The field of auto hacking continues to grow, and we have our first auto hacking tool – called CarShark of course. The challenge is in intercepting the signals more than hacking the systems in the car. The question is why would an adversary want to do this? Where is the profit or gain? Besides doing [...]

A lot of noise this week, but only two items for the News and Notes.

NERC asked all members to provide information on the number of Critical Assets they have today under CIP, and how many they would have under the draft CIP-002-4. The draft version is much more detailed on what is and isn’t a [...]

The Associated Press reported that DHS is now in the control system security assessment and incident response business. Well not really, the work is provided free of charge with a $10M budget this year and $15M next year. “So far, said McGurk, the teams have done 50 assessments and have been dispatched 13 times to [...]

For the past couple of weeks I have been discussing the basics of Metasploit. There was a minor version update, 3.4.1, that came out late last week. A few interesting updates arrived in 3.4.1, including a limited version of the Meterpreter that runs on PHP. There is also a Meterpreter extension named ‘RAILGUN’ which lets [...]

A busy week in control system security.

We talk a lot about fuzz testing at S4, in classes and occasionally on the blog. Here is a novel idea from a Microsoft blogger, develop your software in a way that makes man-in-the-middle fuzz testing easier. [hat-tip: Bryan Owen]
A Control Design article gives an example of a configuration [...]

The National Security Agency will be monitoring US corporate networks in a program called Perfect Citizen “to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants” according to the WSJ. Participation in this program will be voluntary, but the government has a lot of [...]

I spent some time last week working with the Nessus Cisco IOS compliance plugins. My testing and blog post mostly focused on routers but a great comment from Michael Toecker got me thinking about network switches and their role in control system security. They are an important, but often overlooked, element of control system IT [...]

Industrial Defender adds HIPS/HIDS to there control system security product line. This is a private labeling of the CoreTrace white listing solution, although Andrew Ginter indicated they are looking at adding some control system specific features. CoreTrace is making some inroads into the control system space.
A thread on a Foxboro list talks about some performance [...]

Protecting Industrial Control Systems From Electronic Threats by Joseph Weiss
7 Word Review – Missing: a quality editor. Pass on this.
Joe Weiss’s, one of the pioneers in control system security, attempt at writing an overarching book on control system security is almost unreadable. It meanders, doesn’t provide information or opinions in a coherent way, and continues [...]

An amusing article on life for a Fanuc 430iL industrial robot after it is retired. It now has gotten its big break in TV advertising.
Meterpedia.com maps out where smart meter projects are happening in the US and around the world. Click on one of the AMI pins and you will see some details on the [...]