How many of you have downloaded NISTIR 7628: Smart Grid Cyber Security Strategy and Requirements, saw it was 305 pages and put it aside? Maybe you even waded into the first ten to twenty pages and read a lot of general statements and gave up. Well if you have some...
Some of the post-Stuxnet discussion, and even much before it, has the premise that we need to improve security so this type of attack can never be successful. That if we just all do the right things, control systems will be impenetrable. When we see unpatched systems,...
Patrick Coyle writes the Chemical Facility Security News blog and tweets @pjcoyle. His blog is my go-to resource for all things chemical security, and Patrick also does the hard work of tracking all of the control system security legislation. Patrick was kind enough...
The Siemens response to Stuxnet has been like a roller coaster. It started diving low with limited information and a bit of blame shifting, as most organizations facing a vulnerability for the first time do. [Siemens is huge and obviously other parts of Siemens are well...
HD Moore recently published a blog entry highlighting some serious vulnerabilities in VxWorks – an operating system used by a number of field devices in SCADA and DCS. What does and doesn’t this mean? This has little or no impact on the security of...
Joe Weiss has been conflating Cyber Incidents with Cyber Security Incidents for a while now, primarily by leaning on the NIST FIPS-200 definition of an Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or...
Last week I attended, presented and tweeted at the Dept of Energy Cybersecurity For Energy Delivery Systems Peer Review. The idea is DoE funds all these research projects, and they would like a group of owner operators and other industry gurus to help determine...
Pay attention to the P in Advanced Persistent Threat [APT]. Most of the attention paid to the trojan with a payload targeting Siemens control system applications has been on the Advanced nature of this malware. And that attention is warranted because there has not...
Joseph Kelliher was the Chairman of FERC from July 2005 – January 2009 so he had a front row seat to the NERC ERO / FERC / Congress issues and enough time to get perspective from outside the FERC bubble. On April 28th he gave a speech at an Energy Bar...
A few thoughts on the Perfect Citizen project by NSA. First, it is unclear what Perfect Citizen is. The news reports said the program would place sensors in the critical infrastructure to detect cyber attacks. NSA says “Perfect Citizen is purely a...