2016-11-13

SCADA Security Site Launched

www.scada-security.ca is live. The site is focused on approaches to modern SCADA Security education. One of the things I'm doing at Waterfall Security Solutions, is working with a couple of different universities to add SCADA security content to their undergraduate and graduate programs. As those efforts bear fruit, I will be posting pointers here to different sorts of course content.

SCADA Security Published

My book SCADA Security - What's broken and how to fix it is live on Amazon in soft-cover and Kindle formats. The book's launch was the Waterfall/TDi mingle at the ICSJWG last month, with copies available for all ICSJWG attendees complements of Waterfall Security Solutions.

Protecting Critical Infrastructure Published

Cyber-Physical Security - Protecting Critical Infrastructure at the State and Local Level was published recently. I contributed chapter 4 "Cyber Perimeters for Critical Infrastructures." Essential to modern thinking about control system network perimeters is the concept of "trust," "criticality," or "impact" - different authors use different words for the concept.

2012-09-06

100,000 Vulnerabilities

(This article was originally published on the Digital Bond blog.)

The popular press cites an “alarming” statistic from time to time – the “dramatic” increase in cyber-security vulnerabilities being reported in industrial control system components. 129 were reported in 2011, vs only 15 in 2010 and 14 in 2009. Those of us in the industry of course groan when we read nonsense like this. We know the truth to be rather more “dramatic.”

How bad is SCADA security really? Let’s do the math.

2012-06-29

ICS and SCADA Security Myth: Protection by Firewalls

(This article was originally published in the June, 2012 ICSJWG Quarterly Newsletter.)

In this article I am going to talk about a fairy tale. This tale doesn’t have princes or frogs in it, but instead it deals with SCADA and industrial control system security. The existence of a “firewall” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA/ICS security. The idea is that, in a properly designed system, there is a logical barrier between the control network and the business network. Since unauthorized information cannot cross such a firewall, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows:

2012-05-20

Project Basecamp: Tempest in a Teapot

I have been thinking about the DHS ICSJWG Spring Conference of a week ago, and the 2-hour debate at the conference on device security and the Digital Bond "Project Basecamp" project that was announced at January's S4 conference. The debate showed there is still resistance to device authentication, but among end users more so than among vendors. I think Jonathan Pollet's comments about this debate echoing the 1990's IT encryption debate are on the mark. That said though, I still think it will take a long time before device authentication becomes commonplace.

2011-07-19

Air Gaps Dead, Network Isolation Making a Comeback

(This article was originally published on the Digital Bond blog.)

Eric Byres recent post claiming the #1 ICS and SCADA Security Myth is protection by air gaps struck a cord with me. I have been thoroughly distracted of late with my new role at Waterfall Security Solutions but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the the most important benefits of truly air gapped control systems, while still permitting businesses to profit from access to the real-time data produced by their control systems.