I remember participating in a work group composed of national representatives tasked with coming up with norms for confidence and security building measures (CSBM) for states to follow in cyberspace. This was quite exciting to be a part of at first, but the discussions slowed down when a representative of a cyber-superpower raised the issue of […]
Category: General Topic
Zero Trust and ICS
The goal of Zero Trust is getting data securely across network, storage, and computing infrastructure you may not trust. The message is usually between two software entities that are trusted with human beings behind them. But that’s not what happens in an Industrial Control System, such as a DCS or a PLC based plant system. […]
Focus on Integrity
There may be a few people who are puzzled by why I referred to PLC Security as “security.” And this brings me to an often forgotten part of the AIC security triad. Yes, there is Availability. There is Confidentiality. You tend to see a lot of discussion about the former among ICS security people. You […]
Could you also have an engineer’s Security Operations Center (SOC) rather than an IT/OT SOC?
I recently watched a webinar on industrial control system security[1] and asked a question during the Q and A. My question was “Could you also have an engineer’s SOC rather than an IT/OT SOC?”. My motive for asking this question was based on my understanding that the traditional enterprise SOC is IT oriented (office LAN/WAN, […]
The Forgotten Aspects of ICS Security
I was lamenting the state of the Industrial Control System Security recently with some friends. Things are very lopsided right now. In the beginning days of ICS Security concerns, there were a few hackers who had no idea what they were getting into and a few very scared engineers who were uncertain about what these […]
Diagramming ICS Security
In a blog post, Sarah Fluchs made a very important point: We have diagrams and abstractions for virtually everything in an industrial control system. But for some reason, we don’t do this for industrial control system network security. I think she has pointed her finger on the pulse of the problem with industrial control […]
Do Not Write Directly to Outputs or Timers in a PLC
Another point I made in the S4x20 Presentation had to do with input validation in a PLC. If you have paired inputs, such as START and STOP, FORWARD and REVERSE, OPEN and CLOSE, etc… you should ensure that both inputs or both outputs are not asserted together. It is an important validation step to ensure […]
Handling Indirection Safely on a PLC
I’ve seen my share of indirection errors on a PLC. I developed the method I describe here because I was sick of seeing people scratching their heads, wondering where the weirdness came from. There are many reasons to use indirection, or the value of a register in another register. There may be a need for […]
Integrity Features of a Programmable Logic Controller
Introduction This blog post is an outgrowth of a topic I quickly waved my hand about at S4x20. Glenn Merrill reminded me that I hadn’t really followed up on it. It deals with the built-in self-integrity and diagnostics features found in most Programmable Logic Controller (PLC) gear. First and foremost, the PLC vendors […]
Coming on April 1st
Joe Weiss’ UNFETTERED blog is coming to the //SCADAS.EC website starting on April 1st.