Friday News & Notes

We have put up a Vimeo Portfolio that includes the ten S4x13 videos released to date. There are still a few more to come. You can always find the link to the S4x13 and S4 2012 video portfolios in the right column of the digitalbond.com home page. The US Dept of Energy...

S4x13 Video: WinCC Under X-Rays by Sergey Gordeychik

Sergey Gordeychik of Positive Technologies presents in 45 minutes a large number of vulnerabilities in WinCC at S4x13 — yes the WinCC of Stuxnet fame. There are also some findings on the S7 PLC’s. The work is part of the impressive SCADA Strangelove...

Disconnect: Defunding EnergySec/NESCO & Promoting Info Sharing

EnergySec experienced an unhappy holiday season last December as a significant number of the employees were let go, reduced their hours, deferred pay or shifted to unpaid volunteer status. These were people at all levels of the organization from the CEO, who included...

NERC CIP Version 5 Background

Chris Jager is a freelance security consultant who is always looking for interesting projects related to NERC CIP or ICS cybersecurity. In this four-part guest post series, he’ll go over changes to the NERC CIP standards and challenges facing the industry as they...

Friday News & Notes

Kelly Jackson Higgins has a Worth Reading article on ICS-CERT. The common line of defense of ICS-CERT is a CERT only does coordination, and we should not expect more. I’m glad that Kelly included ICS-CERT’s mission verbatim in the article. What really has...

Training: Cyber Security for Power Generation

There are a number of very good general ICS security courses available, such as Red Tiger, SCADAhacker, UtiliSec or the INL courses. We thought we would try a course aimed at a specific type of control system with the hope of providing more tailored, understandable...

Ralph & Dale at ICS Security Salon – Munich

Loyal blog readers probably have figured out that I have tremendous respect for Ralph Langner. We have had the opportunity to discuss ICS security issues at S4 and via email for years, and in recent years find ways to go hiking (true SCADA Security Summits) and...

The Scary No-Motive Defense & Offense x 13

I’m often asked by reporters if ICS are so insecure why there have been no dramatic and devastating impacts of ICS cyber attacks. The only answer I have is that the consequences to the attacker if they are caught have exceeded the reason or motive up...

How DHS Can Best Help ICS Security

Information sharing is a key component of President Obama’s Executive Order with emphasis on sharing information on threats and incidents. With the current insecure state of ICS, the value of this information is limited to the question IF we should start to...

DHS OIG Review of ICS-CERT & DHS

The DHS Office of Inspector General released the report DHS Can Make Improvements To Secure Industrial Control Systems on Valentines Day. After US Defense Secretary Leon Panetta recently focused on critical infrastructure attacks in his “Cyber Pearl...