PLC’s: Insecure By Design v. Vulnerabilities

While significant progress has been made in securing ICS workstation and server components over the last ten years, almost no progress has been made in securing PLC’s and other field devices. Now with researchers / hackers of all hat colors, as well as more...

Making Sense of Siemens Vulnerability Conflation/Confusion

My point: we have multiple Siemens vulnerabilities affecting multiple Siemens products and little clarity from ICS-CERT or Siemens on the totality of the vulns, the impact or the affected products — or what is queued up and ready to come next as soon as...

Siemens S7 Honeynet?

Digital Bond released a high interaction / very realistic SCADA Honeynet a few years back. Actually a better name would be a PLC Honeynet because it appeared to be a Modicon PLC. It has a points list with realistic values from an actual PLC that can be accessed via...

Industrial Defender Prices New Service By MW

Industrial Defender, an ICS security products and services vendor, issued a press release announcing three new security services for power plants: Monitor, Manage and Protect. What is novel about the offering is the pricing model. Pricing is based on the megawatts of...

Process Failure Issues – Add Compromise To Troubleshooting

Michael Toecker started an interesting, if slightly disingenuous, thread on control.com. He asks for approaches to the following problem: You’ve been experiencing periodic failures of equipment that is important in the reliable and successful completion of your...

Diverging Views on NERC CIP Flaws

I have yet to meet anyone, who is not on the NERC payroll, who believes that the CIP standards are resulting in anything close to effective and efficient improvement in the bulk electric system’s security posture. (Even ex-NERC and regional entity employees who...

What’s Worse, Incompetence or Deception?

Yesterday Dillon Beresford announced and ICS-CERT confirmed that the Siemens’ S7-200, S7-300 and S7-400 families of PLC’s suffered from the same replay vulnerability as the S7-1200. Siemens had not announced this even though they have had the information...

ICS Security Training

This week I’m teaching our updated three-day course on Control System Security for Control System Engineers for a client. One thing I learned from my experience teaching at Infosec Institute more than five years ago is it is very hard to make an interesting...

Siemens Security Tap Dance or Reality?

This week Siemens held its Automation Summit in Orlando, and security was heavy on the agenda. In an earlier blog I took to task Byres, Langill and other security guru’s, really top notch talent, for providing cover to a poorly performing vendor by attending,...

Cyberwar Rules and Law

The Iranian Supreme National Security Council has called for the “International Atomic Energy Agency (IAEA) to form a fact-finding committee to detect agents involved in nuclear terrorism and operation of Stuxnet computer worm to attack nuclear industry”....