Friday News and Notes
A few odds and ends from the last three weeks:
- Very cool. Secure DNP3 products are becoming available. Secure DNP3 add new function codes to DNP3 to provide source authentication as well as content authentication. The latest example is in an RTU from Semaphore.
- GE has a new version of CIMPLICITY with some important new security features. I really like press releases and documentation that have clear features / benefits such as “CIMPLICITY 8.0 requires only a Microsoft Windows Vista/Server 2008 standard user account.” This is much better than a company announcing their systems are “industry leaders” or “secure by design”.
- On the other side of the press release equation is partnership announcements like Wurldtech’s strategic partnership with exida. It is hard to tell the impact of these partnerships. The vast majority in IT and control systems are minor marketing exercises, but occasionally they change the landscape. In this case it will be trying to marry security and safety efforts. [FD: Wurldtech is a Digital Bond client and has advertised on digitalbond.com]
- Just in case you missed it, a disgruntled ex-consultant intentionally disabled a leak detection system for an oil pipeline. Perhaps now we can finally retire the almost 9 year old Australian wastewater incident from control system security presentations.
Author: Dale Peterson
Posted: March 20th, 2009 under Uncategorized.
Comments: 4
Comments
Comment from Mike Toecker
Time: March 20, 2009, 3:24 pm
I’m optimistic about the GE CIMPLICITY improvements. I was getting tired of recommending that asset owners send push back to GE about security and upgrades for their MARK VI HMIs (which utilize CIMPLICITY).
Mike
Comment from Jake Brodsky
Time: March 20, 2009, 8:14 pm
Your wish for the Maroochy crime to disappear isn’t likely to happen. Despite all the cases since then (and there have been many), Boden’s crime in Maroochy Shire will remain a classic case study. It is well documented, and it was one of the first of its kind.
In other news, several groups have written Secure Authentication code for DNP. They appear to be quite compatible (it is always a good thing that the specification results in something that isn’t mis-interpreted). I know of several places where it is being tested in real world environments right now. Things seem to be working mostly as expected, with very few surprises. Nevertheless, we’re still learning here.
In other words, Secure Authentication for DNP is not truly battle tested yet, and I strongly recommend that users contemplating this approach join the DNP User group (http://www.dnp.org) to exchange experiences with the new Secure Authentication features of the standard.
Comment from Ron Southworth
Time: March 22, 2009, 6:26 am
Hi Guys the classic example of the trusted insider and the disgruntled employee (contractor). I think this case will forever remain part of the SCADA security landscape especially early history, it is a shame that other examples since then are not published publicly either, such is life.
On the lighter side of life re Secure DNP3 guys, seems Aussies are amongst the vendors that are trying to make a difference eh?
Good to see and with the end user hat on I am really keen to see an effective key management methodology / technology deployment somewhere so we can start using this in our live systems. I still have visions of running around with a KVL3000 to perform key management and this will be one of those dejavois moments if it eventuates!
Comment from Rob Casey
Time: March 24, 2009, 9:00 am
Following up on Ron’s comment, effective implementation-wide key management methodology and deployment is a major issue that has yet to have a solid solution with wide industry consensus. While the change mechanism for update keys of “means external to the protocol” is wholly inadequate for unified implementation requirements, this definition is likely to be remain for a period of time given the broad scope that such updates may encompass. I understand that there are some efforts to define a common means of update key specification as part of the WITS working group, but I am unaware as to how progressed this effort is at this time.
Write a comment