ISA’s ISASecure has been working on an Embedded Device Security Assurance certification. We have previously reviewed, see links at the bottom of the post, the Functional Security Assessment and Software Development Security Assessment documents that represented...
If you don’t have the time to read a 120 page report, take a quick look at the 19 report overview slides. A true, directed cyber or blended attack is what makes risk management for control system cyber security so difficult. Talk to a moderately skilled hacker...
We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications. Recently Daniel spent a couple of days black box testing a widely used control system application...
We could be looking at highly successful Smart Grid program results that are viewed as failures because of improperly set expectations. Let me explain. After Distributech in March, I blogged some thoughts on where Smart Grid stood and what the future might bring. It...
Loyal blog readers know we have been talking about and tracking the increased use of cellular modems in SCADA systems. These are often accessible from the Internet, almost always accessible by other users with service from the same cellular company, and so far always...
That was the question Ralph Langner asked in a comment on a Friday News and Notes item, and then he and Michael Toecker had an interesting back and forth. Here is my two part answer. 1. Because when you have an IP network, a small segmented island can intentionally or...
Code signing is a security feature that has been around for quite some time, and has been proven in many other areas, but it is uncommon to find it in any control system component and very rare to find it in control devices where firmware uploading is an important...
Earlier blog entries talked about the ISA Embedded Device Security Assurance Certification and the validation methods for the Functional Security Assessment part of this certification. In this entry I’ll review the as yet unpublished validation columns in the...
I recently reviewed the two published drafts for the ISASecure Embedded Device Security Assurance Certification and had a number of comments on how easy or hard it would be for third party testing of the requirements. Since that review ISASecure was kind enough to...
I’m about to touch the 3rd rail of control system security – Joe Weiss. I can’t tell how many times at industry events, dinners, conference calls or any other gathering of people in the community, a portion of the conversation turns to griping about Joe....