Archive for August, 2008
Friday News and Notes
The “news” that an attacker with network access could upload firmware to many controllers came out this week. This FOUO report has been floating around, and it seemed hard to believe it was FOUO. It is common knowledge in the control system space, not to diminish the fact it is another serious widespread control system [...]
Author: Dale Peterson
Posted: August 29th, 2008 under Uncategorized.
Comments: 2
PCSF: Day Three, Thursday
UPDATE: 6:30PM, Dale
Final Thoughts
PCSF is not perfect, but it is my favorite event in the control system security space by far. One main reason is the number, variety and quality of attendees. The lunch, evening, break discussions were highly interesting and even three days had me scrambling to talk with all the people I’d like [...]
Author: Dale Peterson
Posted: August 28th, 2008 under PCSF.
Comments: none
Putting the Genie Back Into the Bottle
As a flurry of emails (about an as of yet not officially released control system vulnerability) show this morning, once a document goes online the damage is done. It is eternal, and it is virtually impossible to stop the dissemination of the document, or put the genie back into the bottle. This applies to any critical document be it [...]
Author: Kevin Lackey
Posted: August 28th, 2008 under Big Picture, Vulnerability Disclosure.
Comments: 11
PCSF: Wednesday, Day Two – Solution Day
UPDATE: Next day, Dale Peterson
I missed the Waterfall Solutions Unidirectional Connectivity presentation but caught up with them at the evening exhibit. They have a product that through hardware, I heard the term diode and optical communications, only allows one-way communication. Hence they use the term unidirectional. It is an interesting concept that could be [...]
Author: Dale Peterson
Posted: August 28th, 2008 under PCSF.
Comments: 1
PCSF San Diego: Tuesday – Day One
Vulnerability Disclosure Panel
See Digital Bond’s Take On Vulnerability Disclosure
Ted Angevaare of Shell is only interested in sharing any vulnerabilities with the vendor. Not a coordination center, not any public disclosure.
Nate Kube of Wurldtech does not believe in widespread dissemination of control system vulnerability information.
Art Manion of CERT/CC believes there needs to be a public record [...]
Author: Dale Peterson
Posted: August 26th, 2008 under PCSF.
Comments: 2
Friday News and Notes
Next week should be a lot of info with the PCSF annual meeting and three from our team in San Diego. Only a couple of items this week.
Telvent issued a press release discussing their participation in Bandolier. The team there has been a great help in improving the OASyS DNA Security audit files.
Tripwire joins the [...]
Author: Dale Peterson
Posted: August 23rd, 2008 under Uncategorized.
Comments: 1
Research Project Value Creation
Believe it or not, research teams are not always marketing wizards, and even the best results can have little impact if the potential users don’t understand the value of the solution. So the DHS Science and Technology Directorate is putting a representative from all the research teams in the recently awarded contracts through SRI’s Value [...]
Author: Dale Peterson
Posted: August 22nd, 2008 under DHS Research Project.
Comments: 1
Vulnerability Disclosure
There has been a lot of talk about disclosure of control system vulnerabilities. We have been laying low on this issue and letting it percolate after disclosing to US-CERT the initial control system vulnerabilities and kicking the issue off at PCSF two years ago.
With another PCSF annual meeting and disclosure panel coming up next week [...]
Author: Dale Peterson
Posted: August 20th, 2008 under Vulnerability Disclosure.
Comments: 3
Just not getting it.
Some companies, both vendors and asset owners, continue to give away the proverbial “baby with the bath water.” Case in point (from an article at automation.com but which was a general press release):
August 7, 2008 – Reykjavik Energy selected ABB to upgrade and integrate five utility automation systems – geothermal power plants, district heating, water and [...]
Author: Kevin Lackey
Posted: August 19th, 2008 under Big Picture.
Comments: 8
Bandolier Audit Files Put Through Their Paces
More exciting news from the Bandolier project… we are wrapping up some extensive collaborative testing with one of our vendor partners. It is the most thorough outside review of the Bandolier audit files to date and we are very pleased with the results. With each development and testing cycle, we are able to apply what [...]
Author: Jason Holcomb
Posted: August 18th, 2008 under Bandolier, The Rack.
Comments: none