
Blog - exida explains

Dr. William Goble, CFSE
Principal Partner

2012 - Good Progress for Cybersecurity and Functional Safety

Thursday, December 20, 2012

Viewed 1027 times

I think it is wise for individuals to periodically review things. I like to do my professional review at the end of the year. 2012 was a good year.

Product Certification

Over 60 new products received functional safety or cybersecurity certification this year. Those products and more can be found on our Safety Automation Element List. Most significant to me are the new product categories including:

  • Microprocessors
  • Integrated circuits
  • Middleware packages
  • Complete safety systems

Many new manufacturers are using exida as their functional safety Certification Body. Even manufacturers who have an older certificate from another agency have come to exida for FMEDA analysis or new certificates.

exida Certification has expanded its scope…

Control System Security • Functional Safety Certification • (0) Comments • Permalink

Gene Cammack
Director of Gulf Coast Region

Industrial Control System Cyber Security – Legislation and Standards

Tuesday, October 30, 2012

Viewed 1083 times

There is a lot of concern around cyber security in Industrial Control Systems.  With new threats like Stuxnet and Flame, the perceived risk to critical infrastructure has increased dramatically.  There are increased calls for legislation and new methods for dealing with these threats.  The history of how we have dealt with similar risk issues around process safety tells us that there are two ways to address the issues with very different results.  On the one hand, there is a prescriptive approach where you define the remediation that should be required.  This approach might work in very well-defined systems where there is very little change in technology.

The other approach is to define functional requirements and set performance standards that…

Control System Security • (0) Comments • Permalink

John Cusimano, CFSE
Director of Security Services

Pen Testing a Live Control System – Are You Mad?

Tuesday, October 16, 2012

Viewed 1130 times

A recent, disturbing trend I’ve seen in industrial control system (ICS) security is that, in response to concerns about the security of their ICS & SCADA systems, companies are performing penetration (pen) testing on operational systems.  Oftentimes they request these services as one of the first steps in their plans to improve ICS security.

Pen testing, as the name implies, is intrusive testing whereby the tester behaves like an attacker and attempts to penetrate the system.  This often means the tester will deliberately send probe packets or malformed packets on the network.  Pen testing is common practice in IT security as a means of testing the effectiveness of the security controls (e.g. firewall, intrusion detection, etc.) that have…

Control System Security • (0) Comments • Permalink

John Cusimano, CFSE
Director of Security Services

A False Sense of Security

Thursday, June 21, 2012

Viewed 1465 times

About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal.  Outside the window I could see a big city harbor filled with boats, bridges, skyscrapers and approximately 5 million people.  I could also see two huge LNG storage tanks that, I was told, had the hazard potential to form a vapor cloud that could cover the harbor and, under the right conditions, could burn and explode.

I was brought to the facility by a control system integrator who had been working onsite and had concerns about the cyber security of the control and safety systems and the potential risk that it represented.  They wanted me to discuss options…

Control System Security • (0) Comments • Permalink

John Yozalinas
Senior Safety Engineer

(Almost) FREE Security Training

Thursday, June 07, 2012

Viewed 1387 times

The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings are filled with presentations by industry experts on cyber security for ICS. The meeting format can vary somewhat but usually includes several tracks of presentations that cater to the interest of the attendees. There is also one day set aside for cyber security training for either a beginner or intermediate level. One of the best things about these conferences … they are FREE to attend. You only have to pay your travel…

Control System Security • (0) Comments • Permalink

Michael Medoff, CFSE, CISA
Functional Safety & Security Engineer

“Building Security In”

Thursday, May 24, 2012

Viewed 986 times

Cyber Security continues to be a big problem for the world at large and for control systems specifically.  The amount of time and effort that it can take to simply keep all of the security patches up to date on a large control system can be mind boggling.  No matter how up-to-date the security patches are, however, and no matter how well the network was designed, there will still be security vulnerabilities in the system.  Why is this?  This is because of the large number of security vulnerabilities in the underlying software used throughout the system. 

At the time when most of today’s control systems were developed, the software engineers were not aware of the root causes of security…

Control System Security • (0) Comments • Permalink

John Cusimano, CFSE
Director of Security Services

Outrage! Panic! Indifference?

Thursday, February 09, 2012

Viewed 1541 times

How should you react to news of PLC security vulnerabilities? 

Project Basecamp was an exercise conducted at the S4 Security Conference that was held last month in Miami, Florida.  At the event, six security researchers reported their findings on the security vulnerabilities found after testing several PLCs and field devices from several companies.  With relative ease, the security researchers were able to discover, verify and in many cases exploit basic security vulnerabilities such as backdoors, weak or no authentication, buffer overflows, etc. 

Dale Peterson of Digital Bond, the organizer of the event, recently blogged asking, “Where is the outrage?” Dale had expected industry to…

Control System Security • (0) Comments • Permalink

John Cusimano, CFSE
Director of Security Services

Keeping “Dancing Monkeys” out of your PLC

Wednesday, August 10, 2011

Viewed 4628 times

Last week a security researcher, Dillon Beresford of NSS Labs, presented at the Blackhat conference on the security vulnerabilities he found in Siemens PLC firmware.  One of many stories on Dillon’s findings can be found here.  Among other things, Dillon found “dancing monkeys” in the code!  Actually, what he found was this graphic of four dancing monkeys inserted in the firmware as an “Easter Egg” - meaning it was intentionally put there by a developer as a joke.  Easter Eggs are cute in websites and video games but not in software that is operating critical infrastructure.  This finding raises concerns about Siemens software quality assurance practices.  While this prank is most likely harmless, imagine, for…

Control System Security • (0) Comments • Permalink

John Cusimano, CFSE
Director of Security Services

Industrial automation is in the cross hairs of the hacker

Wednesday, June 01, 2011

Viewed 2123 times

As the details of STUXNET’s design unfolded last fall, like many, I was truly impressed by the pin-point precision that the malware authors used to ensure that their target, and only their target, was impacted by the virus.  In this regard, STUXNET may be one of the most responsible pieces of malware ever written, because it was carefully designed to avoid any collateral damage.

However, one of the unexpected outcomes of STUXNET is the extent to which it has aroused the “security researcher” community and has turned their attention from commercial IT products to industrial automation and control systems.  While their motives vary, from seeking recognition and monetary gain to intending to cause harm, the end…

Control System Security • (0) Comments • Permalink

John Cusimano, CFSE
Director of Security Services

The Real Impact of Stuxnet

Tuesday, March 15, 2011

Viewed 7090 times

Stuxnet has, rightly, generated a significant amount of discussion and concern with the industrial automation community.  Fortunately, unless you operate a uranium enrichment facility using Siemens S7 PLCs and some very specific variable frequency drives (VFDs) you probably haven’t been directly impacted by the Stuxnet virus.  However, that doesn’t lessen the concern that variants of Stuxnet or “the next Stuxnet” will not be as targeted and may impact a much broader range of industrial applications.

So, in my opinion the “real” impact of Stuxnet is that it has opened the eyes of many who were either unaware of the dangers of control system insecurity or those that were aware but dismissed the issue as unrealistic.  Ironically, this…

Control System Security • (0) Comments • Permalink
