ICS Vulnerability Prioritization Problem

My Point: The ICS vulnerabilities being found and trumpeted have little impact on SCADA and DCS that run the critical infrastructure. Somehow we need to get the increased effort to identify vulnerabilities focused on the critical ICS applications and components....

The “It Won’t Stop Stuxnet” Fallacy

We are hearing more and more that a particular security control is inadequate or not worthwhile because “it would not have stopped Stuxnet”. This has come up in numerous comments on this blog and in other places, such as my friend Jake Brodsky’s blog...

Fix The Problem, Stop Bailing Out Vendors

My point — we, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data...

Stop Talk – Make A Star

While acting with the best of intentions, DHS and Siemens persuading Dillon Beresford to drop his “Chain Reaction: Hacking SCADA” talk at Takedown last month has backfired. My favorite tweet on the subject is: This is so true, like the “coverup...

Time to Replace SecurID Tokens?

A significant percentage of ICS owner/operators use SecurID tokens for strong, two-factor authentication for remote access. Similar to the IT space, it has the largest market share by far. With the recent hacks of RSA and Lockheed, it is time to reconsider if you can...

The Lost Decade

Digital Bond performed its first SCADA security assessment in 2000. The 9/11 attacks that supposedly changed everything in critical infrastructure security occurred in 2001. Yet as we have chronicled in this blog, the ICS community as a whole is still amazingly...

DHS Updates Best ICS Vuln Statistics Available

In 2008 DHS issued the first edition of Common Cybersecurity Vulnerabilities in Industrial Control Systems based on 15 ICS security assessments of either products or deployed systems they performed from 2004 to 2008. They just released an update to this document that...

WAKE UP!!! PLCs ARE VULNERABLE!

Trying a new, blunt method of communication because numerous blog entries, presentations and papers just aren’t getting through. Please read and reread the following paragraph: If you have network access to almost any PLC, RTU or other type of field device, then...

Senate Looks At White House Cybersecurity Proposal

The Senate Committee on Homeland Security & Government Affairs held a hearing on the recent White House legislative proposal on Cybersecurity. Pay attention to this as it would have a big impact on the most critical infrastructure, and there have been efforts to...

Researcher Talk Pulled, When Will Siemens Talk?

Yesterday Dillon Beresford cancelled his talk and demonstration titled Chain Reaction: Hacking SCADA at the Takedown event after a discussion with DHS and Siemens. Wired has an article with the details which includes the Beresford quotes “Based on my own understanding...