Unfettered Blog

Lesson learned from the utility test bed- the system is broken

Last week, the utility met with one of their major ICS vendors to determine if the vendor would be willing to support the utility's test bed concept. The purpose of the test bed is to maintain or improve reliability with security being a potential impact on reliability not the traditional...

Medical device and control system cyber security

I attended the San Francisco Electronic Crimes Task Force Medical Device Security Conference. If they didn't continue to repeat the words "medical device", the conference could have been an electric, water, chemical, mass transit, manufacturing, etc control system cyber security conference.

Lessons learned to date on utility testbed

Even though we are just in the preliminary stages, there have been a number of interesting findings:- Even though there are a plethora of cyber security solution providers, very few actually understand the unique needs of the ICS community.- Many of the non-ICS technologies, though not developed for reliability, can...

Where are the control system cyber security solutions???

About a month ago, I issued a call for control system cyber security solutions to be evaluated by an electric utility in an actual utility setting. The utility has power plants, electric distribution and low level transmission, SCADA, Smart Grid, etc.

The threat to industrial control systems (ICSs) from Physical Persistent Design Features (PPDF)

Industrial control systems (ICSs) were designed for reliability and safety and to enable system operability and functionality. Many ICSs were originally designed before networking was commonplace. Consequently, cyber security was not a design consideration. There actually were many design features that would enable the systems to be more operator-friendly and...

RSA 2013 and ICS cyber security

The control systems used in critical infrastructures are different than those in traditional business IT systems. As mentioned in a previous blog, I am currently working with one of the only electric utilities in the US (they are not ready to identify themselves publicly) that is actually trying to secure...

SANS SCADA and Process Control Security Survey - the state of the industry is discouraging

SANS published their SANS SCADA and Process Control Security Survey. The results paint a very confusing picture and actually demonstrate the existing approaches to awareness and security are not working.

Looking for ICS cybersecurity solution providers willing to have their solutions evaluated

Do you have an ICS cyber security solution? One of the most progressive electrical utilities in North America is looking to engineer secure solutions. They also plant to share results with industry in the hopes of improving all systems.

NERC's cyber security approach is preventing the electric grid from being secured

Background: In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly...

What is Iran up to with control system cyber security

Last year, an engineer from one of Iran's largest engineering companies (or so we were told) provided an unsolicited paper on Stuxnet and antivirus to Walt Boyes at Control magazine. The article was a good technical article (see earlier blog on this subject last year).