As the year starts to wind down we’ve been pleasantly surprised at how much progress many owner/operators have made in their security posture. The plants and SCADA systems that have made the most progress have devoted manpower to security. They have people...
Asset owners want DCS and SCADA security to be at least straightforward and preferably easy, especially when the safety and security people get together. Safety systems have a Safety Integrity Level (SIL) that specifies the expected dangerous failure rate. So if a system...
Almost without fail, vendors mishandle their first contact with a security researcher who has found a vulnerability in their product. This problem is not unique to control system vendors, and there are many tales of mishandling, including the well-documented Core...
The change in terms from “responsible” disclosure to “coordinated” disclosure is welcome and wise. The various parties involved, vendor, user, researcher, CERT, will rarely agree on what is “responsible”. Maybe there is some...
In case you missed it, ICS-CERT issued an advisory about using SHODAN for identifying SCADA components connected to the Internet. The advisory covers the issues and the IT news outlets are picking up the story as well. Rather than echo that information or complain...
The concept of information sharing among a community of vetted users is appealing, and it has been tried numerous times. Back in the '90s when InfraGard started, membership grew quickly on the promise of getting threat and attack information from...
My previous blog on Version 2 of the WIB Security Requirement for Vendors reads a bit like a security assessment report. While it highlights some positives, most of the details are on the deficiencies. To be clear, it is one of the better documents in this space and...
I was tough on ICS-CERT’s performance on Stuxnet in an earlier post. Now ICS-CERT is reaching out to a number of people in the control system community, including Digital Bond, to get some candid feedback on what they need to do differently or better. There is...
Back in April we reviewed Version 1 of the WIB/Wurldtech/Shell Process Control Domain – Security Requirements for Vendors. While it was a useful guideline document, it had major problems that needed to be solved before it could be used for a vendor certification...
Ralph has an open letter to Symantec up on his site. While I've been known to point out a failure from time to time in this blog, I think in this case Ralph is unnecessarily rough on Symantec, which has done fantastic work on Stuxnet. However, if you ignore the...