Archive for August, 2007

Friday News and Notes

Bryan Singer has a magnum opus post and a few predictions about upcoming cyber attacks and events on control systems. I know of a few non-governmental people working on some pretty compelling scenarios as part of quantifying risk projects.
Tomorrow, Sept 1st, is the deadline to join the ISA Security Compliance Institute (SCI) as a founding […]

Iccpsic Assessment Tool Set Released

After a fair amount of soul searching and delay, Digital Bond is finally releasing our iccpsic tool set to subscribers who are vetted asset owners.
This was a difficult decision because this tool set will crash vulnerable ICCP servers. It was what we developed and used to find a number of ICCP protocol implementation vulnerabilities, including […]

Friday News and Notes

IEEE P1686 passed Working Group balloting, but the ballot is being recirculated after a few changes were made to the document.
A reasonable article from the business press on SCADA security this week at Forbes.com.
If you are in the electric sector in the Western US check out the Energy Security NW annual event on Sept 18/19 […]

Secure By Default - No Sale

It is so disheartening.
Secure By Default is a straightforward and critically important security concept. The default settings for a device or application should be secure settings so an administrator must turn off security to weaken rather than turn on security to strengthen.
My Secure By Default tale starts in June at the ISA SP99 Working Group […]

S4 Update

The 2008 Edition of the SCADA Security Scientific Symposium (S4) is January 23-24 in beautiful Miami Beach, Florida.
Remember the Call for Papers deadline is September 15th.
We are searching the world for the best research on control system security, and we want your help. Do you know a researcher doing important work? Send me his or […]

Software Quality Varies in OPC Servers

The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal.
1. The latest is Landon’s work to verify configuration recommendations in Part III of the OPC Security whitepaper series. […]

Friday News and Notes

The big news this week is that the rumor that Perry Pederson will be leaving DHS NCSD is in fact true. He is leaving the government for a job in private industry at the end of the month. This is a big loss for DHS, but best of luck to Perry in his new career.
Mu Security […]

Weiss Event Podcast Interviews

I pulled out the Mobile Podcast rig, a new toy, and took advantage of the gathering of experts to do a few interviews. Listen to them all or skip to the one you are interested in by noting the start time in the stream.

Podcast: Interviews at Joe Weiss's 2007 Event

Introduction (0:00)
Dilemma of Water Sector Security with Jake Brodsky and Cheryl […]

Weiss Day Three / NIST Event

First a little clean-up from yesterday on the demos in the afternoon.

The demonstrations showing that DNP3 has no authentication to prevent an attacker from issuing commands, and that fuzzing of the protocols caused denial of service, are in fact almost identical to what Ganesh presented at Defcon, only in a lot more detail. Both of these […]

Weiss Event Day Two

Back again semi-liveblogging on day two at Joe Weiss’s conference. I think the day two agenda is the most interesting with sessions in the afternoon on field device vulnerabilities. Check back often for updates.
9:15AM - An overview of the Chemical Sector's efforts in control system security is presented by two individuals from Dow Chemicals. […]