I was lamenting the state of the Industrial Control System Security recently with some friends. Things are very lopsided right now. In the beginning days of ICS Security concerns, there were a few hackers who had no idea what they were getting into and a few very scared engineers who were uncertain about what these […]
Category: General Topic
Diagramming ICS Security
In a blog post, Sarah Fluchs made a very important point: We have diagrams and abstractions for virtually everything in an industrial control system. But for some reason, we don’t do this for industrial control system network security. I think she has pointed her finger on the pulse of the problem with industrial control […]
Do Not Write Directly to Outputs or Timers in a PLC
Another point I made in the S4x20 Presentation had to do with input validation in a PLC. If you have paired inputs, such as START and STOP, FORWARD and REVERSE, OPEN and CLOSE, etc… you should ensure that both inputs or both outputs are not asserted together. It is an important validation step to ensure […]
Handling Indirection Safely on a PLC
I’ve seen my share of indirection errors on a PLC. I developed the method I describe here because I was sick of seeing people scratching their heads, wondering where the weirdness came from. There are many reasons to use indirection, or the value of a register in another register. There may be a need for […]
Integrity Features of a Programmable Logic Controller
Introduction: This blog post is an outgrowth of a topic I quickly waved my hand about at S4x20. Glenn Merrill reminded me that I hadn’t really followed up on it. It deals with the built-in self-integrity and diagnostics features found in most Programmable Logic Controller (PLC) gear. First and foremost, the PLC vendors […]
Coming on April 1st
Joe Weiss’ UNFETTERED blog is coming to the //SCADAS.EC website starting on April 1st.
Will the shields they tell us to raise defend against the Borg?
Have been following the warnings and advice currently given to enterprises on bolstering cyber and other defenses in the wake of the recent (January 2019) escalations of conflict between the US and Iran. In particular the warnings that focus on advising those who use “industrial control systems and operational technology”[1]. Technologies used to monitor and […]
Is there anyone out there patrolling the perimeter?
I am on several mailing lists and get news about ICS cybersecurity and bulletins. This past week I looked at another vulnerability bulletin characterized as “Exploitable remotely/low skill level to exploit” and that the exploit “could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system”. I looked further down and read […]
Lessons From the Tower of Babel
Preface and Notes: I am an Engineer. This is a discussion about Engineering, not Religion, or even History. It contains references to texts having religious aspects; but those aspects are not the purpose of this discussion. If this offends you, either because it has a religious element, or because it is a secular viewpoint of […]
Virtualizing a PLC?
In the fourth season of the cartoon sitcom The Simpsons, there was an episode where the town was flim-flammed by a salesman pitching a Monorail for the town. Everyone saw it as a great idea, but nobody could say why. Marge Simpson had her doubts, and of course, she was right. It didn’t work out. […]