Koyo Responds

Koyo/Automation Direct has responded to Basecamp and has made many of the right moves. Yesterday’s ICSA-12-102-02 pretty much says it all: Koyo has disabled the device’s webserver by default, and they’ve added a lockout feature to password...

The Future of Project Basecamp

First a reminder of the goal: The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end. SCADA and DCS owner/operators will demand a secure and robust PLC, and this...

AppSecDC In Review

While there were some great talks at AppSecDC, the attendance at their Critical Infrastructure track was not very high. Critical Infrastructure is a new topic area for the AppSec conference this year and it’s unclear if it will survive. OWASP has a...

Why WAGO in Project Basecamp? Answer: 3S CoDeSys

On Friday I wrote about why the Stuxnet-type exploit module for the Modicon Quantum was important to show just how easy it is to upload rogue ladder logic. The other big news from Reid’s presentation, you can see the slides below, was the introduction of the WAGO...

Stuxnet-Type Attacks Are Easy

Reid presented the latest from Project Basecamp yesterday, what he called Camp 4, at AppSec DC. He has done great work in a short amount of time, between the paying projects and I suspect often on nights and weekends. I didn’t want to step on his blog article...

Friday News & Notes

DHS released version 4.1 of their Cyber Security Evaluation Tool (CSET). This version adds Visio support for network diagrams. CSET is a good do-it-yourself option for those who can’t afford pricey consultants like Digital Bond. I hope to give it a test drive...

Project Basecamp: News from Camp 4

Today Digital Bond released two new Metasploit modules affecting Schneider Modicon Quantum PLCs. I believe that these only affect PLCs with a “Unity” Ethernet card, although I would guess that the exploit could be adapted to other controller types with...

Regulation Lessons From NERC CIP

Bryan Owen and Ralph Langner had great comments on our recent NERC CIP, Non-US Utilities and Security article. Here is an extended version of my response and comment. --- NERC CIP has certainly provided some useful data points and leads to what I...

Economics of Information Security

I’ve been wanting to go to the Workshop on the Economics of Information Security (WEIS) for a decade now. This year it is in Berlin so I’m registered, committed with plane tickets in hand for WEIS 2012, June 25-26. Economics of Information Security is...

NERC CIP, Non-US Utilities and Security

Sometimes it helps to escape the bubble to get new information and fresh thoughts. Below are three recent information points and four observations on regulation and real security after a long trip outside the US. Some of the observations are not new, but they are big...