
Friday News and Notes

  • The big news this week: the rumor that Perry Pederson will be leaving DHS NCSD is in fact true. He is leaving the government for a job in private industry at the end of the month. This is a big loss for DHS, but best of luck to Perry in his new career.
  • Mu Security has come out with an Achilles-like protocol stack certification. Honeywell is the first company to have a MUSIC-certified device.
  • There is an organization I’ve been trying to chase down for a couple of weeks now, the Open SCADA Security Project. They have a wiki and say they are going to take the OWASP approach. My caution is I don’t know any of the leaders of the project and have had difficulty getting any information. What is their control system security experience? Are they with a vendor, asset-owner, university? All from one organization or an industry effort? Any of these answers are fine, but transparency is very important if you are asking people to trust and contribute to an effort like this.
  • ISA is considering distributing DHS’s CS2SAT self-assessment tool in the near future.
  • The DHS CSSP Catalog of Control System Requirements that was released a few weeks ago was pulled out of circulation for some editing. There are some politics here, but I was unable to learn the dirty details. This is a shame because it was very useful, if not perfect, in its current form.
  • The Industrial Ethernet book has a copy of Byres et al.'s paper on the statistics from their Industrial Security Incident Database. This is not new information, but I'm not sure I have seen this paper available on the web before.
  • On a personal note - I'm proud to say that this week the total number of comments on this blog (582) exceeded the total number of blog entries (578). This is big because the blog entries had about a 300-entry lead last year. A large number of the comments are well written, informative, logical and highly interesting - - even when they completely disagree with something we wrote. Thanks to all who have commented and improved the content in the blog.

Comments

Comment from Ralph Langner
Time: August 20, 2007, 6:06 am

As we had been talking about vaporware, eh, marketing before… While reading through Mu Security’s stuff, I came across the term “zero-day vulnerability”. Damn! I have heard about zero-day exploits, but not about zero-day vulnerabilities! Did I miss something, or are we experiencing progressive nonsense marketing assaults on unsuspicious buyers’ brains? ;-)

Comment from Bryan Singer
Time: August 20, 2007, 11:59 am

I suspect more of a mangling of terms. By definition, zero day exploits are those that come out before there is a patch available, or one that is widely available. Aren’t they all zero-day at some point?

I think a more appropriate statement would be “previously unknown” or “newly exposed” or something of that nature.

Marketeering can be an interesting game, and one in which those peddling the information should be cautious of the terms that they use….

Comment from Ralph Langner
Time: August 20, 2007, 2:22 pm

Bryan, my bet is that two or three years down the road we will see a bullet point labeled “zero-day” in some marketing collateral. Well, let’s see it in a positive way: Probably it’s just an indication that the marketplace is beginning to take shape if market players start coming up with cool nonsense lingo to promote their products. My only concern here is that the more serious, down-to-earth guys like Dale will be left behind as they will hardly want to keep up with such, eh, terms of the trade.

Comment from Ron Southworth
Time: August 20, 2007, 6:01 pm

Hi Dale,

With respect to the human side of our small industry.

There seems to be a bit of movement at the moment - must be the time of the year for change!

Perry has done a great job in his role with DHS. I hope his successor will be every bit as effective and forward thinking as he was, and can continue building the spirit of collaboration and provide the types of environments and necessary focus and direction to where we need to be heading as an industry.

With respect, or lack thereof, from marketing language. I suspect we all have our engineering hats on, so it is very difficult at times to see what all the tech speak is really trying to achieve. Remember, if you are out of your comfort zone you are more likely to purchase! I think in the end the more savvy reader will see beyond the glossy finish and to the substance of the particular good or service. I always remember something I was taught a while ago. If an engineered product needs all that hype to sell it - what is wrong with it?? A good product with a little raising of market awareness will "sell" itself!

Comment from Stephan Beirer
Time: August 21, 2007, 3:53 am

Remember the days when it was cool to add a "@" or "e" prefix to common words? Thank god this horrible hype is over..;)

Bryan: there are a lot of non-ZD exploits. For example, all the exploits reverse-engineered from a vendor's patch.

Comment from Dale Peterson
Time: August 21, 2007, 7:19 am

Stephan - I almost blogged on something similar but didn’t want to bash Tipping Point more than I already had.

There was an article on how attackers could reverse the Zero Day Initiative IPS signatures to learn about attacks before patches are available. They then tweak the attack to avoid the signature's pattern recognition.

http://www.darkreading.com/document.asp?doc_id=130313&f_src=darkreading_informationweek

Comment from Ralph Langner
Time: August 21, 2007, 7:34 am

Interesting read, Dale. Brings us back to the point: “ZDI is just a publicity stunt.”, as Errata Security CEO Robert Graham puts it.

Comment from cnioperator
Time: August 21, 2007, 7:42 am

On the protocol stack testing news, now we (end users) get to pick MUSIC and/or Achilles. So now I need to understand the relative merits of each “certification” and decide which I will require of any new control systems I buy. I guess this is something we’ll have to accept as growing pains of the SCADA security industry.

Comment from Dale Peterson
Time: August 21, 2007, 8:24 am

cnioperator - I’ve been hesitant to dive into this Music / Achilles competition in the blog because I’m clearly biased. Digital Bond threw our support behind Achilles and listed the reasons in detail on the blog, and as a paid consultant we helped structure the effort and evangelize it in the community.

That said, it really is not a market unless there is more than one vendor offering the product or service. There are probably at least two markets: one for this type of device as a QA tool for vendors, and a second as a certification that asset owners consider in purchasing decisions. The latter is likely to be dominated by the certification that the majority of vendors decide to get to meet asset owner demand, unless they get both, which seems unlikely at this point.
