Secure By Default … No Sale

It is so disheartening. Secure By Default is a straightforward and critically important security concept. The default settings for a device or application should be secure settings so an administrator must turn off security to weaken rather than turn on security to...

Software Quality Varies in OPC Servers

The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal. 1. The latest is Landon’s work to verify...

OPC Vendor Security Limitation?

There’s been a delay in releasing the final paper of the three part OPC Security Whitepaper series as the paper has been going through some extensive testing. Our initial testing was with a limited number of servers, as a large number of OPC servers exist and...

NERC v. ERO

Discussions with Joe Weiss and reading his recent blog entry have me thinking. While I don’t agree with his assessment of the value of the current CIP standards as written, he might be on to something with potential disharmony between FERC’s expectations...

Shared SCADA WAN: Enterprise, Surveillance and VoIP

A few new fronts are emerging in the battle between physical and logical separation of SCADA WANs. When we perform assessment and architecture projects we always ask if there are any new applications or changes expected in the near future. Increasingly we hear...

When More Security Is Not The Answer

We are increasingly running into situations where asset owners are cobbling together multiple security controls to provide unnecessary and risky functionality they would never have considered in the past. The most common example is providing the ability to manage and configure...

Is Sloppy Use of SCADA a Problem?

I’m prepping for my podcast interview with Joe Weiss on security awareness in control systems and came across one point that didn’t make the cut, but is still interesting. Some people in the community get very upset when SCADA is used as a term to cover...

Testing RTUs, PLCs, IEDs, etc. in Asset Owner Assessments

Assessing the security posture of an asset owner’s SCADA or DCS typically does not involve looking for new, zero-day attacks. Instead, it focuses on identifying protection against known vulnerabilities, as well as good practice configuration and implementation,...

Vivid Example for Separate Domain/Tree/Forest

Many SCADA and DCS vendors are integrating their applications with Microsoft’s Active Directory. There are some benefits to this: Control system vendors no longer need to develop and maintain a user management system and other directory services (typically not a...