Thursday, February 07, 2008

Why SCADA still is insecure

My friend Erik pointed me to this piece of information on the SCADA mailing list. A new SCADA security mailing list is in the works. This snippet is taken from the invitation mail sent to other mailing lists:
"Due to heightened security and awareness levels worldwide, ALL MESSAGES ARE WATCHED CAREFULLY.
Violators who report methods that are going to disable, damage, dismember, destroy, or disarm any control system,
SCADA device, or infrastructure will be reported to DHS (and/or their respective national or federal authority)."

Ex-hacker turned tech journalist Kevin Poulsen, of Wired magazine, had this remark:

"Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues. And we wonder why SCADA is still insecure."

He might have a point there...

SCADA security in upcoming issue of IEEE Security & Privacy magazine

The very relevant and interesting IEEE Security & Privacy magazine will focus its November/December issue on process control security. The submission deadline is the 4th of April, if you are thinking of submitting an article.

See here for more information on the PCS IEEE issue.

Wednesday, February 06, 2008

The 2008 S4 SCADA security conference

We recently attended the S4 conference in Miami, USA, facilitated by Dale Peterson and the good people of Digital Bond.

S4 is the SCADA Security Scientific Symposium, a yearly event held at the end of January.

S4 is a rather small and intimate event that makes you feel that you are in the first row of the conference room and at the same time have first-hand access to the world's technical expertise, the professionals in the SCADA security arena. It is amazing to realize that only a handful of people qualify for that title.

The symposium had eight invited speakers, some very good, some less scientific or relevant. Both keynote speakers were really good. On day one, Steve Lipner, Microsoft's Senior Director of Security Engineering Strategy, gave a talk on security with regard to systems and software development. If only SCADA vendors and others in the automation business would start to work according to these methods, things would certainly look a lot better.

On day two, Dave Aitel described the way a serious security researcher or a skilled attacker works when he (she?) reverse engineers executable code and proprietary, unpublished communications protocols. I just hope that this is the eye-opener that many people really need. They all should know Shannon's maxim and Kerckhoffs's principle: the enemy knows the system. Security should depend on factors other than obscurity.

One of the better speakers, with a really interesting topic, security in wireless systems, was Denis Foo Kune (depicted above) of Honeywell Research. His talk on ISA 100, ZigBee, WLAN and radio systems security was really nice.

For those of you who did not attend the symposium, there is now an opportunity to order the conference proceedings from Digital Bond.

According to Dale, Digital Bond plans to run S4 again in 2009, on the same dates and at the same place. Mark your calendars.