March 2011

Facebook Wins at the Oscars, Fails at Security

The Oscars are over and the film about Facebook, The Social Network, won three awards. Pretty good – I saw the movie and thought it deserved a few gold statues.

But just as I was getting ready for the Oscar weekend, I received the following email from Facebook:

From: Facebook
Sent: Friday, February 25, 2011 1:17 PM
To: Eric Byres
Subject: Joe Smith posted on your Wall.

ISA99 Stuxnet Gap Assessment – Why It’s Important

Last week the International Society of Automation (ISA) announced that a new committee, ISA99 WG5 TG2, has been struck to conduct a gap analysis of the current ANSI/ISA-99 standards with respect to Stuxnet. The goal is to determine if companies following the standards would have been protected from advanced persistent threats (APTs) such as Stuxnet. If not, then the committee will identify what changes are needed.

I have been asked to Chair the committee and I am writing today to let you know about its work, to explain why it is important, and to ask for your participation.

Summing up Stuxnet in 4 Easy Sections - (plus Handy Presentation)

There has been a lot of media coverage and discussion of the Stuxnet malware, and its impact on industrial control system (ICS) and SCADA security. We are one of the groups guilty of creating a Stuxnet publishing industry.

The Italian Job – Multiple SCADA / ICS Vulnerabilities Go Public

Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry.

Thirty-Four SCADA Product Vulnerabilities

On Monday an Italian “Security Researcher” published a raft of vulnerabilities (34 in all) against four SCADA products. Below are the affected products with links to the US-CERT announcements:

More SCADA Security Threats: Where There’s Smoke, There’s Fire

One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are the experienced professionals who do little security assessment before commissioning systems in actual production facilities.

Protecting your ICONICS GENESIS SCADA HMI System from Security Vulnerabilities (plus White Paper)

As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).