Control System Security - Industry's New Challenge

Digital Control Systems and their associated industrial networks and protocols are extending how deeply bi-directional communications reach throughout an enterprise. In many cases, the underlying technology for the business network and the process control network is the same. Consequently, many of the risks found in today's corporate or business environments can now impact the reliable operation of the process control system. This page and its links highlight some of the vulnerabilities, their sources, and the remedies that the modern integrated control system needs to address.

The Following Technical Articles and White Papers are from Tofino Security

Securing Your OPC Classic Control System - Thomas Burke and Eric J. Byres - OPC Classic is a software interface technology used to facilitate the transfer of data between different industrial control systems. It is widely used to interconnect Human Machine Interface (HMI) workstations, data historians and other hosts on the control network with enterprise databases, Enterprise Resource Planning (ERP) systems and other business-oriented software. Unfortunately, securely deploying OPC Classic has proven to be a challenge. This white paper describes two independent techniques for ensuring strong security in systems using OPC Classic technology. The first creates zone-based defenses using OPC-aware firewalls. The second takes advantage of improvements in the Windows operating system for managing OPC accounts and permissions. Both security techniques are available and proven for use in today’s control systems.

10.11 Siemens PLC Security Vulnerabilities – It Just Gets Worse - A new article by Eric Byres has been posted on the Practical SCADA Security blog.

10.11 Insider Threat to Utilities – More Focus Needed on Critical Components - Recently the United States’ Department of Homeland Security (DHS) released a report on “Insider Threat to Utilities” that has been getting a lot of attention in the mainstream media. While released “For Official Use Only (FOUO)”, the report has been posted on the Internet and portions of it have received considerable media coverage. Unfortunately, media coverage so far tends to focus on the dramatic, such as the potential threat of Al-Qaeda attacks on the ten year anniversary of 9/11, and doesn’t actually help utility owner operators secure their systems. In this article Eric Byres shares his thoughts on how critical infrastructure operators need to extend the report’s recommendations to include additional protective measures.

10.11 New SCADA Security Reality: Assume a Security Breach - This article highlights that the "fortress" mentality on security sometimes does not work.

10.11 Antivirus Protection for PLCs – Not Enough on its Own - If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own. For the most part, AV software only works if you have a signature, which is great for dealing with well known common malware like Conficker. Unfortunately, there is no signature for a worm using a zero-day vulnerability. Stuxnet proved that – it was in the wild for a year before there were any signatures available. Antivirus software did not spot the worm for that year.

10.11 SCADA Cyber Security Problems – Just How Common are the Programming Errors? - This interesting article by Rob Hulsebos has been posted on the Practical SCADA Security blog. Find out how and why common programming errors still exist in today’s SCADA systems.

10.11 SCADA Security and the Broken Business Model for Software Testing - David Alexander - Recently Rob Hulsebos wrote an article for this blog where he raised the perennial problem of programming errors contributing to security vulnerability. I have a newsflash for you - this isn’t new. It may be a new concept to some in the world of Industrial Control Systems, but it’s been a problem for software engineers since about 5 seconds after the first ever program successfully compiled.

Securing Legacy Control Systems - Peter Welander - Very few of the process control platforms operating today were installed with any cyber security protection built in. Most predate wide deployment of the Internet. Can these systems be protected against today's threats? Thanks to Control Engineering.

Maritime Security: Meeting Threats to the Offshore Oil and Gas Industry - This paper covers challenges faced by the oil & gas industry in securing its vital offshore production assets. It discusses key requirements for an effective platform security strategy, and describes the latest technology enabling an integrated security management system - from Honeywell.

The Can of Worms Is Open-Now What? - John Cusimano and Eric Byres - The recent Stuxnet worm that targeted Siemens HMI and PLC systems highlights the fact that designing a good cyber defense for your SCADA or process control system is no longer an option. While the motivations of the worm's designers are still not clear, the undisputable fact is that this worm was designed to let an outsider gain unauthorized access to control systems using the most widely deployed brand of PLC and SCADA products in the world. To their credit, Siemens and Microsoft responded rapidly to the Stuxnet threat, and provided a patch to address the vulnerability and a utility to detect and remove the virus. But everyone knows it's always better to prevent a threat than to react to one. So, how can you protect yourself from the next Stuxnet? From www.controlglobal.com

Cyber Security And The Pipeline Control System - Eric J. Byres - Sound strategy, regardless of whether it is for military, physical or cyber security, relies on the concept of “defense in depth.” Effective security is created by layering multiple security solutions so that if one is bypassed another will provide the defense. This means not overrelying on any single technology such as a firewall. Firewalls aren’t bad technology. In fact, they are a fantastic tool in the security toolbox. But, industry has misused them by believing they will solve all security - from Tofino Security.

Process Control System Security - Max Rockliff, Principal PCS Security Engineer, Plexal Group - This excellent 22 page white paper is a good starting place for anyone looking for information on control system security.

Chemical Industry gets Serious about Security: Perfecting Programs, Educating Users - Ellen Fussell Policastro - This excellent article describes how the industry is sharing its knowledge about security and helping manufacturers build their fortresses, to not only comply with new government regulations, but to enhance the overall security of control systems throughout the industry - ISA and InTech

Video Surveillance - Thanks to Bristol Babcock.

SCADA Systems Deserve And Are Earning Central Security Role by Kevin Finnan, Bristol Babcock

Water Security by Kevin Finnan, Bristol Babcock

Automation.com's excellent Cybersecurity Portal

Arcweb.com's Cyber Security site.

Blackhat Site http://blackhat.com

Department of Homeland Security http://www.dhs.gov

National Energy Resource Commission http://www.nerc.com

National Institute of Standards and Technology http://csrc.nist.gov/publications/nistpubs/index.html

United States General Accounting Office, “Critical Infrastructure Protection Challenges and Efforts to Secure Control Systems,” Report GAO-04-354, March 2004

Process Control Security Requirements Forum

Some super security papers from Primatech

Safety Considerations for SCADA/DCS Attacks by Jonathan Pollet, Plant Data Technologies

A series of papers and presentations from Dale Peterson of Digital Bond

The Information Systems Audit and Control Association has more information on security.

National Institute of Standards publication “Protecting Industrial Networks from Cyber Attacks”