-
Tuesday, December 18, 2007
Back To Basics: Testing Industrial Control Systems 101
Industry has thrown down the gauntlet to vendors and suppliers of security testing solutions: Testing the network stack or communications protocols is insufficient to ensure safe and reliable operations of industrial components. While plenty of testing tools exist out there today, vendors and asset owners are showing us that you can’t simply tell me that the network stack is up or down. We need to know what jeopardizes uptime and most importantly, safety. A testing methodology that does not reveal the Failure on Demand calculations and provide a reasonable model of failure modes, predictability of failures, and provide accurate feedback ...
Read full story
-
Tuesday, December 11, 2007
Taking the Next Step Towards Controller Certification
Simply stated, all electronic components are subject to failure. The question is how resilient should we make these components to sustain temporary network fluctuations or security events? The ever-present challenge to an engineer is to keep the process up and running when it supposed to be, and to keep it safe. Knowing the failure modes of controllers, understanding design constraints such as network load and capacity, and understanding the other electronic factors that could impact the uptime of a process gives any engineer a keen advantage in performing their jobs. But with enough on their plates already, should this type ...
Read full story
-
Wednesday, December 05, 2007
Facing Down the Biggest Challenge to Security: Justifying Spending
Finding someone to say that security doesn’t matter is a challenge. Those few that actually still remain in the dark today haven’t knowingly experienced a security problem or have either been living under a technological rock or simply do not understand the whole scope of what security challenges exist. While most would say that security is a problem and they want to protect our assets, businesses, and infrastructure, taking the next step is often hindered by the questions of “what to do” and “who will pay for it?”.
Luckily, “what to do” is becoming much clearer in automation environments. Standards ...
Read full story
-
Tuesday, November 27, 2007
Bryan Singer’s First Month at Wurldtech
It certainly is an interesting time to be in industrial security. This year we’ve seen exploits published for OPC, vulnerability signatures made public, an increase in scans against known control protocol ports, and the rise of a number of new security standards and regulatory requirements. Now nearly every major vendor is offering industrial security services as well, and a number of companies have started in this space. The question is, “what does this mean for industrial automation and critical infrastructure?”
Clearly, there is a need. I have never been to a customer site that told me that they have NOT ...
Read full story
-
Wednesday, June 06, 2007
Addressing Canada’s REAL Threat to Critical Infrastructure
Tyler Williams
Special to the Sun
Tuesday, June 05, 2007
The federal government’s plans to roll out a national strategy this summer to protect “critical infrastructure” systems such as oil and gas pipelines, power plants, telecommunications networks, water supplies and banking from attacks either by hackers or terrorists highlight a growing security issue in our country.
While the threat of attack by suicide bombers requires physical transportation to the pipeline or power plant here in Canada (and so may be less imminent), the cyber-security threat to these infrastructure systems is urgent because it can be mounted via the Internet from ...
Read full story
-
Monday, May 28, 2007
Ethernet PLC and VFD Crash / Vulnerability Causes Nuclear Plant Failure
The following articulates a real world case study and example why protocol stack security and reliability is so important. Excerpt From From a NRC report dated April 17, 2007
On August 19, 2006, operators at Browns Ferry, Unit 3, manually scrammed the unit following a loss of both the 3A and 3B reactor recirculation pumps. …
The licensee determined that the root cause of the event was the malfunction of the VFD controller because of excessive traffic on the plant ICS network. … The licensee could not conclusively establish whether the failure of the PLC caused the VFD controllers to ...
Read full story
-
Tuesday, May 15, 2007
Wurldtech Labs Announces First Set of Achilles Certified™ Industrial Controllers.
Six Industrial Controllers Earn Wurldtech Labs Achilles™ Security Certification Vancouver, BC May 15, 2007 – Wurldtech Labs, an independent division of Wurldtech Security Technologies, announced today the results of its initial round of Achilles™ Certification Testing. The following six products earned The Achilles™ Level 1 Certification: CENTUM CS 3000 R3 Field Control Unit – Yokogawa Electric Corporation; CENTUM CS 3000 R3 Vnet Router – Yokogawa Electric Corporation; DeltaV™ Controller – Emerson Process Management; ProSafe®-RS Vnet/IP Safety Control Unit – Yokogawa Electric Corporation; Tricon™ Safety Controller – Invensys Process Systems – Triconex; Trusted™ Safety Controller – ICS Triplex.
“As business and ...
Read full story
-
Monday, May 14, 2007
Automated Testing: Step by Step
Automated testing is inherently difficult. Worse, there is spotty coverage of the topic in university courses and experienced personnel are scarce in industry. As a result, there is a lot of confusion about the most important concepts and techniques.
Suppose that we want to perform automated testing of a networked SCADA device: the device-under-test or DUT. Typically, the following six steps are required:
Build the test harness. Configure a PC to send packets to, and receive packets from the DUT. The PC may use a commercial HMI or custom software to send and receive the packets. The PC may also ...
Read full story
-
Monday, May 14, 2007
Controllability and Observability in Test Automation
Once the test inputs have been selected and the expected outputs determined, test execution can begin. The cost of test execution is heavily influenced by two factors: controllability and observability. Controllability refers to the ease with which inputs may be supplied to the device-under-test (DUT). Observability refers to the ease with which outputs from the DUT may be observed.
Controllability and observability are useful in two important ways:
Controllability and observability help testers to predict test automation problems. Consider a test configuration using a GUI-based HMI to test a device. Here the controllability is poor: the inputs are supplied with ...
Read full story