Recovery

A common fault in control system security programs is in recovery of cyber assets. The redundancy gives a false sense of security, and the questions “can you rebuild this server” or “when was the last time you rebuilt this server” often go back...

Economist Article on Cyberwar

The Economist Magazine has a 2744-word cover article on “Cyberwar”. Like most articles in this publication it is balanced and presents the issues well. They have both Richard Clarke with his alarms and Bruce Schneier calling it scaremongering. There is...

Emergency Remote Access Clarification / CIP

NERC has just issued the first Clarification Application Note [CAN] related to the CIP standards. The CAN process should be very helpful for owner/operators, vendors and auditors by removing some of the interpretation on what the standards mean and require. That said,...

The CIP Effect Curve

Is CIP improving the security posture of electric sector control systems? I think we have a large enough sample size and time to answer that question now. Like most things in life, it is not a simple yes or no. It is affected by an organization's previous efforts on...

A New Competitor? DHS?

Matt Olney from Sourcefire has a lengthy editorial on the Lieberman-Collins Protecting Cyberspace As A National Asset Act. I haven’t read the 197 page bill cover-to-cover, but did glance at the sections that Matt highlighted in his editorial. What was a bit...

ISASecure: Docs on Testing Tool and Lab Accreditation

ISA’s ISASecure has been working on an Embedded Device Security Assurance certification. We have previously reviewed, see links at the bottom of the post, the Functional Security Assessment and Software Development Security Assessment documents that represented...

NERC High Impact Low Frequency Report

If you don’t have the time to read a 120 page report, take a quick look at the 19 overview slides. A true, directed cyber or blended attack is what makes risk management for control system cyber security so difficult. Talk to a moderately skilled hacker...

A Peek Into A Control System App Assessment

We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications. Recently Daniel spent a couple of days black box testing a widely used control system application...

Smart Grid Expectation Problem

We could be looking at highly successful Smart Grid program results that are viewed as failures because of improperly set expectations. Let me explain. After Distributech in March, I blogged some thoughts on where Smart Grid stood and what the future might bring. It...