Friday News & Notes

Last week cyber security legislation failed in the US Senate. This week the Obama Administration is putting the word out that they may implement the parts he believes are critical through Executive Order. Our view is that DHS has all the authority they need to make a...

Thoughts on NERC CIP V5 Unit Splits

I’ve been looking over the NERC CIP v5 lately, because of a few discussions I’ve had over the past week. Mainly, it’s been the compliance requirements for the 1500 MW Critical Generation cutoff point and the design concept for what is called a...

ICS Info Sharing Is Like Clearing Email

The article last week on Information Sharing – What Do You Want? generated some interesting discussion on and off the site. Info sharing proponents named some of the information they wanted. I’m tempted to use the overused analogy of “rearranging the...

Friday News & Notes

The Cybersecurity Act of 2012, S 3414, died in the Senate this week, although they could try again after the recess. No great loss. It wasn’t going to pass the House, and it wouldn’t have made a difference in ICS security. Jeffrey Carr over on the Digital...

Information Sharing – What Do You Want?

Call me an information sharing skeptic. The first truth of information sharing is organizations and individuals only share information if it is in their self interest. This dooms most information sharing efforts because members are in receive only mode. A second...

Government Help! ?

As the US Senate Bill 3414 gains momentum (although I’m still unsure why this is a big story until we hear of corresponding House action), it’s worthwhile looking at the sales effort around the proposed law. What we are seeing in public is likely a small...

Friday News & Notes

We will have an article next week summarizing the Black Hat, BSides and Defcon ICS related papers. So far the most interesting items are Ruben Santamarta’s backdoor in the Schneider ION smart meter and two tools that test and hack optical ports on smart...

Pwnie Plug Evolution

There is a new version of the PwniePlug, which was previously reported on by Dale. This model comes in surge-strip form factor. This project is interesting for a few reasons. First, the PwniePlug/SheevaPlug/etc devices have always turned me off a little as...

Improper Builds

Last week I hinted at a vendor which included internal source code repository information in their firmware. I contacted the vendor and am told that the secret password has been changed, so it’s time to talk about it. When I went hunting for NTP appliances...

3 More ICS Vulnerability Handling Success Stories

A lot’s happening this week in ICS vulnerability handling and a lot of it is positive. 1. ICS-CERT Takes Control I have been critical in the past of ICS-CERT’s letting vendors determine when a vulnerability is disclosed. They have changed their policy....