Getting Beyond Passwords

Jason is spot on in his last post on default and easily guessed passwords. Extending Jason’s rant a bit here . . . passwords don’t work. This isn’t news; we all live with the problem and have our own work around because humans can’t remember...

Will IEC Save ISA99?

ISA99 is one of the oldest and prolific control system security standards groups. They published the first quality technical reports on the topic, and have an ambitious 14 document work plan depicted at the bottom of the post. The working groups are gaining members...

Senate Hearing Notes

Yesterday the Senate Homeland Security and Government Affairs Committee held a hearing on Securing The Critical Infrastructure in the Age of Stuxnet. There were four panelists and here were my notes: Sean McGurk – DHS Acting Director, National Cybersecurity and...

The Automation Press (or Press Release)

I wrote the blog below last weekend and didn’t post it because maybe we were suppose to know the article was a press release even though it looked like an “article”. Today I received the same article in an Automation World News Insights email...

Security Takes People

As the year starts to wind down we’ve been pleasantly surprised at how much progress many owner/operators have made in their security posture. The plants and SCADA systems that have made the most progress have devoted manpower to security. They have people...

Security Assurance Levels – Dream or Possible Reality?

Asset owners want DCS and SCADA security to be at least straightforward and preferably easy, especially when safety and security guys get together. Safety systems have a Safety Integrity Levels (SIL) that specifies the expected dangerous failure rate. So if a system...

Vendor Vulnerability Handling Dry Run

Almost without fail, vendors mishandle their first contact with a security researcher who has found a vulnerability in their product. This problem is not unique to control system vendors, and there are many tales of mishandling including the well documented Core...

Researchers and Disclosure

The change in terms from “responsible” disclosure to “coordinated” disclosure is welcome and wise. The various parties involved, vendor, user, researcher, CERT, will rarely agree on what is “responsible”. Maybe there is some...

What You Should Know About SHODAN and SCADA

In case you missed it, ICS-CERT issued an advisory about using SHODAN for identifying SCADA components connected to the Internet. The advisory covers the issues and the IT news outlets are picking up the story as well. Rather than echo that information or complain...

Why Will HSIN Work?

The concept of information sharing among a community of vetted users is appealing – – and it has been tried numerous times. Back in the ’90s when InfraGard started membership grew quickly at the promise of getting threat and attack information from...