the most interesting “products” in Project Basecamp was CoDeSys,...

ISA99 on Security Patching in ICS

ISA99 continues to churn out quality security documents. Some are written to be ISA/ANSI/IEC standards and others are Technical Reports for guidance. Recently a draft of ISA-TR62443-2-3: Patch Management in the IACS Environment was released for review. Loyal readers...

Friday News & Notes

ICS-CERT issued an Alert based on Terry McCorkle and Billy Rios work on the security of medical devices. Not surprisingly they found hard coded passwords in hundreds of devices. But what action are we to take with this Alert, and what is DHS doing beyond coordinating...

Assante Counterpoints on People, Process & Technology

Guest author Michael Assante is President and CEO of NBISE, an organization focused on improving the cybersecurity workforce. Michael’s career has included ICS security roles with an asset owner, national lab and as the CSO for NERC. I enjoyed reading your post...

Friday News & Notes

The ICSJWG Spring Meeting was cancelled, purportedly due to the sequester. ICS-CERT has published the presentations and papers that were submitted for the event on their site. No news yet on a potential fall meeting, but planning should be beginning now if it is going...