Archive for 'Calculating Risk'
Stuxnet Panel Afterthoughts
I hope you had a chance to listen in to the Industrial Defender-sponsored webinar on Tuesday. If not, click on this link to hear Patrick Miller, Eric Byres, Andrew Ginter, Mark Zanotti and myself opine on the subject.
I think the webinar had a great overview on Stuxnet from Patrick Miller and some additional detail [...]
Author: Dale Peterson
Posted: July 29th, 2010 under Anti-Virus, Calculating Risk, Firewall / Perimeter, Vulnerability Disclosure.
Comments: 2
Stuxnet and Relation To APT Misunderstood
I participated in a Stuxnet panel put on by Industrial Defender earlier today. ID did a great job organizing it, and I thought Patrick Miller’s summary at the beginning was perfect for someone wanting to get a quick understanding of Stuxnet. I’ll blog more thoughts on the panel and questions that can’t be answered when [...]
Author: Dale Peterson
Posted: July 27th, 2010 under APT.
Comments: none
Learning from the Stuxnet/WinCC Malware
SCADA-targeted malware was inevitable and I suspect, despite the fact that it took this long to happen, that we haven’t seen the last of it. There’s a forest and trees lesson here that I hope we learn through this. Before we get too carried away on a specific vulnerability and throwing stones at software vendors, [...]
Author: Jason Holcomb
Posted: July 21st, 2010 under APT, Anti-Virus, Bandolier.
Comments: 3
Trojan Targeting Siemens and APT Thoughts
Pay attention to the P in Advanced Persistent Threat [APT]. Most of the attention paid to the trojan with a payload targeting Siemens control system applications has been on the Advanced nature of this malware. And that attention is warranted because there has not been a public example of malware targeting control systems prior to [...]
Author: Dale Peterson
Posted: July 20th, 2010 under APT, Vulnerability Disclosure.
Comments: 11
NERC High Impact Low Frequency Report
If you don’t have the time to read a 120-page report, take a quick look at the 19 report overview slides. A true, directed cyber or blended attack is what makes risk management for control system cyber security so difficult. Talk to a moderately skilled hacker with control system knowledge and they will tell [...]
Author: Dale Peterson
Posted: June 3rd, 2010 under APT, Calculating Risk.
Comments: none
Cellular Modem Use Without Risk
Loyal blog readers know we have been talking about and tracking the increased use of cellular modems in SCADA systems. These are often accessible from the Internet, almost always accessible by other users with service from the same cellular company, and so far have always been installed in the default, insecure installation. So a recent article [...]
Author: Dale Peterson
Posted: May 26th, 2010 under Calculating Risk, Wireless.
Comments: none
Why Bother With Aircraft Systems?
That was the question Ralph Langner asked in a comment on a Friday News and Notes item, and then he and Michael Toecker had an interesting back and forth. Here is my two part answer.
1. Because when you have an IP network, a small segmented island can intentionally or mistakenly get routed almost anywhere. And [...]
Author: Dale Peterson
Posted: May 22nd, 2010 under Calculating Risk.
Comments: 1
Inherently Safer Technology / MTTR II Analogy
I’ve really been enjoying PJ Coyle’s Chemical Facility Security News blog the last few months. An entry this week on the Chemical Security Board’s Inherently Safer Technology tied into one of my entries earlier this week on MTTR. Here are the key paragraphs to the analogy:
First off, inherently safer technology (IST) has always been a [...]
Author: Dale Peterson
Posted: April 29th, 2010 under Calculating Risk, Safety.
Comments: 5
MTTR: Mean Time To Recovery
The anti-virus update problem provides yet another education and awareness opportunity. Maybe you were skilled or lucky enough that this did not affect your control system at all, or only a portion of the system because of staggered av updates. But if it did, how long would it take you to recover? To make the [...]
Author: Dale Peterson
Posted: April 28th, 2010 under Calculating Risk, SCADA Architecture.
Comments: 7
FISMA / SP800-53 is not Utopia?
The first potentially successful effort in the US to have a control system security standard that had must and shall requirements and an audit plan was NERC CIP for the electric sector. The standards were first written broadly with general security requirements that could be met with a number of implementation choices that a security [...]
Author: Dale Peterson
Posted: April 26th, 2010 under Calculating Risk, NERC CIP, The Rack, US Government.
Comments: 5