The Common Vulnerability Scoring System (CVSS) is designed as a numeric measure of vulnerability and is widely used in IT organizations as a method to understand and prioritize remediation efforts. When it comes to using CVSS scores in the world of the Internet of Things (IoT), Industrial Control Systems (ICS), or more broadly Operations Technology (OT), there are many challenges, and some would[...]
4 Online Scanning Methods That Won’t Take Your Plants Down It’s hard to believe it’s already been a week since I presented at S4x19 on assessment tools for ICS environments. After a brief introduction weighing the risks posed by traditional online tools versus the risk of doing nothing, I walked through four online scanning techniques that offer low impact, high value results. I know these can[...]
Supercharge your hardware security in IoT devices The IoT marketplace moves fast, and device vendors continuously struggle to balance speed to market with implementing proper security measures. When devices cross over between industrial control systems (ICS) and IoT connectivity (often referred to as Industrial IoT or IIoT) ensuring deployed devices are properly secure becomes paramount to[...]
Although value can be derived from offline methods such as paper-based framework assessments, many critical discoveries can only be uncovered through a technical assessment using online, active assessment techniques.
Meltdown and Spectre Overview On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The[...]
7 Questions to Achieve Awareness of the Security Posture of Your Environment After working as a consultant for several years, I sometimes think back to my days as a SCADA security analyst for an oil and gas company. If I knew then what I know now, how would I have done things differently? If I were responsible for keeping an oil and gas company’s assets, processes, and people safe from cyber[...]
In traditional IT security, there is heavy focus on data — data security, data breaches, data loss. It has often been said “it’s all about the data.” This generally isn’t the case for Industrial Control Systems (ICS). There are a few exceptions, but you will often hear discussion about the C-I-A triad for ICS where ‘C” (confidentiality) takes a lower priority position behind Availability and[...]
Many of us have accepted that having a 100% accurate inventory of “all the things” (networks, assets, data flows, etc.) is a pipe dream. To put it in NIST CSF terms, if you wait until you master the IDENTIFY function before you do anything in the remaining functions (PROTECT, DETECT, RESPOND, RECOVER), you will likely fail at securing even the most basic environments. So, the condition that[...]
“Our SCADA communications use AES256 and are 100% secure so we don’t worry too much about security.” That’s a real quote from a real Industrial Control System (ICS) manager from this decade. A technical assessment of that system proved otherwise—there were in fact real cybersecurity vulnerabilities that required immediate and long-term remediation.