Assante Throws Down the Gauntlet on CIP-002

NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all...

Conficker beFUDdlement

I’ll start off by saying don’t believe all the FUD that’s been going around; we all know how many members of the media are when they get hold of a story, especially one that can have a date in the future to speculate on. That said, there are definitely...

Applying Ockham’s Razor to Control Security

An IM discussion with Jason Holcomb in regards to his recent post set my mind in motion. English philosopher/logician William Ockham postulated in the 14th century (quoting Wikipedia) “When multiple competing hypotheses are equal in other respects, the...

No More Free Bugs?

The disclosure debate is raging once again and it’s even seeing some discussion on the SCADA mailing lists. This was stirred up by the No More Free Bugs “campaign” announced at CanSecWest by Miller, Sotirov, and Dai Zovi. Accomplished guys and names that...

Does More Technology = Inherently More Secure?

How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?”. I wanted to point this one out for a couple of reasons. First, it’s a decent high level treatment of the topic. Even though it starts out with the doomsday scenario, alternate viewpoints are...

Whitelisting in Control Systems

As Jason Holcomb noted on this blog a few weeks back, there is a growing interest in applying the practice of whitelisting to control systems. In whitelisting a set of known “good” applications is created and maintained, and only applications from that list...
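To make the mechanism concrete, here is a small hash-based allowlist check written for this listing; it is an added example, not code from the blog, from Jason Holcomb, or from any whitelisting product. The "binaries" (the paths and byte strings in KNOWN_GOOD and in the scenarios) are constructed for illustration. The point it shows beyond the teaser: keying the list on the file's SHA-256 rather than on its path alone means a patched or trojanized binary sitting at an allowed path is still denied, and anything not on the list is denied by default.

```python
"""Hash-based application allowlist check (constructed example)."""
import hashlib
from typing import Dict, Tuple

# Constructed sample "binaries": path -> file contents. A real deployment
# hashes the actual executables and DLLs on the HMI or engineering workstation.
KNOWN_GOOD: Dict[str, bytes] = {
    r"C:\HMI\hmi.exe": b"MZ\x90\x00 hmi runtime v4.2 (constructed)",
    r"C:\HMI\driver\modbus.dll": b"MZ\x90\x00 modbus driver v1.7 (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(known_good: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot the known-good set as path -> SHA-256 of the file contents."""
    return {path: sha256_hex(content) for path, content in known_good.items()}


def check_execution(path: str, content: bytes, allowlist: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether an execution request should be allowed.

    Returns (allowed, reason). Anything not on the list is denied by default.
    A listed path whose contents no longer hash to the recorded value is also
    denied: a modified binary must not ride on the path's reputation.
    """
    expected = allowlist.get(path)
    if expected is None:
        return False, "not on allowlist"
    actual = sha256_hex(content)
    if actual != expected:
        return False, f"hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "allowed"


def simulate() -> Dict[str, bool]:
    """Run three constructed scenarios and return label -> decision."""
    allowlist = build_allowlist(KNOWN_GOOD)
    scenarios = {
        "unchanged HMI binary": (
            r"C:\HMI\hmi.exe", KNOWN_GOOD[r"C:\HMI\hmi.exe"]),
        "patched HMI binary at the same path": (
            r"C:\HMI\hmi.exe", b"MZ\x90\x00 hmi runtime v4.2 (constructed) + backdoor"),
        "unknown tool dropped into a temp directory": (
            r"C:\Temp\nc.exe", b"MZ\x90\x00 netcat (constructed)"),
    }
    results: Dict[str, bool] = {}
    for label, (path, content) in scenarios.items():
        allowed, reason = check_execution(path, content, allowlist)
        results[label] = allowed
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}: {reason}")
    return results


if __name__ == "__main__":
    simulate()
```

The maintenance half of the practice is the hard part on a control system: every vendor patch changes the hashes, so the allowlist has to be rebuilt from a vetted set (here, by calling build_allowlist on the new known-good contents) as part of the change-control process, not edited ad hoc on the HMI.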

Risk Management – or – Not All Risks Are Equal

There is a dangerous theme I’m hearing more and more from a variety of sources that every possible risk must be reduced immediately, right now. And if you are not doing this Mr. Asset Owner you are in security denial and being irresponsible. First this is not...

No Budget Security Ideas

I’ve talked to a few people recently who have control system security responsibility but are on a very tight or non-existent budget. Some things, like the network taps that we discussed recently, do have significant cost but there are many basic security steps...

Langner Awareness Demonstration Tool

Ralph Langner, who is on our top ten list, always has some interesting tools or information when we talk. Recently he showed me an application Langner Communications uses when having difficulty convincing asset owners they should worry about security. It is a simple...

0Days and iDays

It’s always a pleasure to talk with Ralph Langner of Langner Communications at S4. He is a leader and independent control system security voice in Europe. Ralph has developed some interesting tools to demonstrate vulnerabilities and lack of security that I hope...