
Archive for 'Calculating Risk'

Automatic Patch-Based Exploit Generation

Reversing patches to create exploits is nothing new, and it tends to occupy the time of a lot of security researchers around the 2nd Tuesday of every month, but an interesting research paper was published recently from a few graduate students at CMU, Berkeley, and Pittsburgh that offers a new twist on an old topic. […]

Shameless Marketing FUD and Hype

I’m sure many of you have been spammed by an email from TDI about a “NERC CIP Cyber Asset Alert”. I personally received three alert emails plus a blog spam. We get a lot of this type of material, but this one topped anything we have received lately in pure FUD and hype to promote […]

Is It Worth It?

In last week’s Friday News and Notes we mentioned a story on access and management of PLCs via Blackberry. This relates to one of the frequent and interesting discussions we have with asset owners when they are considering exposing their control system in new ways. What are the benefits of this increased exposure and is […]

FPL - Whatever Happened at Browns Ferry?

While I live in South Florida, I was in California during the short FPL blackout yesterday. At dinner with some other control system security professionals the talk obviously went to the FPL event. A few interesting points:
- Since this affected the Turkey Point nuclear plants we may get an NRC report on the incident. So […]

Lack of Information and Parsing Words

Alan Paller of SANS has been talking about cyber extortion attempts of utility companies for over a year now, and we now have Tom Donahue, a CIA-rep, on the record.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some […]

S4 Preview - DHS Funded Ideal Driven Technical Metrics Paper

The second S4 paper on control system security metrics comes from a DHS NCSD supported project that teamed INL researchers with Marie Farrer of Securicon and Zach Tudor of George Mason University. Miles McQueen and Wayne Boyer have selected Sean McBride of INL to present the paper: Measurable Control System Security through Ideal Driven […]

Scenario-Based Risk Modeling

We have two papers on security metrics at S4. The first is from Ralph Langner, who wrote the great paper on OPC server resource exhaustion attacks at S4 2007, and Bryan Singer, whom you all know. They both came in independently with similar abstracts, so it only made sense for them to pair up on […]

Wireless Learn from Windows Lament

The ’90s were filled with hope on the IT / SCADA front. Asset owners could save money by just moving to the Windows platform. Put web servers in most systems so the browser is the easy-to-use, universal GUI. Connect everything so information can be used throughout the organization and control can occur wherever […]

Risk, Threat and Wireless

Wireless for control systems has been a hot topic for a few years now, and recently we have been treated to the efforts of different groups, i.e. ISA 100 and WirelessHart, to develop a standard that includes security. Which leads to the question: how does the use of wireless increase the risk to a control […]

Podcast with Joe Weiss on Control System Security Awareness

In our latest podcast I talk to Joe Weiss about the state of security awareness in the control system community. We talk a little bit about the past and how we got there, but most of the focus is on where we are today. Do asset owners and vendors understand the problem? Are some industry […]

 