Oftentimes those involved in operating critical infrastructure are given a false sense of security when looking over the daily stream of vulnerability disclosures and patch information, as these feeds/lists seem to seldom contain anything specific about their...
Recently, two members of the European Commission, Viviane Reding and Meglena Kuneva, proposed that the European Union’s (EU) consumer protection rules for physical products be extended to software. This expansion of the consumer protection rules to include...
This is a little deviation from our usual critical systems, but considering it is a tool that heavily influences whether a guilty person goes free or an innocent one goes to jail, it seems critical to me. In the State v. Chun case the defendant argued for analysis of...
George Will wrote an interesting column on the folly of government pursuing rules and executive actions to achieve impossible goals. Here is the key paragraph in the typical Will style: Gulliver’s travels took him to the Academy of Lagado, where “professors...
Yes, you read the title correctly. There is a new and improved security driven version of Windows being distributed. The National Institute for Standards and Technology, the Defense Information Systems Agency and the Center for Internet Security consulted on this...
Some observations after going through the tedious process of creating and modifying Windows service policy checks for an upcoming Bandolier release… 1.) The value of the OS-level audit files is different than I first thought. I blogged about this last year after...
Portaledge is Digital Bond’s control system security research project funded by the US Department of Energy. We recently issued the first release and are nearing the second, so this is a good time to discuss, with practical examples, what Portaledge is, how it...
It’s been a little while since we’ve had a Quickdraw update, and I wanted to fill everyone in on how we’re doing and the approach we’re using. As we’ve described before, we’re basing the project on the Snort 2.8.x tree, and we could do...
Many of us in the Control System community feel pretty secure in the belief that our critical networks are not directly connected to the internet, and as such are insulated from attack. Apparently (and as oft has been stated) this is not sufficient protection, if the...
Two weeks ago I was fortunate, along with about one hundred others, to be invited to an initial planning meeting of DHS’s Industrial Control System Joint Working Group [ICSJWG]. Here are some thoughts after a few weeks to ponder what happened there. ICSJWG is...