Unfettered Blog

Security mindset (or the lack of it)

It has become clear to me there is a difference between how IT and Operations approach security. The IT security organization is very focused on security, sometimes to an extreme. The Operations organizations generally pay lip service. 

“A little rant on patching…” from Eric Byres

Most IT professionals are pretty confident that we know what applications and operating systems are running on our desktops and servers. So when a vendor like Adobe releases an announcement of some new critical vulnerability (

The Next Catastrophe

In Saturday’s SCADAlistserver, the following note was provided: “We are not safe. Nor can we ever be fully safe, for nature, organizations, and terrorists promise that we will have disasters evermore.” So concludes this important and chilling book by Charles Perrow, professor emeritus of sociology at Yale University.

Substation equipment and cyber issues

Much has been written about what did, didn’t, or could have happened with the recent Florida blackout. Any potential terrorism issues would be physical and/or cyber. Physical terrorism is generally visible and can be ruled in or out fairly quickly.

When everybody is in charge, nobody is in charge

This week’s Florida power outage and resultant shutdown of the two Turkey Point nuclear plants raises a very important issue that the government needs to address. Firstly, the protection systems at Turkey Point appeared to work as designed to protect the units from an outside disturbance (this was not a...

Wurldtech expands product offerings

From the release: Industrial Cyber-Security Leader Introduces New Achilles™ Health Check Program for Operators of Global Critical Infrastructure. Wurldtech™ Expands Security Service Portfolio; Offering Industrial Organizations a Simple, Cost-Effective Solution to Protect the Integrity and Availability of SCADA and Process Control Systems Worldwide. VANCOUVER, BC – February 27, 2008 –...

Purchasing Language for SCADA systems…

Todd Stauffer of Siemens and I were discussing the need for critical engineering understanding when applying cybersecurity tools to plant level DCS and SCADA security the other day. Todd reminded me of the fact that there's a government funded organization called the Multi-State Information Sharing and Analysis Center that has produced...

SANS and the urban legend

Yesterday, SANS held a Webcast on “A Practical Approach to Cyber Security within Control System Environments”. The participants included representatives from SANS, Sandia, SRI, MIT Lincoln Labs, and ArcSight. There were several slides of interest as well as the basis for the entire presentation that need to be addresse...

About how risk management works…and doesn’t work

ISA SP99 is working on the Part II standard. The current discussion is on risk. I am including my response looking for discussion on this subject. My premise is that traditional risk methodology (frequency * consequence) does not apply to control system cyber security.

IT Security Still Does Not Get It!

I’m frankly tired of people telling me there is no difference between IT enterprise security and plant level IT security. They can blow on and on about that for all they want, but they can’t prove it. I CAN prove my assertion. Here’s more proof.