Vulnerabilities Not News to Experts

(This article was originally published on the Findings From the Field blog.)

Last week's announcement by Luigi Auriemma of 35 unpatched ICS vulnerabilities is no surprise to SCADA/ICS experts. If anything, the surprise in the list of vulnerabilities is that all of them were implementation flaws rather than the more serious design flaws evident in many products. Most industrial sites maintain that their hardened perimeters are doing a good job of protecting the "soft interior" of their control systems. They are mistaken.

There are enormous numbers of unpatched security vulnerabilities in control system software - most undiscovered and un-announced. Thus far few people are looking for ICS vulnerabilities - there is little profit in finding them. Many who find vulnerabilities use the Coordinated Disclosure process, but there is a large population of skillful investigators who believe strongly in Full Disclosure. Expect a steady dribble of these vulnerability announcements - indefinitely.


Inside-Out Pen-Testing Still Rare

(This article was originally published on the Findings From the Field blog.)

Industrial Defender's penetration testers report that they see "inside-out" penetration testing engagements only rarely. In such engagements, the tester starts from some point on the operations network and attempts to compromise equipment on the enterprise network. More conventional "outside-in" attacks do represent a greater risk to most enterprises, but "inside-out" tests really should be carried out more frequently than they are now.


Advanced Threats and Smart Grid Standards

(This article was originally published on the Findings From the Field blog.)

At the recent Smart Grid Security East conference, I had opportunity to ask two standards gurus about advanced threats and existing security standards. I asked if they felt the evidence to date of advanced threats to control systems warranted changes in security standards. The answer was a qualified "no" from both...


Smart Grid Safety vs Confidentiality

(This article was originally published on the Findings From the Field blog.)

I just returned from Smart Grid Security East. The event featured an impressive set of high-powered government and regulatory speakers and a fair number of vendors as well. Surprisingly, I found the "NERC-CIP Compliance" workshop very useful -- in addition to the usual introductory information, there was insightful discussion between a number of security consultants and former NERC auditors as to how this word or that phrase are being interpreted during audits. The event also crystallized for me an understanding of why I have found the AMI/smart meter security space so confusing for the last little while: IT folks see smart meters as billing appliances. ICS folks, like me, see them as control devices. Security requirements for the two classes of devices are very different. Thus far, the IT interpretation is winning...