industrial security

You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility.

One of the major differences between industrial networks and enterprise networks is that industrial networks are typically managed by engineers or technicians. Now engineers are experts at making good product, designing control loops and so on, but they are not IT security wizards. That's the reality, and it means that security products that "just work" reliably and safely with automation systems are going to be more effective in actually delivering security than products that don't.

Jeff Smith of American Axle & Manufacturing (AAM) is a guru in the world of industrial Ethernet networking and ICS Security. We were fortunate to have him speak again at the 2013 Belden Industrial Ethernet Infrastructure Design Seminar.

You may have heard some buzz in the press (both US and International) about the release of the Cybersecurity Framework Draft from the US National Institute of Standards and Technology (NIST). However, you may not know much about its background. And you probably don’t know what it may mean to you as a control or security professional. This blog post will give you a high level overview of the genesis of this document and some handy points of reference.

In last week’s Practical SCADA Security blog, I discussed how the new vulnerabilities discovered in DNP3 SCADA masters are carving big holes in the NERC’s concept of the Electronic Security Perimeter (ESP).

If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for 9 products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures on their way.

Eric Byres: One of the statements I continue to hear as I talk to executives, managers and engineers is "None of our SCADA or ICS equipment is accessible from the Internet." So this week’s blog contributor, Bob Radvanovsky, of www.infracritical.com, explains Project SHINE – his effort to determine if this statement is fact or fiction.

Shining a Light on a Big Problem

By Bob Radvanovsky

In a recent blog article – Chicken, Egg, and Chicken Omelette with Salsa – Dale Peterson is squawking like a rooster. Nothing new, but this time his message is scrambled. He once again referred to me as a SCADA Apologist, though this time he also labeled me the “salsa” that accompanies a chicken omelette.

Recently there was a thread on SCADASEC news, a restricted access critical infrastructure mailing list, about the challenges of firewalling BACnet networks. If you only work in the industrial automation space, you may not have heard of this protocol, but it is big in building automation. Regardless, the discussion around BACnet applies to many industrial protocols.

Our last blog, contributed by Thomas Nuth, highlighted the fact that industrial cyber security is now being discussed by heads of state within the international community - the Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year being just one indication of the importance being attached to th

Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year is just one indication of the importance being attached to this issue.

In my last blog, I shared some secrets on how to successfully use patching in SCADA and control systems.

This week, I’ll look at the pros and cons of using compensating controls as an alternative to patching, and discuss the requirements for success.

If you have read my previous blogs on patching for control system security, you might think I am completely against patching. Guess what? I’m not against them!

In my last blog, I discussed the reasons why critical industrial infrastructure control systems are so vulnerable to attacks from security researchers and hackers, and explained why patching for such systems is not a workable solution.

As regular readers of this blog know, after Stuxnet, security researchers and hackers on the prowl for new targets to exploit shifted their efforts to critical industrial infrastructure.

Unfortunately, the Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) applications they are now focusing on are sitting ducks.

Last week I received am email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).

Editor’s Note: This is an excerpt from ISSSource.

It wasn’t that long ago when cyber security seemed like a foreign language to those folks entrusted with running companies. It was not like they didn’t know about it, but it just was not top of mind.

Not anymore.

With cyber threats evolving to the point where they are affecting their companies and their customer’s companies, chief executives are taking a new look and approach to how they attack cyber security.

Editor's Note: this is an excerpt from the Pike Research Blog.

The story goes that a group of business people were stranded on a desert island with a bountiful supply of canned and therefore imperishable food, but no way to open the cans. As the group struggled to find a solution the lone economist in the group piped up, “Assume a can opener…”

We all agree that SCADA and Industrial Control System security needs to improve. However there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective.

As a reader of this blog you likely don’t need to be convinced that SCADA and ICS Security need to be greatly improved. There are several ways to go about accomplishing that, and I am glad that there is a healthy dialogue underway on this topic within the industrial security community. This includes the back and forth between myself and Dale Peterson of Digital Bond, that continues with this article.