In my last post I introduced Malcolm Gladwell’s Capitalization of Talent concept and concluded that the capitalization rate of SCADA security talent in the control system community rate is low. Here are some reasons why in no particular order: Security 101 is...
Almost everyone in the community, even the optimists like myself who have seen impressive progress by some vendors and owner / operators, bemoan the pace of improved security postures across the control system community. And we try to figure out why this is and how to...
There’s a great write-up on building and maintaining a Windows tiered patching infrastructure over at Ars Technica today. It sets up like this: Windows updates have historically been a constant annoyance for IT staff. Manual updates were a huge pain, and, while...
To a lot of you, this is post isn’t going to tell you anything you don’t already know, but for others I think it needs to be said again. MAC and IP addresses are easily changeable and are useless for authentication. Far too often when we’re on...
Having completed my part of the Quickdraw project, my time at Digital Bond is winding to a halt. But I thought I’d just post a retrospective on some of the things I learned on the Quickdraw project. Because this post is a bit on the long side I have decided to...
When stories about Internet based attacks on control systems, like the 60 Minutes story, appear on sites like Slashdot, most people question the need to attach the control network to another network. In my previous position at a National Laboratory, I have seen...
I wanted to wait to hear the reactions to the segment on 60 Minutes before commenting. If you missed it, see it here or read the transcript. Here are a few thoughts on the story. It is probably a net plus because 60 Minutes reaches an audience that might not be aware...
One of the reasons I went to ISA Expo in Houston last week was to try to get a fix on what ISA 99 was up to and whether it continued to matter. Historically, ISA 99 was one of the early movers in the control system security standards and guidelines space. Their first...
Someone needs to tell me where the downside is with products like CoreTrace Bouncer. I’ve tried to be skeptical of application whitelisting but the more I see, the more I like it. Recently I had the opportunity to see Bouncer demonstrated on a Yokogowa Centum...
A few weeks back while discussing some planned Nessus updates and Bandolier, I said what matters is value and improved security for your control systems, not just running a scan. There are a variety of reasons why you might want to scan your control networks but...