A friend and I were discussing some new security features in a well known brand of Programmable Logic Controller (PLC). The features are almost exactly what most IT security experts have been demanding for years. Unfortunately, they are also very complex, arcane, and difficult for a typical engineer to want to mess with. If it [...]

Although I was invited to attend one of Joe’s social gatherings several years ago, I have never attended any of his conferences, until this past week.  Despite the fact that critics of Mr. Weiss have stated that he is self-serving, contrary to popular belief, he is not.  Joe encourages people to meet, network and discuss [...]

Chris Blask wrote a very thoughtful blog at Infosec Island.  However, I think he glossed over some things that probably need to be addressed. The first sentence shows some problems right away: “The root problem with SCADA security is that control systems have been built on the concept that devices can be trusted.” As any [...]

In his recent post, Dale Peterson accuses control system vendors of being lax about security. I can’t say I disagree that Siemens could be doing a much better job handling the security flaws they’ve been hit with following Stuxnet and later with NSS Labs discoveries. However I think Dale oversimplifies the situation by suggesting that [...]

Codenamed “NINJA”, is an acronym meaning “Network INtelligence Joint Analysis“. The idea or notion behind this project is to provide a method by which to test, evaluate and enumerate serial and/or network connected SCADA and control systems devices. This project makes use of Fyodor’s Network Mapper (NMAP) utility, and all scripts written and provided by/through [...]

Many of you in IT departments may be wondering why there is such a cultural gulf between Operations and IT.  Here’s what it looks like from the plant floor: Because of the way that IT departments are tightly coupled to many parts of the company, if anything is amiss, it will usually manifest itself in [...]

One of the oldest projects of the DNP Technical Committee has been the ongoing effort to write a comprehensive Master Station test procedure.  It is a long, difficult thing to do. Unlike the remote side of a SCADA system, not only does the Master Station has a complex job to communicate correctly with an outstation, [...]

Beyond the Control System Cyber-Security: What Should the Process do?

  I have taken a bit of vacation away from comment and analysis of various aspects of critical infrastructure.  This is a good thing as you can become stale, stilted, and loses objectivity on a topic.  It is the objectivity issue that was just brought home in a blinding flash, quite literally. As you probably [...]

If I may make a comment about this very topic… Let me see if any of these items are true (I may not have ALL items listed, so don’t crucify me): (1) Communications (both data and voice) has gone to the Internet; private communications connections now exist thru VPN connections. (2) Private communications used to [...]