Code signing is a security feature that has been around for quite some time, and has been proven in many other areas, but is uncommon to find it in any control system component and very rare to find in control devices where firmware uploading is an important feature.  Without a doubt the technology is useful, [...]

When stories about Internet based attacks on control systems, like the 60 Minutes story, appear on sites like Slashdot, most people question the need to attach the control network to  another network.  In my previous position at a National Laboratory, I have seen proper network segregation implemented successfully, though at times it can be a [...]

I’ll start off by saying don’t believe all the FUD that’s been going around, we all know how many members of the media area when they get hold of a story, especially one that can have a date in the future to speculate on.
That said, there are definitely some interesting things going on with the [...]

Or: “A Few Simple Suggestions for Improving Core Control System Security”
The core precepts of IT security are confidentiality, integrity and authentication, precepts not present in the design of most control systems, but there are some simple changes whose implementation would serve to greatly improve the security of control systems. Changes which could be readily and [...]

One of the most common exceptions to best practice is operators in the control center share an operator account. In fact, they do not login or logout out at all. The main reason for this is operators cannot risk losing access to the HMI for even a few second or minutes it takes to login [...]

Loyal readers of this blog know I’m a huge proponent of strong, two-factor authentication solutions to prevent all the vulnerabilities in password authentication. Two factor is based on having two of the three factors:
- something you know (a password)
- something you have (a token or smartcard)
- something you are (a fingerprint)
At Distributech I came across [...]