Loyal blog readers probably have figured out that I have tremendous respect for Ralph Langner. We have had the opportunity to discuss ICS security issues at S4 and via email for years, and in recent years find ways to go hiking (true SCADA Security Summits) and...
I’m often asked by reporters if ICS are so insecure why there have been no dramatic and devastating impacts of ICS cyber attacks. The only answer I have is that the consequences to the attacker if they are caught have exceeded the reason or motive up...
Information sharing is a key component of President Obama’s Executive Order with emphasis on sharing information on threats and incidents. With the current insecure state of ICS, the value of this information is limited to the question IF we should start to...
The DHS Office of Inspector General released the report DHS Can Make Improvements To Secure Industrial Control Systems on Valentines Day. After US Defense Secretary Leon Panetta recently focused on critical infrastructure attacks in his “Cyber Pearl...
DHS ICSJWG is starting a new Standards subgroup “to identify current industrial control systems security standards that exist, assess and evaluate a relevant set of baseline control systems standard requirements, and create and maintain a catalog of timely...
When ICS-CERT was created I expected a lot more. I expected analysis and insight from skilled ICS security experts. The reality is ICS-CERT is merely a coordinator of communication between vulnerability finders and the vendor. ICS-CERT Alerts and Advisories simply...
Note: I have two posts going up tomorrow on ICS-CERT and DHS. The first is on what ICS-CERT actually does vs. expectation and lore. The second is reaction to the DHS Office of Inspector General (OIG) report on DHS’s performance in securing ICS. Yesterday...
Key Defense in Depth Principle: Don’t rely solely on the security perimeter(s). Secure the assets inside the perimeter to withstand attacks. As we have covered ad nauseam on this site and clearly demonstrated in Project Basecamp, almost all PLC’s,...
Mark Clayton of the Christian Science Monitor broke the story of a 6-month spear phishing campaign on 23 gas pipeline companies. “Sensitive files were stolen that could give a cyberintruder the ability to control, or alter the operation of the pipelines,...
Ralph Langner’s paired with Perry Pederson for his first major paper at the Brookings Institution – Bound To Fail: Why Cyber Risk Cannot Be “Managed” Away. The authors write “The sober reality is that in respect to the cyber security...
