Submitted by Eric Byres on Tue, 2011-04-26 21:00
One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.
Thus, if you have an ICS security problem, first look for solutions such as user training or better processes rather than technology solutions. This sounds good on the surface, but I’m not sure it’s true.
Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.
Submitted by Eric Byres on Wed, 2010-12-15 14:28
Last week Jason Holcomb at Digital Bond wrote a great article called “Everybody Knows Your Passwords” on the issues of default passwords. In it he talked about how some control system vendors continue to bury hidden “default” passwords in their systems. As Stuxnet illustrated, these passwords can later be accessed by malware or hackers, making them the perfect backdoor into a company’s operations.
Submitted by Eric Byres on Tue, 2010-08-31 15:33
One of the best things about the whole Stuxnet worm fiasco is that it has brought one of the biggest security issues – the use and abuse of passwords – into focus. Currently most of the discussion has focused on Siemens’ unfortunate use of fixed default passwords in their products (for example, see Joe Weiss’ post on http://news.infracritical.com/pipermail/scadasec/2010-August/001756.html).