April 2011

SCADA Security Requires Software Security Assurance

Submitted by John Cusimano on Tue, 2011-04-05 11:18

The publication of numerous SCADA vulnerabilities by L. Auriemma last month, on top of the game-changing Stuxnet malware revealed last year, has exposed many security weaknesses in Industrial Control Systems (ICS). The weaknesses occur on two fronts: technology and human factors.

OPC Security: More than the Sum of the Parts (plus White Paper)

Submitted by Eric Byres on Tue, 2011-04-12 21:00

When you hear the words “defense–in-depth” do you immediately think of layers of firewalls?

If so, you are not alone – most of us immediately think of security concepts in traditional physical security terms.  For example, we imagine “more defense” as being more moats and castle walls around the crown jewels.  But that is not the only way (or even the best way) to create secure ICS or SCADA systems.

SCADA Security Hack at FPL Wind Turbine - Hoax or Real?

Submitted by Eric Byres on Mon, 2011-04-18 11:08

At approximately 11:00 a.m. EDT last Saturday morning (April 16, 2011), The Repository for Industrial Security Incidents (RISI) received the following email:

Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

The Secret to Easy and Effective SCADA Security (plus White Paper)

Submitted by Eric Byres on Tue, 2011-04-19 21:00

How can I reliably and easily secure my control system?

A lot of people are re-examining this question and giving it higher priority after learning about Stuxnet and the recent publishing of SCADA system vulnerabilities on the Internet.  It is no longer possible to believe that ‘air gaps’ between your systems and the rest of the world, or that ‘security by obscurity’ are effective security strategies.

Simpler SCADA Security Beats More User Training

Submitted by Eric Byres on Tue, 2011-04-26 21:00

One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.

Thus if you have an ICS security problem, first look for solutions such as user training or better processes rather than  technology solutions.  This sounds good on the surface, but I’m not sure it’s true.

Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.