Industrial Espionage, à la AutoCAD

A story that broke around June 22nd, and that most of us in the ICS world missed, was the discovery of a virus targeting engineering drawings. Its name is ACAD/Medre.A, and it is specifically designed to snarf up AutoCAD files and email them to (supposedly)...

Analysis of EMET Effectiveness

If you are interested in the effectiveness of Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET), read Gal Badashi’s post on the Security Bits blog, Tweaking Metasploit Modules to Bypass EMET – Part 1. He takes a released Metasploit exploit and...

Friday News & Notes

Sorry for the absence last week, but I was at a SCADA Security Summit up the Wilder Kaiser in the Alps. The best kind of summit with only 1/3 of the talk on ICS security, beautiful scenery and Tyrolean food / German beer in the huts. The WikiLeaks story on...

Wurldtech Certifies Schneider To Certify Schneider

Wurldtech recently certified Schneider Electric as a Communication Certifier.  It took me a bit to wade through what this really means.  Schneider is now authorized to run the Wurldtech Achilles device against Schneider’s own systems, and give their...

Schneider Modicon FTP Backdoor Counter

The recent approval by Wurldtech for Schneider to self-certify their products as meeting Achilles certification requirements was enough of a push to put up a replacement for the Siemens / Stuxnet counter, as Reid has been suggesting for months. The counter debuts at a...

Japanese NHK 30 Minutes on PLC Vulns

Close Up Gendai is a long-running, serious and popular program on Japanese national television station NHK. The audience tends to skew older, but everyone in Japan knows Close Up Gendai. So we were pleased to cooperate with the NHK crew when they wanted to do a...

Updated: PNNL Misleading McAfee Marketing As DoE Assessment

I wrote recently about Pacific Northwest National Labs’ (PNNL) “assessment” of McAfee’s security products’ applicability for Energy Sector ICS. I called it a love letter and questioned how a National Lab or any other firm that does an assessment could...

Are We Spending Enough or Too Much On Security?

The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don’t spend enough, and Bruce...

Economics of Smart Grid Privacy – WEIS

An injurer (company) first balances expected cost of harm with the cost of prevention. This morning at the Workshop on the Economics of Information Security (WEIS) was devoted to privacy. This is an area that was not historically important in ICS, but privacy is a...

Do Contagion and Prey/Predator Models Explain Increase in ICS Vulns?

My hope in attending WEIS is to learn of new methods for applying security economics to the ICS world. One area of interest is a model to explain the increase in ICS reported vulnerabilities and predict and profile future vulnerabilities. Two models were raised in a...