The recent approval by Wurldtech for Schneider to self-certify their products as meeting Achilles certification requirements was enough of a push to put up a replacement to the Siemens / Stuxnet counter as Reid has been suggesting for months. The counter debuts at a...
Close Up Gendai is a long-running, serious and popular program on Japanese national television station NHK. The audience tends to skew older, but everyone in Japan knows Close Up Gendai. So we were pleased to cooperate with the NHK crew when they wanted to do a...
I wrote recently about Pacific Northwest National Labs (PNNL) “assessment” of McAfee’s security products’ applicability for Energy Sector ICS. I called it a love letter and questioned how a National Lab or any other firm that does an assessment could...
The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don’t spend enough, and Bruce...
An injurer (company) first balances expected cost of harm with the cost of prevention. This morning at the Workshop on the Economics of Information Security (WEIS) was devoted to privacy. This is an area that was not historically important in ICS, but privacy is a...
My hope in attending WEIS is to learn of new methods for applying security economics to the ICS world. One area of interest is a model to explain the increase in ICS reported vulnerabilities and predict and profile future vulnerabilities. Two models were raised in a...
Patrick Coyle posted over the weekend that ICS-CERT has updated their “Internet-connected control system” bulletin, first posted in January 2012. The update points out additional control systems vendors and rightly shows the concern that default passwords...
I’m in Berlin preparing to attend the Workshop on the Economics of Information Security (WEIS). ICS owner/operators act in their own best self-interest. This is rational behavior for any person or organization. Owner/operators that don’t spend money on ICS...
Patrick Coyle correctly takes WAGO to task for providing the remediation advice of disabling EtherNet/IP and the web interface if not used. They didn’t fix the vulnerability, and it took them five months to put out this advice? Actually, ICS-CERT put out that...
Few things beat patching, yet on industrial control systems patching is often delayed and delayed and delayed until some event forces the owner’s hand. Antivirus is often used as a stop-gap measure to delay patching. This is often not a very good approach....