When ICS-CERT was created I expected a lot more. I expected analysis and insight from skilled ICS security experts. The reality is ICS-CERT is merely a coordinator of communication between vulnerability finders and the vendor. ICS-CERT Alerts and Advisories simply...
Note: I have two posts going up tomorrow on ICS-CERT and DHS. The first is on what ICS-CERT actually does vs. expectation and lore. The second is reaction to the DHS Office of Inspector General (OIG) report on DHS’s performance in securing ICS. Yesterday...
Key Defense in Depth Principle: Don’t rely solely on the security perimeter(s). Secure the assets inside the perimeter to withstand attacks. As we have covered ad nauseam on this site and clearly demonstrated in Project Basecamp, almost all PLCs,...
Mark Clayton of the Christian Science Monitor broke the story of a 6-month spear phishing campaign on 23 gas pipeline companies. “Sensitive files were stolen that could give a cyberintruder the ability to control, or alter the operation of the pipelines,...
Ralph Langner has paired with Perry Pederson for his first major paper at the Brookings Institution – Bound To Fail: Why Cyber Risk Cannot Be “Managed” Away. The authors write “The sober reality is that in respect to the cyber security...
For the second week we have a story that dwarfed all others and led to a flurry of mainstream press interest — of course it is Mandiant’s Whitepaper on APT1. The related inside-baseball story I’m waiting for is how much all of this has been...
A lot of Digital Bond readers are not electric power professionals, so I figured some 101 on the electricity sector might be appropriate. One of the more fascinating, and least understood even by power professionals, aspects of electric power is the electric power...
The Journal of Strategic Studies published my article Offensive Cyber Weapons: Construction, Development and Employment, and it is now available for free download. Thanks to Thomas Rid for inviting me to write this and organizing the five articles on this topic. I had...
Of course the big story was President Obama’s Executive Order Improving Critical Infrastructure Cyber Security with the key elements being information sharing and the development of the cybersecurity framework. The biggest potential impact is a possible...
I presented “You Have No Integrity” today at the SANS SCADA Security Summit in Orlando, Florida. The presentation included numerous examples of how ICS lack integrity — if you can get to the ICS it is game over because source and data authentication...