Archive for 'Calculating Risk'
Automatic Patch-Based Exploit Generation
Reversing patches to create exploits is nothing new, and it tends to occupy the time of a lot of security researchers around the 2nd Tuesday of every month, but an interesting research paper was published recently from a few graduate students at CMU, Berkeley, and Pittsburgh that offers a new twist on an old topic. […]
Author: Daniel Peck
Posted: April 24th, 2008 under Calculating Risk, Development Tools.
Comments: none
Shameless Marketing FUD and Hype
I’m sure many of you have been spammed by an email from TDI about a “NERC CIP Cyber Asset Alert”. I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately in pure FUD and hype to promote […]
Author: Dale Peterson
Posted: April 10th, 2008 under Calculating Risk, NERC CIP.
Comments: 2
Is It Worth It?
In last week’s Friday News and Notes we mentioned a story on access and management of PLCs via Blackberry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in new ways. What are the benefits of this increased exposure and is […]
Author: Dale Peterson
Posted: March 9th, 2008 under Calculating Risk.
Comments: 5
FPL - - Whatever Happened at Browns Ferry?
While I live in South Florida, I was in California during the short FPL blackout yesterday. At dinner with some other control system security professionals the talk obviously went to the FPL event. A few interesting points:
- Since this affected the Turkey Point nuclear plants we may get a NRC report on the incident. So […]
Author: Dale Peterson
Posted: February 27th, 2008 under Calculating Risk, US Government.
Comments: 6
Lack of Information and Parsing Words
Alan Paller of SANS has been talking about cyber extortion attempts of utility companies for over a year now, and we now have Tom Donahue, a CIA-rep, on the record.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some […]
Author: Dale Peterson
Posted: January 21st, 2008 under Calculating Risk, US Government.
Comments: 9
S4 Preview - DHS Funded Ideal Driven Technical Metrics Paper
The second S4 paper on control system security metrics comes from a DHS NCSD supported project that teamed INL researchers with Marie Farrer of Securicon and Zach Tudor of George Mason University. Miles McQueen and Wayne Boyer have selected Sean McBride of INL to present the paper: Measurable Control System Security through Ideal Driven […]
Author: Dale Peterson
Posted: December 10th, 2007 under Calculating Risk, S4.
Comments: none
Scenario-Based Risk Modeling
We have two papers on security metrics at S4. The first is from Ralph Langner, who wrote the great paper on OPC server resource exhaustion attacks at S4 2007, and Bryan Singer, whom you all know. They both came in independently with similar abstracts, so it only made sense for them to pair up on […]
Author: Dale Peterson
Posted: November 28th, 2007 under Calculating Risk, S4.
Comments: 3
Wireless Learn from Windows Lament
The ’90s were filled with hope on the IT / SCADA front. Asset owners could save money by just moving to the Windows platform. Put web servers in most systems so the browser is the easy-to-use, universal GUI. Connect everything so information can be used throughout the organization and control can occur wherever […]
Author: Dale Peterson
Posted: September 27th, 2007 under Big Picture, Calculating Risk.
Comments: 1
Risk, Threat and Wireless
Wireless for control systems has been a hot topic for a few years now, and recently we have been treated to the efforts of different groups, i.e. ISA 100 and WirelessHart, to develop a standard that includes security. Which leads to the question: how does the use of wireless increase the risk to a control […]
Author: Dale Peterson
Posted: September 25th, 2007 under Calculating Risk.
Comments: 14
Podcast with Joe Weiss on Control System Security Awareness
In our latest podcast I talk to Joe Weiss about the state of security awareness in the control system community. We talk a little bit about the past and how we got there, but most of the focus is on where we are today. Do asset owners and vendors understand the problem? Are some industry […]
Author: Dale Peterson
Posted: July 12th, 2007 under Calculating Risk, Conferences.
Comments: 1

