8 Dec 2010 | 2010
Jason is spot on in his last post on default and easily guessed passwords. Extending Jason’s rant a bit here . . . passwords don’t work. This isn’t news; we all live with the problem and have our own workarounds because humans can’t remember...
30 Nov 2010 | 2010
ISA99 is one of the oldest and most prolific control system security standards groups. They published the first quality technical reports on the topic, and have an ambitious 14-document work plan depicted at the bottom of the post. The working groups are gaining members...
18 Nov 2010 | 2010
Yesterday the Senate Homeland Security and Government Affairs Committee held a hearing on Securing The Critical Infrastructure in the Age of Stuxnet. There were four panelists and here were my notes: Sean McGurk – DHS Acting Director, National Cybersecurity and...
17 Nov 2010 | 2010
I wrote the blog below last weekend and didn’t post it because maybe we were supposed to know the article was a press release even though it looked like an “article”. Today I received the same article in an Automation World News Insights email...
16 Nov 2010 | 2010
As the year starts to wind down we’ve been pleasantly surprised at how much progress many owner/operators have made in their security posture. The plants and SCADA systems that have made the most progress have devoted manpower to security. They have people...
11 Nov 2010 | 2010
Asset owners want DCS and SCADA security to be at least straightforward and preferably easy, especially when the safety and security guys get together. Safety systems have a Safety Integrity Level (SIL) that specifies the expected dangerous failure rate. So if a system...
4 Nov 2010 | 2010
Almost without fail, vendors mishandle their first contact with a security researcher who has found a vulnerability in their product. This problem is not unique to control system vendors, and there are many tales of mishandling, including the well-documented Core...
3 Nov 2010 | 2010
The change in terms from “responsible” disclosure to “coordinated” disclosure is welcome and wise. The various parties involved (vendor, user, researcher, CERT) will rarely agree on what is “responsible”. Maybe there is some...
2 Nov 2010 | 2010
In case you missed it, ICS-CERT issued an advisory about using SHODAN for identifying SCADA components connected to the Internet. The advisory covers the issues and the IT news outlets are picking up the story as well. Rather than echo that information or complain...
1 Nov 2010 | 2010
The concept of information sharing among a community of vetted users is appealing, and it has been tried numerous times. Back in the ’90s when InfraGard started, membership grew quickly at the promise of getting threat and attack information from...