Unfettered Blog

The Next Catastrophe

In Saturday’s SCADA listserver, the following note was provided: “We are not safe. Nor can we ever be fully safe, for nature, organizations, and terrorists promise that we will have disasters evermore.” So concludes this important and chilling book by Charles Perrow, professor emeritus of sociology at Yale University.

Substation equipment and cyber issues

Much has been written about what did, didn’t, or could have happened with the recent Florida blackout. Any potential terrorism issues would be physical and/or cyber. Physical terrorism is generally visible and can be ruled in or out fairly quickly.

When everybody is in charge, nobody is in charge

This week’s Florida power outage and resultant shutdown of the two Turkey Point nuclear plants raises a very important issue that the government needs to address. Firstly, the protection systems at Turkey Point appeared to work as designed to protect the units from an outside disturbance (this was not a...

Wurldtech expands product offerings

From the release: Industrial Cyber-Security Leader Introduces New Achilles™ Health Check Program for Operators of Global Critical Infrastructure Wurldtech™ Expands Security Service Portfolio; Offering Industrial Organizations a Simple, Cost-Effective Solution to Protect the Integrity and Availability of SCADA and Process Control Systems Worldwide VANCOUVER, BC – February 27, 2008 –...

Purchasing Language for SCADA systems…

Todd Stauffer of Siemens and I were discussing the need for critical engineering understanding when applying cybersecurity tools to plant-level DCS and SCADA security the other day. Todd reminded me of the fact that there's a government-funded organization called the Multi-State Information Sharing and Analysis Center that has produced...

SANS and the urban legend

Yesterday, SANS held a Webcast on “A Practical Approach to Cyber Security within Control System Environments”. The participants included representatives from SANS, Sandia, SRI, MIT Lincoln Labs, and ArcSight. There were several slides of interest as well as the basis for the entire presentation that need to be addresse...

About how risk management works…and doesn’t work

ISA SP99 is working on the Part II standard. The current discussion is on risk. I am including my response looking for discussion on this subject. My premise is that traditional risk methodology (frequency * consequence) does not apply to control system cyber security.

IT Security Still Does Not Get It!

I’m frankly tired of people telling me there is no difference between IT enterprise security and plant level IT security. They can blow on and on about that for all they want, but they can’t prove it. I CAN prove my assertion. Here’s more proof.

The IT Security Glass Ceiling

I received an invitation from the Center for Strategic and International Studies (CSIS) to attend (not participate in) an event: “Improving Cybersecurity: Suggestions from Private Sector Experts”. The panel chair and panel participants are all from the IT security community. We still haven’t broken through the glass ceiling. Joe Weiss...

Process Control Safety System Hack

One of the highlights of the Applied Control Solutions August Control System Cyber Security Conference will be a demonstration of a cyber attack on a typical process control safety system. The attack will traverse a firewall, faulting both a typical controller and safety system without an indication at the operator...