S4 News and Comments
Between being the S4 chair and handling the Virtual Attendee chat and Q&A it was impossible to live blog at the event, but I was writing down some thoughts. Here they are in brief:
- The metrics paper from INL supported my belief that there is some great work going on at the labs that we just never see. I tweak INL often in the blog, but it is almost exclusively about releasing results and information to asset owners and the community. Many at the event were amazed and impressed by the caliber of this paper and presentation. Hopefully this reaction will encourage INL to push programs in a direction that allows more sharing of useful technical information like this.
- Dave Aitel’s keynote elicited a strong reaction from those in attendance. There were portions, such as attackers having all the control system source code, that may be a stretch. I enjoyed his discussion of how an elite attacker will develop, including the technical approach, and save his own exploits for future use, and eschews the exploits found with common tools because everyone will have them.
- It didn’t take the attendees long to realize we were pounding them over the head from a lot of different angles with the theme that control system application vendors need to step up and integrate security into the development lifecycle, admittedly at no small cost. Similarly, asset owners must start asking in RFPs to see copies of secure coding standards, security design documents, security in the QA plan, QA plan results, and other things that have been found to significantly reduce vulnerabilities. Hopefully some of the attendees will spread the message so we will not require the equivalent of Code Red and Nimda in control systems before this effort is started.
- The netDDE paper and presentation snuck up on the audience as it did on the Digital Bond team. It seems like just another set of poor application permissions, but the impact is much greater. I’ll blog on this tomorrow because there is a big difference between bad DCOM settings in OPC and vulnerable netDDE shares.
- Some serious work is going on out there to add security to control system protocols as evidenced in the detailed ISA 100, OPC UA and PCT presentations. We need a much larger group of security professionals to review these protocols.
- If you liked the virtual attendee option, and also the ability for physical attendees to watch replays, make sure to thank OSIsoft. We would have dropped the virtual option if we hadn’t received their support as a sponsor. In fact, OSIsoft has been very helpful to Digital Bond and other research organizations.
- The 2008 Proceedings Book is now available on Amazon.com and will soon be available on our site.
That’s it for S4 2008. We predict a sellout for 2009 so get to work on your ideas for a paper for S4 2009.
Author: Dale Peterson
Posted: January 28th, 2008 under S4.