
Archive for 'The Rack'

A Peek Into A Control System App Assessment, Part 1

First things first, we’ve been given the application we’re going to access, we’ve built up our testing environment, usually a virtual machine of some sort, and we’re ready to get going. The application in question serves as a SCADA server, historian, and can serve HMI displays through a native client or a web interface. Using [...]

A Peek Into A Control System App Assessment

We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications.
Recently Daniel spent a couple of days black box testing a widely used control system application for an in-house project, and as we were writing [...]

FISMA / SP800-53 is not Utopia?

The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that could be met with a number of implementation choices that a security [...]

Security Metrics Presentation at SANS Summit

Jason and I wrote a paper for S4 this year that attempted to create a configuration security metric for a control system component, such as an HMI, Historian, Realtime Server, … We cross-referenced NIST SP800-53 against available configuration data from Bandolier to come up with a set of configuration related categories and [...]

File Integrity Checking with Bandolier and Nessus

We’ve covered a number of ways to safely and effectively use Nessus in control system environments, most notably using the Bandolier security audit files in conjunction with the Nessus policy compliance plugins. In my post about NERC CIP 007 R1 Testing, I alluded to file integrity checking for Linux and Unix servers. Since we haven’t [...]

See Bandolier in Action

Bandolier is our DOE-funded project where we are working with control system application vendors to define optimal security configuration for the various components (HMIs, Historians, Realtime Servers, etc…). We then develop Nessus audit files that allow an asset owner/operator to audit their systems. Loyal blog readers have heard us discuss many facets of the project [...]

Fuzzing, practical dumb fuzzing

We’ve had a lot of posts about fuzzing on the blog lately. We’ve looked at the latest technologies and techniques, we’ve talked about fuzzers, intelligent versus dumb, some of the tradeoffs involved with design choices, and in the future we’re going to talk some more about some of the commercial offerings in the space [...]

Using Bandolier and Nessus for CIP-007 R1 Testing

Testing has always been part of making changes to a control system. When a change is made (e.g. new component, upgrade, patch), we have to know if everything is still going to work. Progressive asset owners have incorporated a security element into their functional testing for a while now. Some would even argue that it’s [...]

Advanced Security Training Pre-ICSJWG

Digital Bond’s class, Using and Customizing SCADA Security Tools, was a sellout when first offered the day prior to S4 last month. It teaches advanced students how to use and customize the Bandolier Security Audit Files and the SCADA IDS preprocessors, plugins and signatures. The goal is to help asset owners and vendors take [...]

SAGE and the increasing smarts in fuzzers

Fuzzing is growing up. From the academics of the late 80s throwing random data at Unix command line tools, to the early work by researchers and commercial groups in the late 90s and early 2000s, to the explosion of fuzzing topics at conferences around the world about 5 years ago, it’s come a long way.
As [...]