Next week is the Siemens Automation Summit. Will Siemens announce digitally signed code for the S7-300 and 400 PLCs? Ralph Langner hinted at this in a recent blog post: “While so far the vendor has made no announcement to support digitally signed code, our intelligence from inside sources has it that this feature is scheduled to be introduced to the S7-300 and 400 series in 2012.” Fingers crossed, as I would like to write a positive blog entry on Siemens.
Two new ICS-related Metasploit modules were released this week. The Sielco Sistemi Winlog Buffer Overflow and the Siemens FactoryLink Opcode 9 Buffer Overflow exploits were both written by the Metasploit team.
Commissioner staff member Stephen Flanagan published an interesting 14-page speech/paper titled “The CIP Program: Are We on the Right Path or at a Precipice” from an SPP Workshop. His perspective is that commitment to security is more important, and a better approach, than compliance. He wants to know: “is the entity concerned about CIP? How has the entity demonstrated its concern in a tangible manner? Is the tangible expression of concern effective in addressing the technical concern?” A better approach, but it does not seem likely to be the future and, by the way, it is the opposite of the SP800-53 approach.
Tweet of the Week
Weekly Updates From Critical Intelligence
Worth Reading Articles
- SDG&E’s Grid Security and Cyber Security Plan (DP Note: A 70-page document that I need to read.)
- GraniteKey Blog: Videos of Travis Goodspeed’s Smart Grid Security East presentations
- Iranian Student News Agency Article: Iran Calls for IAEA to Detect Stuxnet Agents
- PwC Report: Getting Real About Cyber Threats, Where Are You Headed (free registration required)
- [in]Security Culture Blog: Our man in the field reporting about NERC CIP updates!
- Physorg.com Article: Protecting Medical Implants From Attack
- Security of Power Blog: Security Testing and the SmartGrid (or why we need to pull the industry’s head out of its butt)