Unfettered Blog

It’s the end of June 2014 and ICS cyber security is still an enigma to many

The past two weeks continue to demonstrate the lack of understanding about the unique issues of ICS cyber security – why isn’t it just IT. This includes the lack of understanding from private industry, DOD, DOE, and academia.

Are spies or malware in our ICS networks– who is really looking?

I have been concerned for years that companies have been monitoring corporate networks and extrapolating those results to the ICS networks. I know of only a few companies that have actual monitoring data from their ICS networks. The results are certainly different than those on the corporate networks.

Physical security is still a problem

I was in Washington DC to be interviewed for an upcoming TV show on cyber security. We spent about an hour filming in front of two critical infrastructure sites. No one came out to see who we were or ask what we were doing. What if we were bad guys?

ICSs and the Internet – what is actually happening

Many ICSs are connected to the Internet and it isn’t expensive to find them. ICSs continue to be connected to the Internet even though they may not be cyber secure. Be careful what you ask for - you just might get it.

Why the Bridge Still Needs to be Built Between Operations and IT

To many in the IT community, the gap in understanding industrial control system cyber security is gaping. I was drawn to a May 29th Dark Reading article titled “Large Electric Utilities Earn High Security Scores as the title seemed to be at odds with what I have seen.

2014 ICS Cyber Security Conference – Mark Your Calendar

It’s official! The 2014 (the 14th) ICS Cyber Security Conference will be held October 20 – 23, 2014 at the Georgia Tech Hotel and Conference Center in Atlanta. As with previous ICS Cyber Security Conferences, the agenda will not be complete until shortly before the conference to accommodate the most...

Video game on hacking control systems

There will now be the opportunity to turn loose a generation of hackers honing their control system hacking skills on video games. According to the videogame trailer, the game simulates more than 60 different hacks from your cell phone where you can manipulate traffic signals, cause blackouts, etc.  

The electric industry still doesn’t understand what sophisticated attackers are after

Stuxnet and Aurora are not traditional network vulnerabilities and cannot be found or mitigated by using traditional IT security techniques. The Smart Grid NISTR-7628 and NERC do not identify design features that can be exploited. There is a disconnect between what the electric industry is trying to protect and what...

Keynote presentation at Stanford University cyber security workshop

I will be delivering the keynote at the May 31, 2014 ECSaR 2014 Workshop on Engineering Cyber Security and Resilience at Stanford University. The agenda can be found at www.ECSaR-2014-Program.docx. Details on the overall conference can be found at http://www.scienceengineering.org/ase/conference/2014/cybersecurity/sanjose/website/138-2/.

DOE Cyber Security Procurement Language – Is It Comprehensive Enough

DOE recently issued their revised report on Cyber security procurement Language for Energy Delivery Systems dated April 2014. The report is an update on the 2009 INL report. The report does a good job of addressing communication networks and traditional IT issues.