Submitted by Heather MacKenzie on Mon, 2013-11-04 21:00
Today I am glad to be writing about a good news story. That story is that Belden's Eric Byres is being awarded the ISA (International Society of Automation) Excellence in Leadership award for his contributions to the automation industry in the area of industrial security.
This award must be particularly exciting for Eric because it is ISA's most prestigious award and is awarded by his peers, that is, members of ISA.
ISA President Terrence G. Ives remarked:
Submitted by Heather MacKenzie on Wed, 2012-08-01 21:00
Engineers as well as IT staff in the process control and SCADA industries have varying levels of knowledge about industrial cyber security. We come across this regularly when talking to people at industry events or speaking with customers or partners. To help you, no matter where you are in the learning curve, we have recently released a five-part video series.
This article summarizes the videos and provides you with direct access to them.
Submitted by ernest.hayden on Thu, 2012-07-26 12:54
Submitted by Eric Byres on Fri, 2012-01-20 14:08
I am flying home from Digital Bond’s S4 SCADA Security Symposium as I write this (BTW this was a stellar event where, even as a security expert, I learnt an amazing amount). After listening to two days of excellent, but scary talks, the first thing that comes to mind is “SCADA/ICS security is in worse shape than I thought”. Much worse shape…
Submitted by Eric Byres on Fri, 2011-12-16 09:31
On December 12, Rubén Santamarta publicly announced details of multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module. These are serious vulnerabilities, involving hard-coded passwords that give an attacker complete access to the device. As Reid Wightman puts it
Submitted by Eric Byres on Wed, 2011-08-17 11:08
Last week I discussed the first steps to take to get started to improve ICS and SCADA Security in your facility. Those steps included:
- Step 1 - Conducting a Security Risk Assessment,
- Step 2 - Learning Industrial Cyber Security Fundamentals, and
- Step 3 - Understanding the Unique Requirements of ICS and SCADA Cyber Security.
This week I discuss the remainder of the process.
Submitted by Eric Byres on Wed, 2011-07-20 12:56
Submitted by Eric Byres on Tue, 2011-05-31 15:26
Submitted by Joel Langill on Mon, 2011-05-02 21:00
Nowadays Stuxnet has become a household term the second anyone talks about cyber security for industrial control systems (ICS). This sophisticated piece of malware first identified in 2010, showed just how powerful an ICS compromise could be in terms of both the impact to manufacturing operations and the possibility of mechanical damage. Was this an isolated attack, unlikely to occur again, or the beginning of a new era in ICS security issues?
Submitted by Eric Byres on Tue, 2011-04-26 21:00
One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.
Thus if you have an ICS security problem, first look for solutions such as user training or better processes rather than technology solutions. This sounds good on the surface, but I’m not sure it’s true.
Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.
Submitted by Joel Langill on Fri, 2011-03-25 10:10
Submitted by Joel Langill on Wed, 2011-03-23 16:23
One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.
Submitted by Eric Byres on Wed, 2011-03-23 10:17
Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry.
Thirty-Four SCADA Product Vulnerabilities
On Monday an Italian “Security Researcher” published a raft of vulnerabilities (34 in all) against four SCADA products. Below are the affected products with links to the US-CERT announcements:
Submitted by Eric Byres on Mon, 2011-03-21 10:23
There has been a lot of media coverage and discussion of the Stuxnet malware, and its impact on industrial control system (ICS) and SCADA security. We are one of the groups guilty of creating a Stuxnet publishing industry.
Submitted by Eric Byres on Tue, 2011-02-22 16:27
Over the past four months, Joel Langill, Andrew Ginter and I have been working on a really cool research project. We have been investigating how Stuxnet would infect an industrial site protected by a “high security architecture.”
Submitted by Eric Byres on Fri, 2011-02-18 09:34
February has not been a good month for ICS and SCADA security, at least not if you want to feel secure.
Submitted by Eric Byres on Fri, 2011-02-11 15:21
Last week I had the chance to attend a very interesting seminar at the Stanford Research Institute called the DHS/SRI Infosec Technology Transition Council Meeting (ITTC). It wasn’t focused on SCADA or ICS or even Stuxnet, yet some of the talks had a lot of applicability to the control systems world.
Submitted by Eric Byres on Mon, 2011-01-24 10:12
Submitted by Eric Byres on Mon, 2011-01-17 21:00
Over the past month, there has been no shortage of reports on how Stuxnet is attacking the Iranian Nuclear Program. Unfortunately, good advice on what exactly Industrial Control System (ICS) owner/operators can do to protect themselves against Stuxnet (and its future offspring) is in short supply. In fact much of what passes as technical guidance is either too IT-focused or simply wrong.
Submitted by Ron Southworth on Tue, 2010-12-21 21:00
In reviewing material about Industrial Control Systems (ICS) there is one element that, in my opinion, is the most important factor to consider - especially in light of the recent hubbub about Stuxnet and ICS Security. That element is human centered design.
Every aspect of the control system life cycle, whether it is Concept, Design, Construction, Operation, Maintenance, Safety or Security, includes the human element. It is nothing new, but we all see time and time again where human factors, rather than technical factors play a major role in security and or safety issues.