commentary

Is there a SCADA link in the Terry Childs incident in San Francisco?


San Francisco and SCADA

Jake Brodsky brought up the following, "Do management and law enforcement types have any clue as to how one might regain control of a SCADA system after a rogue employee has secured everyone out of it?"

I had planned on saying something at the Conference next week but I will bring it up now.

There are two aspects of the Terry Childs’ situation, the San Francisco IT Administrator who locked out his Department from the City WAN, that have interesting implications for SCADA/...

From 'Unfettered Blog'

What ARE the vendors really building?


The major control system suppliers are claiming they provide tested secure DCS and SCADA systems.

To my knowledge, at least four major control system suppliers, in this case 3 DCS and one SCADA, are providing less security than advertised.

In one DCS case, the vendor told me how secure their system was and specifically identified one showcase utility. Unfortunately for them, I knew the utility and the utility engineer. The engineer was so disappointed in the vendor not listening to his needs h...

From 'Unfettered Blog'

Bandolier: Gold Standard, or Only Half Way There?


Bandolier: Is half way there good enough?

I want to specifically respond to Ralph Langner’s comments from my blog post on Severity Levels.

Ralph posted, “While I agree in general that severity cannot be established without context, experience tells me that such context can hardly be established by any kind of automated software tool. Even worse, many asset owners don't have any realistic idea, not to say methodology, of calculating the cost of potential cyber incidents. Wit...

From 'Unfettered Blog'

Guest Post: Jake Brodsky on the Roadmaps and what’s going wrong…


We have a problem.  We have efforts at all levels to secure industrial
control systems, but there isn't much coordination.  Some efforts are
falling by the wayside.  The Roadmaps for energy and water are mostly
taking top-down approaches.  There are approaches in the middle such as
the ISA-99, and going further toward the technical side, Secure
Authentication for DNP and the AGA-12 effort.

However, I know of nearly nothing taking place at the bottom.  There are
training courses from DHS aimed a...

From 'Unfettered Blog'

So where in cyberspace is the nuclear power community?


Where is the nuclear power community?

It has been a year since Congressmen Bennie Thompson and James Langevin sent a letter to Chairman Klein of the NRC with a series of questions related to the Browns Ferry 3 Nuclear Plant Broadcast Storm incident.

One of the questions was why the nuclear community was not working with the non-nuclear community since the non-nuclear community has much more experience with the same equipment than the nuclear community. 

That question is certainly pertinent on...

From 'Unfettered Blog'

Cyber Week in Review: May 19-23, 2008


The Week (May 19-23) in Review

I thought Dale Peterson’s weekly review was a great idea so I have decided to do my own:

Two major events occurred on either side of the country the same day - Congressional hearings on cyber security of the grid and Connectivity Week (Smart Grid) in Santa Clara. The hearings were about the industry and NERC’s inadequate response to cyber security of the bulk electric grid (transmission and central station generation) while Connectivity Week was about the Smart G...

From 'Unfettered Blog'

Electric Power 2008 – is NERC CIP compliance a game?


I just returned from participating on a panel session at Electric Power 2008 in Baltimore. Electric Power 2008 is focused on electric power generation (not transmission and distribution). Consequently, it was fascinating to hear what the generation attendees felt about security and the NERC CIPs as well as to see what the next generation of power generation technologies would look like with respect to cyber.

I thought there were three important points made during the panel session:

From 'Unfettered Blog'

KYFHO: Why IT needs to keep its distance from control systems or learn how to do it right


Why IT needs to keep its distance from control systems

Several actual events and tests have shed new light on why IT needs to understand the issues with control systems before things go uncontrollably wrong. That is, control systems (Operations) coordination and leadership is absolutely required before those networks are touched in any direct or indirect manner. Additionally, it is also important for IT to recognize that control system cyber vulnerabilities can be different than IT cyber vulner...

From 'Unfettered Blog'

Nanny nanny boo boo…or is it? Walt Boyes comments…


Today, we received a press release from a security company, announcing that they had found a vulnerability in a piece of third-party software. We often get these. I'm not naming names.

What we DON'T get, however, is the context. Such and such a vulnerability was found in such and such a software application. And so? And we didn't get that context in this case either.

Industrial cybersecurity is based on risk analysis...and the security company did its customers a disservice in not explaining w...

From 'Unfettered Blog'