Blogs

Nanny nanny boo boo…or is it? Walt Boyes comments…

Today, we received a press release from a security company, announcing that they had found a vulnerability in a piece of third-party software. We often get these. I'm not naming names. What we DON'T get, however, is the context.

A complete, and still generic, response to Mark

Since Mark has brought up the issue, I think it is time for a complete response. It may ruffle some feathers. When I first got involved in cyber security at EPRI in February 2000, we had to make a decision as to what should be the scope of the program.

If pigs could fly…

I had a telephone and email exchange today with an international electric industry security standards committee that I would like to share. It goes to the heart of the issue that there is little knowledge and understanding of control system cyber security issues and the resulting training that is required.

From Jake Brodsky: Why we need security audits

I suspect many of you know me. I'm Jake Brodsky. I write online about SCADA from the perspective of an asset owner. A lot of people tell me I write good stuff. Most think I have my hea...

More from the St. Mary’s Cyberterrorism and Law conference

I had the opportunity to attend and participate in the St. Mary’s University Cyberterrorism Law Conference in San Antonio Wednesday and Thursday. There were several interesting observations: - Since the focus was cyberterrorism, the conference was heavily tilted toward the government and DOD.

Wurldtech’s Industrial Cybersecurity Database Launches

From Bryan Singer at Wurldtech: Wurldtech is launching an applied research project which I think would appeal to folks like yourself. The planned undertaking is the largest study of its kind, examining the cyber security threats and vulnerabilities present in currently deployed control systems. By leveraging the Achilles platform...

Now, about those spare parts…

I am at a cyberterrorism and law conference in San Antonio.

Security mindset (or the lack of it)

It has become clear to me there is a difference between how IT and Operations approach security. The IT security organization is very focused on security, sometimes to an extreme. The Operations organizations generally pay lip service. 

“A little rant on patching…” from Eric Byres

Most IT professionals are pretty confident that we know what applications and operating systems are running on our desktops and servers. So when a vendor like Adobe releases an announcement of some new critical vulnerability (

The Next Catastrophe

In Saturday’s SCADAlistserver, the following note was provided: “We are not safe. Nor can we ever be fully safe, for nature, organizations, and terrorists promise that we will have disasters evermore.” So concludes this important and chilling book by Charles Perrow, professor emeritus of sociology at Yale University.