The big item of the week was Saudi Aramco cutting itself off from the Internet due to a malware incident. According to ICS-CERT, this would be an ICS cyber incident whether it affected their control systems or not because they run a control system. An article is...
James Arlen, @myrcurial, posted a question on SCADASEC on the phrase “utilizing demonstrated engineering experience”. Here is the pull quote/question: “If you are, say – a cookie manufacturer, and you have a cookie manufacturing line built and...
I’ve had a chance to spend some quality time with Microsoft’s Attack Surface Analyzer over the past week, which I’m going to refer to as “MS-ASA” to keep my word count down. The tool itself is pretty nifty; it gathers security and other...
Most of the talk about smart grid and smart grid security, especially in the US, revolves around automated metering infrastructure (AMI). And much of the security discussion has to do with the ability of an attacker to turn power on and off to affect customers and...
Last week cyber security legislation failed in the US Senate. This week the Obama Administration is putting the word out that they may implement the parts he believes are critical through Executive Order. Our view is that DHS has all the authority they need to make a...
I’ve been looking over the NERC CIP v5 lately, because of a few discussions I’ve had over the past week. Mainly, it’s been the compliance requirements for the 1500 MW Critical Generation cutoff point and the design concept for what is called a...
The article last week on Information Sharing – What Do You Want? generated some interesting discussion on and off the site. Info sharing proponents named some of the information they wanted. I’m tempted to use the overused analogy of “rearranging the...
The Cybersecurity Act of 2012, S 3414, died in the Senate this week, although they could try again after the recess. No great loss. It wasn’t going to pass the House, and it wouldn’t have made a difference in ICS security. Jeffrey Carr over on the Digital...
Call me an information sharing skeptic. The first truth of information sharing is organizations and individuals only share information if it is in their self interest. This dooms most information sharing efforts because members are in receive only mode. A second...
As the US Senate Bill 3414 gains momentum (although I’m still unsure why this is a big story until we hear of corresponding House action), it’s worthwhile looking at the sales effort around the proposed law. What we are seeing in public is likely a small...