Unfettered Blog

Purchasing Language for SCADA systems…

Todd Stauffer of Siemens and I were discussing the need for critical engineering understanding when applying cybersecurity tools to plant level DCS and SCADA security the other day. Todd reminded me of the fact that there's a government funded organization called the Multi-State Information Sharing and Analysis Center that has produced...

SANS and the urban legend

Yesterday, SANS held a Webcast on “A Practical Approach to Cyber Security within Control System Environments”. The participants included representatives from SANS, Sandia, SRI, MIT Lincoln Labs, and ArcSight. There were several slides of interest as well as the basis for the entire presentation that need to be addresse...

About how risk management works…and doesn’t work

ISA SP99 is working on the Part II standard. The current discussion is on risk. I am including my response below, looking for discussion on this subject. My premise is that traditional risk methodology (frequency × consequence) does not apply to control system cyber security.

IT Security Still Does Not Get It!

I’m frankly tired of people telling me there is no difference between IT enterprise security and plant level IT security. They can go on and on about that all they want, but they can’t prove it. I CAN prove my assertion. Here’s more proof.

The IT Security Glass Ceiling

I received an invitation from the Center for Strategic and International Studies (CSIS) to attend (not participate in) an event: “Improving Cybersecurity: Suggestions from Private Sector Experts”. The panel chair and panel participants are all from the IT security community. We still haven’t broken through the glass ceiling. Joe Weiss...

Process Control Safety System Hack

One of the highlights of the Applied Control Solutions August Control System Cyber Security Conference will be a demonstration of a cyber attack on a typical process control safety system. The attack will traverse a firewall, faulting both a typical controller and a safety system, without an indication at the operator...

Some observations on the differences between enterprise and SCADA security

I posted this earlier on the new SCADASEC listserv and I thought it deserved a wider audience. If what you are doing is SCADA security, instead of IT Enterprise security, I would like to offer two observations. The first is that SCADA security has a somewhat different purpose than enterprise security.

Why domain expertise isn’t important in cybersecurity—not.

I had a meeting with a vendor who is not a control system vendor but is working on control system security. Last year they participated in a webinar in which the question was asked what control system cyber events have occurred.

Are you a black hat or a white hat? ACS’ conference timing gives you a choice

date is set for August 4-7 at the Marriott Burr Ridge Conference Center near Chicago. Since 2004, the Control System Cyber Security Workshop has been held in early August. The reason for the date was to avoid the IEEE, ISA, PCSF, DCS and SCADA user group meetings, which generally are...

More on the CIA announcement and culture issues

As noted in a previous blog, I was assured the CIA announcement on the overseas control system cyber attacks was indeed real. The announcement spawned an immense amount of smoke and/or fire (real or fear mongering), as there were essentially no details provided.