This week I’m teaching our updated three-day course on Control System Security for Control System Engineers for a client. One thing I learned from my experience teaching at Infosec Institute more than five years ago is it is very hard to make an interesting...
This week Siemens held its Automation Summit in Orlando, and security was heavy on the agenda. In an earlier blog I took to task Byres, Langill and other security guru’s, really top notch talent, for providing cover to a poorly performing vendor by attending,...
The Iranian Supreme National Security Council has called for the “International Atomic Energy Agency (IAEA) to form a fact-finding committee to detect agents involved in nuclear terrorism and operation of Stuxnet computer worm to attack nuclear industry”....
My Point: The ICS vulnerabilities being found and trumpeted have little impact on SCADA and DCS that run the critical infrastructure. Somehow we need to get the increased effort to identify vulnerabilities focused on the critical ICS applications and components....
We are hearing more and more that a particular security control is inadequate or not worthwhile because “it would not have stopped Stuxnet”. This has come up in numerous comments on this blog and in other places, such as my friend Jake Brodsky’s blog...
My point — we, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data...
While acting with the best of intentions, DHS and Siemens persuading Dillon Beresford to drop his talk “Chain Reaction: Hacking SCADA” talk at Takedown last month has backfired. My favorite tweet on the subject is: This is so true, like the “coverup...
A significant percentage of ICS owner/operators use SecurID tokens for strong, two-factor authentication for remote access. Similar to the IT space, it has the largest market share by far. With the recent hacks of RSA and Lockheed, it is time to reconsider if you can...
Digital Bond performed its first SCADA security assessment in 2000. The 9/11 attacks that supposedly changed everything in critical infrastructure security occurred in 2001. Yet as we have chronicled in this blog, the ICS community as a whole is still amazingly...
In 2008 DHS issued the first edition of Common Cybersecurity Vulnerabilities in Industrial Control Systems based on 15 ICS security assessments of either products or deployed systems they performed from 2004 to 2008. They just released an update to this document that...
