Here is our list of the top ten control system stories for 2008. 1. Vulnerabilities Discovered by Non-Control System Company Core Security and others outside of the control system community started testing freely available demo versions of control system applications...
Bill Gross has an interesting comment on Jason’s regulation post. Here is the key excerpt: To that end, you would see the virtual elimination of security flaws in systems if you target you regulation in a way that:1) Makes vendors accountable for financial...
I finally had a chance to read through the Center for Strategic and International Studies [CSIS] paper on Securing Cyberspace for the 44th Presidency. This group appears to have some clout so some of the recommendations may come to pass. Still mulling the...
Let’s get this out of the way application whitelisting does not equal perfect security. But neither do any of the other host-based security products that are competing to get on your control system servers and workstations. The bloated AV programs that do...
Let’s face it, no matter how hard we try, or how elaborate the defense, sometimes the fox gets in the hen house (Or sometimes it just eats at McDonald’s). When I was in college taking a computer systems design course my professor stated that computer...
I was first encouraged and then disappointed to read the press release announcing Honeywell’s Experion C300 Controller had achieved Achilles Level 1 Certification. I was pleased to see another vendor stepping up to get their controller protocol stack tested....
Last month I ran across the CoreTrace booth at the ISA Expo. Ever since that happenstance introduction, their name and the concept behind their Bouncer product keep popping up in conversations, news feeds, and even Google advertising — mostly in the context of...
Antivirus is one of those things that is a standard recommendation on almost any assessment you’ll find, but maybe this is something we need to start rethinking. We all know that for the most part the current AV model is an arms race that’s not very...
Last month I mentioned briefly that there are additional functions of Nessus credential checks beyond the policy compliance plugins we’re using for Bandolier. The example in that blog post allowed you to “scan” all 65,535 ports safely and with...
Having been involved in this industry (control system security) for the last five years, a quick examination of what progress has been made in securing critical infrastructure leads me to the conclusion of “not very much”. The industry if still...