From: Digital Bond’s SCADA Security Portal – Friday News & Notes

Posted on 2012/10/22


A quick re-post from Digital Bond's SCADA Security Portal: http://www.digitalbond.com/2012/10/19/friday-news-notes-50/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+digitalbond%2FoLPM+%28Digital+Bond%29

Friday News & Notes by Dale Peterson

ICS Security News

REMINDER – S4 General Registration Opens on October 24th. See The Agenda Here.

Kaspersky’s announcement of a new secure SCADA OS was the buzz story of the week. It’s an ambitious effort with low likelihood of impact on SCADA and DCS for a variety of reasons. I do like the discussion of reducing the attack surface and would recommend vendors look at supporting Microsoft’s Server Core. A few ICS vendors support installations on Server Core. (DP Note – while I think Kaspersky’s attempt is a long shot, so is Project Basecamp. Nothing wrong with taking a shot if you believe in it and think it’s important … and the next Basecamp release comes out Thursday morning)

A significant number and variety of Siemens PLC modules have received Achilles Level 2 certification. This means the modules survived quite rigorous fuzz testing; they are unlikely to go down when scanned or when spurious network traffic gets on the network. It means they are less fragile, but they are still insecure by design. An interesting note on this is Wurldtech named Siemens CERT as an accredited Achilles test facility so these were self certifications.

In other Wurldtech certification news, Yokogawa received the Achilles Practices Certification which covers the overall vendor security development lifecycle. This certification was an outgrowth of Wurldtech’s close relationship with Shell and a derivative of this has been submitted to IEC for consideration as a draft standard.

Rita Wells of INL has been appointed to the 15-member DHS Advisory Council Task Force on Cyberskills. Other members are listed in Appendix B of this link (pdf).

If you want more viewpoints on cybersecurity legislation and USG necessary activity check out the NY Times Room For Debate page. Mike Assante is included to represent the control system space.

A new book is out – Safeguarding Infrastructure Assets from Cyber-terrorism: Measuring and Protecting SCADA systems from Cyber-terrorists in Australia. I’m hesitant to spend $111 and time until we see a few credible reviews. Do any Australian readers know the author and his experience in this area?

Computerworld covers the growing medical systems hacking story, in which Barnaby Jack of IOActive demonstrated he could cause a pacemaker to deliver a deadly 830 volt jolt from 50 feet away. From the article — “the flaw lies with the programming of the wireless transmitters used to give instructions to pacemakers and implantable cardioverter-defibrillators (ICDs), which detect irregular heart contractions and deliver an electric shock to avert a heart attack.”

Tweet of the Week

@joshcorman hope my competitors are considering wasting resources preparing to hack back instead of, dunno, patching their systems for once

@secolive (Olivier Saudan)

Don’t forget to subscribe to this blog’s RSS feed and follow @digitalbond.com on Twitter.


Worth Reading Articles

Empty

Critical Intelligence’s ICS Security Event Calendar Updates

  • EnergySec’s NERC CIP Compliance Training, Dec 4 in Sacramento, California
  • Cyber Security and Information Intelligence Research Workshop (CSIIR), Jan 8-10 in Oak Ridge, Tennessee

Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by mcalamelli

Posted in: reading