After working on a few factory acceptance tests for SCADA and DCS implementations, I have some suggestions for the process as it relates to security, and particularly security configuration testing. They can be roughly categorized as suggestions for the vendor, for...
I attended a half day workshop on Vulnerability Disclosure — yes there is no permanent escape from this topic. But after taking some time off and listening again I may have had an epiphany. Let’s go back to the beginning with IT vulns, why were...
In a world of remotely exploitable vulnerabilities and inherently vulnerable protocols, permissions on a control system server may seem insignificant. With 20+ Bandolier security audit files under my belt, though, I have a different opinion. Think about all the...
Just a quick update on the happenings here at Blackhat. The good news is that this year the quality of the presentations seems to have improved, or maybe I've just gotten better at choosing interesting sessions. Most of the research that had a direct...
Effective information sharing about vulnerabilities, security incidents and other security issues is a hard problem. Most owner/operators are reluctant to share anything that could make them look bad or worse, but these same asset owners see the benefit of receiving...
Long time and loyal blog readers know that Digital Bond and I personally were early supporters of the Achilles test platform and protocol stack certification. In fact our vocal support even resulted in a contract to help create the Achilles Level 1 Certification...
We have another control system incident in the news that will surely fill up slidedecks for the next decade. News became public yesterday of an arrest of security guard involved in a compromise of the HVAC system, and likely the rest of the hospital network, at...
We are pleased to announce the beta release of some Quickdraw software components today. Quickdraw is a Digital Bond research project funded by the US Department of Homeland Security (DHS). This beta release is the first three SCADA IDS preprocessors that were the...
We have been blogging about the benefits of virtualization in control systems. Asset owners have been reluctant to embrace virtualization until it was blessed by the vendor, and this is understandable. A few vendors have been working on virtualization support, and the...
The NERC CIP cyber security work in the electric sector has been fast and furious as deadlines approach, as have the comments on the value, or lack thereof, of this effort. I am very confident in the following two conclusions based on working with many of the asset...