Last week Infosec Island published the article, Report Shows Energy Infrastructure Susceptible to Attack. The article discusses a recent report, The State of IT Security: A Study of Utilities and Energy Companies, issued by the Ponemon Institute. Did we really need a...
It’s difficult to find hard data in the ICS security realm, so Industrial Defender’s recently published survey provides some welcome data points. The survey is officially titled “Managing Automation Systems: Critical Infrastructure Operators’...
Guest author Jason Holcomb is a Digital Bond alumnus who is now a Senior Security Consultant for Lockheed Martin’s Energy and Cyber Services group where he is responsible for providing critical infrastructure security consulting services and integrating ICS security...
Back in September 2010 Ralph Langner had hard evidence that the Stuxnet code was fingerprinting and attacking a specific process in a PLC. After Ralph announced his findings, and we blogged on them extensively, it was weeks before it got seriously picked up...
The Energy Sector Cyber Security Roadmap developed by the US Dept of Energy was well received when it first came out in 2006 and was recently revised. Other sectors saw this and it has led to a Water Sector Roadmap, Chemical Sector Roadmap and various other sector...
ICS-CERT updated their Advisory ICSA-11-094-02A – Advantech/Broadwin WebAccess RPC Vulnerability last week, and inspired us to start our Insecure Products List. The update was short but serious: “Advantech/BroadWin has notified ICS-CERT that a patch will...
A number of related issues brought up at ICSJWG have been floating around my head in the long flight to Asia: market failure, regulation and the public’s right to know. At ICSJWG a friend reminded me that in his S4 keynote Dr. Ross Anderson said that regulation is...
Previous blog entries have covered Day 1 and the Vulnerability Disclosure Panel. Here is a bit of news from Day 2 and summary thoughts. Summary Thoughts: DHS puts on a quality event both in the organization and agenda. It’s definitely worth attending if you...
The reason I attended ICSJWG was I had the surprising opportunity to participate in a vulnerability disclosure panel. Surprising because DHS knew I was likely to be quite critical of certain vendors and ICS-CERT. The panelists had ten minutes for a presentation then...
We have been focusing on the Duqu targeting in an attempt to determine what risk, if any, Duqu posed to SCADA and DCS owner/operators. In the last 24 hours there has been more confusion and then some clarity with new bulletins from ICS-CERT and Symantec. Eric Chien of...