-
Monday, February 16, 2009
The not so smart “Smart Grid” - Addendum
There has been a lot of traffic in the blogsphere about Smart Grid security. In the real world, working groups are being formed, standards are being written, and there are many activities by the GridWise Architecture Council (http://www.gridwiseac.org/), NIST (http://www.nist.gov/smartgrid/) and a host of people that truly get it when it comes to security. I think all of this work is absolutely needed and there are a lot of very smart people working on those groups/standards and they are doing a great job.
However…
We are not just talking about the designed-in functionality of all these ...
Read full story
-
Monday, February 09, 2009
Chasing the 0Day Threat
The topic of 0Day Threat or 0Day vulnerabilities certainly get a lot of press. And this is probably for good reason. The common notion is that the 0Day vulnerabilities are the ones that can cause the most harm because they are the ones you’re not prepared for. The industry has matured significantly from the days (and yes, I can actually remember those days) when hackers demonstrated their skill for bragging rights. These days, we’ve got sophisticated markets where vulnerabilities are bought and sold and I am sure it does not surprise anybody reading this that there is also a lucrative ...
Read full story
-
Wednesday, February 04, 2009
Common Vulnerabilities & Exposures (CVE) For The Rest Of Us
As of today, the Common Vulnerabilities and Exposures (CVE) database, hosted by Mitre Corporation (http://cve.mitre.org/) for the Department of Homeland Security (DHS), contains 34,542 entries. That may not seem like a large number, but any one of those entries can translate to multiple instances in the field. While the contents of this database are very important in the IT world to help security practitioners ply their trade, build rule sets, etc., there is a glaring lack of information on industrial control systems (ICS).
A search of the CVE database using “SCADA” or “DCS” or “PLC” as a search ...
Read full story
-
Sunday, September 07, 2008
On Vulnerability Disclosure
This year’s PCSF saw many productive discussions on the topic of responsible vulnerability disclosure (big hat tip to Zach and Mike who managed to keep the conversations from reducing to a bun fight). I want to take a moment to further detail a few of my own opinions on this subject matter.
Let me begin with a somewhat pragmatic definition of device vulnerabilities: Device Vulnerabilities (I wonder if this is where Tipping Point’s DVlabs name stemmed from) can be thought of as software, hardware, or requirements artifacts that may be utilized to violate the explicit or implied operational characteristics of ...
Read full story
-
Thursday, June 26, 2008
Vulnerability Disclosure - What is the Right Answer?
While this story is getting a bit dated, the timing for my article now is intentional. As you may have seen recently, CORE Security released a cyber vulnerability notification for a problem found by one of it’s analysts in a CITECT product, http://www.coresecurity.com/?action=item&id=2186.
This leads us to question whether or not vulnerability disclosure is the right thing to do or not for the SCADA and process control industry. Of course this question comes up time and again for us here at Wurldtech as well. Hardly a day goes by that a vendor or asset owner asks us if we ...
Read full story