Changing Life Cycle Expectations

I have had talks with a number of other vendors about how control system life cycles will have to change, and slowly are changing. For a long time it has been buy and install a SCADA or DCS, change it as little as possible for ten to twenty years, and then completely...

Nuclear Industry Cyber Security Regulation 5.71

In January the Nuclear Regulatory Commission issued NRC 5.71 Cyber Security Program for Nuclear Facilities. It is interesting that the NRC took a very NIST SP800 approach, specifically using the NIST document's high-impact baseline as a starting point. We did not do an...

Reading between the lines of VU#144233

I’m a week or two late on this, but I think that the community as a whole has paid far too little attention to the advisory released a few weeks ago by the folks at C4/CERT, and the response to them by Rockwell. Full disclosure, I have not personally verified...

Best Way to Fuzz Part 2

A few thoughts after the intelligent comments, additional info, sound and fury: Microsoft is in the very rare top tier of companies spending time and money on security. In gross $ and time probably number 1 and very high on a percentage of security to software...

All your serial are belong to us!

Today’s press release from an unnamed company (to protect the innocent of course) has driven me to zombify the tired “all your base” internet meme. In our ever growing drive to trade security for ease of use and convenience you can...

Observations from the McAfee “Crossfire” Report

Last week McAfee and CSIS released a report titled In the Crossfire: Critical Infrastructure in the Age of Cyber War. Honestly, I dismissed it at first as marketing hype and even took some shots at it on Twitter because of the lack of real data. But they are actually...

Best Way to Fuzz?

There was an interesting discussion and information on what is the “best way from an ROI measure” to fuzz test at the CERT sponsored Vulnerability Disclosure Workshop in DC this week. It led to some tweets back and forth between Digital Bond alumni Matt...

747-8/-8F Models and Network Security

Earlier in the week I came across a very interesting article regarding control systems that we normally do not discuss, but which have an issue similar to one we experience in other control system implementations. The FAA recently published a “special conditions”...

Oil Companies and APT

There is an interesting story from the Christian Science Monitor regarding attacks on some US oil companies. According to the article, the attackers used the same techniques described at S4 2010 in the keynote speech on Advanced Persistent Threat (APT), given by Kris...

3 Reasons You Should Be Using Credentialed Scanning

Scanning with credentials has opened a new frontier for security assessment. Here’s an analogy: traditional vulnerability scanning is like a mechanic evaluating a car just by looking at the outside and listening to the motor run. It’s useful but there is...