100,000 Vulnerabilities

(This article was originally published on the Digital Bond blog.)

The popular press cites an “alarming” statistic from time to time – the “dramatic” increase in cyber-security vulnerabilities being reported in industrial control system components. 129 were reported in 2011, vs only 15 in 2010 and 14 in 2009. Those of us in the industry of course groan when we read nonsense like this. We know the truth to be rather more “dramatic.”

How bad is SCADA security really? Let’s do the math.


ICS and SCADA Security Myth: Protection by Firewalls

(This article was originally published in the June, 2012 ICSJWG Quarterly Newsletter.)

In this article I am going to talk about a fairy tale. This tale doesn’t have princes or frogs in it, but instead it deals with SCADA and industrial control system security. The existence of a “firewall” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA/ICS security. The idea is that, in a properly designed system, there is a logical barrier between the control network and the business network. Since unauthorized information cannot cross such a firewall, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows:


Project Basecamp: Tempest in a Teapot

I have been thinking about the DHS ICSJWG Spring Conference of a week ago, and the 2-hour debate at the conference on device security and the Digital Bond "Project Basecamp" project that was announced at January's S4 conference. The debate showed there is still resistance to device authentication, but among end users more so than among vendors. I think Jonathan Pollet's comments about this debate echoing the 1990s IT encryption debate are on the mark. That said, though, I still think it will take a long time before device authentication becomes commonplace.