2010 ICSJWG Fall Conference

(This article was first published on the Digital Bond blog.)

Here are what I thought were the highlights of the DHS ICSJWG fall conference, in addition the opportunity to talk to many ICS security experts:
  • The Tuesday afternoon Stuxnet sessions – excellent presentations from ICS-CERT, Microsoft, Siemens and Industrial Defender. There was not much new in the presentations, but they did a great job of pulling together everything that was published in many different places over the last several months. 


Failures of Common Wisdom

(This article was first published on the Digital Bond blog.)

In preparing a paper on what steps sites can take to protect against sophisticated threats like the Stuxnet worm, it occurred to me that I had not recommended any of the steps that enterprise IT people consider “common wisdom.” I did not recommend these measures because they would have made little difference to the progress of the Stuxnet worm during the six months or so – January through July of 2010 – that the mature version of the worm circulated without detection.


SSL vs IPSEC Virtual Private Networks

Remote Site and Equipment magazine just published an article I submitted while I was still at Industrial Defender. The article contrasts IPSEC with SSL virtual private networks, and explores how well each meets the needs of providing access to remote sites like substations, pumping stations and compressor stations. The article also touches on a security problem endemic to "web-proxy SSL VPNs" and explains when and why to avoid that one variant of SSL VPN technology.


Security Basics: Network Intrusion Detection Systems

I am working on an updated whitepaper on the Stuxnet worm, and am asking myself how regulations like NERC-CIP and the DHS Risk-Based Performance Standards Guidance for CFATS can be strengthened to address threats like Stuxnet. One conclusion I'm reaching is that neither regulation requires much in the way of intrusion detection. Yes, they require logging of unsuccessful access attempts in a number of contexts, but this really is a poor substitute for an intrusion detection system (IDS). Ideally, an IDS tells you when an adversary has succeeded in compromising host or network protections. Defense-in-depth is predicated on alternating layers of both protection and detection, so that as an adversary works deeper into your systems, an alarm is raised. Detection raises the alarm, protection layers slow down the adversary, buying you time to shut down the attack.


Symantec Stuxnet Dossier

Symantec has published their long-awaited W32.Stuxnet Dossier. The dossier details high-level topics already introduced in the Stuxnet thread in the Symantec blog, and provides a couple of surprises as well.


Welcome to Control System Security

Hello everyone, and welcome to the Control System Security blog. My focus here is industrial control system security news, technologies, practices and experience. My hope is to post information and experience which helps owners and operators improve the security of their facilities. I will also provide coverage of news, attacks, standards developments and other topics which can be essential background for improving technologies and programs.

The blog may seem to be "picking up in the middle of a conversation." That's because I was the principle contributor to the Findings from the Field blog while I was at Industrial Defender. If you would like some of the background posts leading up to where I'm starting here, you may want to check out my postings ending in September 2010 in Findings from the FIeld.

I welcome comments, even dissenting ones. If you have a specific security issue you would like to discuss, but not in public, please feel free to send me mail or give me a call. I am always grateful for an opportunity to understand specific issues that sites are having.