Archive for the year 2005

LonTalk: the Good, the Bad, and the Ugly

Most of our readers are familiar with the complete lack of even weak (i.e. telnet-style) authentication in most SCADA protocols. So I was pleasantly surprised to find that LonTalk (also known as ANSI/EIA 709.1) had a simple challenge-response authentication protocol for its session layer. Given that LonWorks targets low-end microcontrollers, this would certainly contradict the […]

Think Outside the Plant: Building Control Systems!

While most of the focus on securing control systems has been in industrial settings, not much work has been done yet “closer to the home,” or at least the office.
Building automation systems — those applications, devices, and protocols that are used to control and monitor HVAC, lighting, energy management, and sometimes fire and physical security […]

Pinto’s Two Automation Groups

Interesting conclusion and prediction from Jim Pinto in a Control Magazine article.
For large distributed control systems, it should be recognized that there are two automation groups evolving:
Group 1: Investing heavily in a control room, knowledge-base approach. More connection from enterprise to field for data-to-knowledge-to-local/enterprise decision-making. Focused on making timely, safe and profitable decisions at the […]

A Blog on a Real World Wastewater Pump Station SCADA System

Control Engineering and QDS Systems have put up a nice blog tracking the progress on the upgrade of a 10-year-old Wastewater SCADA system. This project illustrates the use of the latest technologies and provides a surprisingly high level of detail compared to other writeups I’ve seen on-line:
The SCADA master planned is a three-computer […]

Happy Holidays

I hope you all have a chance to shut down a bit and enjoy the holiday. Thanks to everyone that has provided tips to the blog this year, and thanks to everyone who has contributed to the improvements in SCADA security in 2005.
I’ll be doing a year in review entry and 2006 goals around […]

Vendor Security Claims

Yikes! I was reading the December issue of Control Magazine on the plane and got to the section with blurbs on new vendor product offerings, pages 56-57. Two items jumped out.
CT WebHMI provides secure, realtime access to plant floor data from any Internet connection worldwide. The bi-directional interface lets remote users adjust switches and dials, […]

ICCP Exposed: Part I

For some folks, the OSI Reference Model is just something we have read about in standards documents (or memorized the seven layer model for a certification exam or a job interview) but never actually used in the real world. This was true for me until I started looking at ICCP. (To be completely honest, I […]

Snort ICCP Rules Are Out!

It took longer than expected, but our first set of ICCP rules is available on the SCADA IDS site. Want to know why it took so long? Take a look at the ICCP stack in the diagram below.

It takes a lot of work or an ICCP client to compromise the integrity of an ICCP server. […]

Kurtz’s New Securing SCADA Systems Book

I had a chance to quickly read through Kurtz’s new book, Securing SCADA Systems. At 150 pages, many filled with diagrams, it is a quick read.
Positives:

Chapter 2 gives some good examples of SCADA and DCS systems in oil/gas, power and water. This would help an IT person who doesn’t understand what […]

How much for a SCADA 0-day?!

Now that I have your attention, you can quit reading since this is mostly an excuse to link to Phreakonomics (which is far more interesting than what follows here) and to one-up Dale’s last blog. Most interesting was a quote from dailydave:
“There’s not an infinite supply of bugs, just lots of them. Like oil or […]