2018-03-28

Total Meltdown

The Meltdown / Spectre saga continues. Ulf Frisk just posted a description of a vulnerability he has coined “Total Meltdown”. It seems that Microsoft developers introduced an even worse vulnerability while fixing the Meltdown vulnerability in Windows 7 and Windows 2008 Server R2. With this broken Meltdown “fix” installed, any program can read or write any word in any other program’s memory, or the kernel’s memory for that matter, just by reaching out and touching – no special tricks required. The cure is worse than the disease.

2018-01-05

Protecting Industrial Control Systems from Spectre and Meltdown

The big news today is the Spectre and Meltdown bugs. These vulnerabilities let attack code such as Javascript steal passwords, encryption keys and session cookies from kernel memory and/or browser windows on nearly all modern computers. The performance hits and code changes needed to fix these bugs are extensive. A LOT of costly testing will be needed in the very short term before fixes for Meltdown and Spectre can safely be applied to our ICS/OT/SCADA networks. The only bright spot in this situation is that as usual, Waterfall customers are taking these developments in stride. Properly-designed ICS security programs make it practically impossible for any attack code to reach vulnerable systems. Outside of this community, Spectre and Meltdown will be a major problem.

2016-12-31

Control Is Not Data

(First published in the DHS ICSJWG Dec/2016 Newsletter as Control Is Not Data.)

IT gurus tell us that control system security is essentially the same as IT security, and that both are about "protecting the data." The gurus tell us that, yes, there are two kinds of "data" in control systems - monitoring data and control data - but "data is data." They tell us that all we need to do is protect the CIA, or AIC, or IAC, or something, of the data and we're done - we're secure.

They are wrong.

2016-11-13

SCADA Security Site Launched

www.scada-security.ca is live. The site is focused on approaches to modern SCADA Security education. One of the things I'm doing at Waterfall Security Solutions, is working with a couple of different universities to add SCADA security content to their undergraduate and graduate programs. As those efforts bear fruit, I will be posting pointers here to different sorts of course content.

SCADA Security Published

My book SCADA Security - What's broken and how to fix it is live on Amazon in soft-cover and Kindle formats. The book's launch was the Waterfall/TDi mingle at the ICSJWG last month, with copies available for all ICSJWG attendees complements of Waterfall Security Solutions.

Protecting Critical Infrastructure Published

Cyber-Physical Security - Protecting Critical Infrastructure at the State and Local Level was published recently. I contributed chapter 4 "Cyber Perimeters for Critical Infrastructures." Essential to modern thinking about control system network perimeters is the concept of "trust," "criticality," or "impact" - different authors use different words for the concept.

2012-09-06

100,000 Vulnerabilities

(This article was originally published on the Digital Bond blog.)

The popular press cites an “alarming” statistic from time to time – the “dramatic” increase in cyber-security vulnerabilities being reported in industrial control system components. 129 were reported in 2011, vs only 15 in 2010 and 14 in 2009. Those of us in the industry of course groan when we read nonsense like this. We know the truth to be rather more “dramatic.”

How bad is SCADA security really? Let’s do the math.