
Top Ten SCADA Security Stories of 2008

Here is our list of the top ten control system stories for 2008. (See the 2007 list. See the 2006 list.)

1. Vulnerabilities Discovered by Non-Control System Company

Core Security and others outside of the control system community started testing freely available demo versions of control system applications and finding vulnerabilities. Control system security is no longer as obscure as it once was.

2. PCSF Implodes

The Annual Meeting of the DHS-sponsored Process Control Systems Forum (PCSF) was always, in our opinion, the best control system security event of the year. In addition to the information provided in the program, which varied in quality from year to year, it was a great place to go and talk to all the active players in the control system security community. A lot of other groups tied meetings into this event. It was the control system harmonic convergence.

Unfortunately, 2008 brought the demise of PCSF. DHS was not allowed to attend the PCSF meeting in San Diego due to questions about the legality of the funding mechanism and structure. The full story of why DHS can no longer fund PCSF has never been made public, and PCSF went away with a whimper. The site is no longer up. A real shame and a big void for 2009.

3. FERC Throws NERC Under The Bus / Congress Warms to Regulation

When Congress started looking at electric sector control system security, it was rough on FERC, NERC, and the utilities alike. At the hearings in May it was clear that FERC had repaired any issues with Congress and was now pointing the finger at NERC and industry as the problem. By the end of the year the Congressional Committee was practically begging FERC to ask for legislation that would give FERC more regulatory clout.

Is it possible that NERC could be replaced as the ERO in the foreseeable future?

Congress seems to believe regulation is the answer. Congressional regulation is my best guess for the number one story for 2009.

4. Published Control System Exploit Code

Theory turned into practice in 2008 as Kevin Finisterre of Netragard published exploit code, in the form of a Metasploit module, for the Citect vulnerability discovered by Core Security.

It is a bit surprising this did not happen earlier. We also saw more non-published exploit code for a variety of vulnerabilities being passed around.

5. Blue Ribbon Cyber Security Recommendations for Obama

Control system security had a prominent place in the CSIS recommendations to the next President. We didn't agree with the recommendations, but it is another data point on the increased attention to control system security.

6. SCADASEC List

The SCADASEC list started in early 2008 and was quite active. It was probably the place for control system vulnerability disclosure discussions. Often more heat than light, but occasionally some interesting entries and discussions.

Please, every poster on the SCADASEC list: resolve in 2009 to avoid quoting entire threads.

7. Control System Vulnerabilities As Candy To The Press

Find a vulnerability or just issue a colorful statement about the insecurity of critical infrastructure control systems and watch the stories flow.

8. Bandolier Security Audit Files

OK, I'm probably a bit biased here, but the ability to identify and audit the hundreds of control system application-specific security configurations is huge. No one, not even the vendor, could do this pre-Bandolier. It makes a big difference in the rigor of a control system security assessment.

9. CIA FUD

The quote from Tom Donahue from CIA with very non-specific information about electric utility intrusions still pops up in presentations. Please, if you can’t provide any details don’t bother with the FUD statements.

10. Water Sector Roadmap

The Water Sector showed a bit of activity this year with the issuance of the Water Sector Roadmap to Secure Control Systems. This was almost a carbon copy of the electric sector roadmap, and had some milestones that were doomed to failure from day one, but it was good to see the activity increase in this sector.

There were a lot of other efforts that made progress in 2008 such as security in OPC UA and Secure DNP3 protocols, protocol stack certification from Mu and Wurldtech, ISA SCI, SP800-82 …

Comments

Comment from Orlando Stevenson
Time: January 5, 2009, 12:10 am

Good list! As far as the electric sector/generation goes, commercial nuclear had, and continues to have, very interesting cyber security developments that impact control system security. Dec08 NRC security rule making finalized an overarching expectation for cyber security programs in commercial nuclear facilities. For 1H2009, we can expect a very extensive, supporting final regulatory guide DG-5022 Cyber Security Programs for Nuclear Facilities. Note, unlike the public NERC CIPs, both existing industry NEI 04-04 and draft DG-5022 are not considered generally available without commercial nuclear industry involvement. Interestingly, in your Sep2008 podcast, Joe Weiss voiced strong support for DG5022 in how it could be easily adapted and applied for a number of control system settings.

I also agree that 2009 is shaping up to be a breakout year for congressional and regulatory interest in bulk electric/commercial nuclear cyber security even without additional significant cyber events.

Comment from Orlando Stevenson
Time: March 2, 2009, 12:36 am

Update. The new regulatory guide will be RG 5.71 (no longer designated DG-5022) and trimmed up substantially while also ensuring better alignment with rule expectations. Less of a silo and more aligned with complementary programs for nuclear facilities.
-----
From the Office of Nuclear Regulatory Research (RES):
“On February 11, 2009, staff met with NEI to review the final 6 out of 208 industry comments on the draft RG 5.71 (previously known as DG-5022). RG 5.71 provides key cyber attributes and program elements to the licensee and/or vendor on how their performance based cyber security plan could meet regulations (10 CFR 73.54) with high assurance of adequate protection from a cyber attack. The successful completion of these meetings provides better understanding and clarity for industry on the guidance in RG 5.71.”
