I was waiting for something to inspire the March Monthly Checkup topic and the OPC Server Vulnerability Notes / Patching discussions came through just in time. Here are your check-up tasks for this month:
1) Verify management accepts the risks and approves your patching policy
Your patching process will implicitedly include an acceptance of risk. For example, […]

No Enterprise Network / Control System Firewall
Hopefully, you have implemented a firewall capability at the enterprise network / control system perimeter. Consultants use words like best practice, good practice, and recommended practice. There is another term consultants use: “standard of due care”. ISACA defines it as:
The standard of “due care” is that level of […]

On my way to S4 today I listened to a new podcast from Security Catalyst. I’m a new subscriber to the podcast and the variety of topics/topic differentiation kept me enthused. The author covered how the Energy Policy Act of 2005 will effect Daylight Saving time at the beginning of 2007. Effectively the dates have […]

Sometimes organizations have to accept risk rather than implement best practice or even standard of due care security controls. Ideally the organization has a security policy and has documented approved exceptions to this policy.
Even in cases where no policy exists and formal approval of exceptions is lacking, the operations team likely is aware of security […]

Malware is one of the most common causes, according to Eric Byre’s Incident Database and other sources, of cyber security incidents in control systems. Malware is introduced via laptops, administrator remote access, vendor remote access, unauthorized connections, and other sources. Your anti-virus provides important protection - - hopefully.
Too often we see the description of anti-virus […]

When doing assessments we almost always find unnecessary accounts and permissions in the SCADA application. Employees have retired or been reassigned but their accounts remain. Consultants, always a problem, needed access for two weeks but their accounts remain. Make sure everyone who has an account still needs that account.
The next step is to insure each […]

Answer these questions:
- How long would it take you to completely restore the minimum number of servers and workstations required to run your SCADA or DCS?
- How confident are you in the answer above?
- When was the last time you tested a complete restore (operating system, applications, configuration, data) of a key server? Can you […]