In their Water and Wastewater Systems Security Recommendations, CISA touched on a subject that I rarely ever see anywhere: Before working on security, it helps to make the automation and the process more resilient. Even more important, the automation should actively refuse certain toxic moves. Yes, CISA was recommending that all Automation be made safer. […]
Category: General Topic
SCADA Apologists?
I really wish things were as simple as Dale Peterson makes them out to be. I’m not an apologist for the security situation among industrial control systems. But if all we had to do is lift a pen and sign off a few dozen checks, the security issue would have been done and gone already. […]
SCADASEC blog website is now secure
Our web site before was not completely secured, and we used self-signing certificates as an interim measure to ensure that the site was secure. Since we are not conducting e-commerce of any kind, the need for über super-secret security wasn’t necessary. Our choice was to use a more cost-effective CA provider called ‘Comodo’. Widely used […]
A new “14 Points” for the security of critical infrastructure in cyberspace
“All the peoples of the world are in effect partners in this interest, and for our own part we see very clearly that unless justice be done to others it will not be done to us.” – Woodrow Wilson, 1918 It was 102 years ago that U.S. President Woodrow Wilson made his peace proposals […]
Unsettling trends in cyberspace: 2010-2020
“Nine for Mortal Men, doomed to die, One for the Dark Lord on his dark throne In the Land of Mordor where the Shadows lie. One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them. In the Land of Mordor where the Shadows lie.” – J.R.R. Tolkien, […]
OT v. ICS Survey
Out of 113 votes, the results break down into 4 components:
OT and ICS are the same: 8%
OT and ICS are different: 16%
OT is a sub-component of ICS: 9%
ICS is a sub-component of OT: 67%
This survey was conducted sometime mid-November, 2020.
The SolarWinds hack can directly affect control systems
A highly sophisticated Russian Intelligence group has compromised the SolarWinds Orion platform which has an estimated 18,000 customers and an unknown but vast number of sites. The SolarWinds advisories and webinars have focused on the IT networks, network visibility, and data exfiltration/compromise. However, SolarWinds is also used to directly monitor and CONTROL SNMP devices including […]
Lack of IoT HVAC control system cyber security and potential real-world impacts
A new IoT valve/actuator from a major HVAC equipment supplier has no device security. A further look at the supplier’s catalog shows additional products that communicate using insecure communication protocols common in buildings, such as BACnet and Modbus. The ability to remotely control these valves/actuators allows for unauthorized control of a building’s environmental control […]
The Chinese hardware backdoors can cause transformer failures through the load tap changers
As I was reviewing my blogs for a paper I was preparing, I found a nuclear power plant incident involving a station auxiliary transformer load tap changer (LTC) failure. Substation transformers have been acknowledged as the Achilles heel of the electric industry. As a result, the 2015 FAST (Fixing America’s Surface Transportation) Act contained a […]
Need for an operational cyber capacity before promptly and effectively acting on threat intelligence
“The pump don’t work cause the vandals took the handles[1]” – Bob Dylan, Subterranean Homesick Blues. “Threat intel” and the vendors who are eagerly trying to offer it are very much in our cybersecurity information space. It sounds like a good idea. One gets a tip that something is about to target your operations next […]