Security and reliability are two terms used quite often in our industry. Though I have been in the control systems realm a short time, it appears that many people view the two subjects as opposing forces. I believe that is most cases security should be considered an...
Reversing patches to create exploits is nothing new, and it tends to occupy the time of a lot of security researchers around the 2nd Tuesday of every month, but an interesting research paper was published recently from a few graduate students at CMU, Berkeley, and...
I’m sure many of you have been spammed by an email from TDI about a “NERC CIP Cyber Asset Alert”. I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately...
The ISA99 WG4 was discussing a security methodology called BSI IT grundschutz that was new to me. Hans Daniel provided a very concise and useful summary that he kindly allowed us to post on the blog. UPDATE: A link to the English version of IT grundshutz courtesy of...
When I first got started with Bandolier, I thought the bulk of the value would be in the security checks of the control system application itself. Getting to this information involves digging into how the app works, identifying the most secure configuration, and...
Our Dept. of Energy funded research project will result in a number of different tools for Digital Bond site subscribers. We have blogged on Bandolier, the development of control system security audit templates for Nessus and other vulnerability scanners. Now let me...
The conference was organized by Dr. Mauricio Papa, Assistant Professor of Computer Science at the University of Tulsa, Dr. Sujeet Shenoi, F.P. Walter Professor of Computer Science at the University of Tulsa, and Eric Goetz, Associate Director for Research at I3P, and...
In last week’s Friday News and Notes we mention a story on access and management of PLC’s via Blackberry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in...
There still are a tremendous amount of wasted cycles in the community discussing and arguing that control system security is different than IT security. So what? Who cares? Isn’t almost everything different? Water (canal) SCADA is different than pipeline SCADA...
I was a little late catching it, but Richard Bejtlich made a post titled “First They Came for Bandwidth…” over on his TaoSecurity blog last week that is worth reading. He argues that one of the problems with being in a defensive position with regard to security...