Friday, July 27, 2012

Cyber Security: Homes of the future are vulnerable to cyber attacks

Black Hat 2012 has been in Las Vegas all this week (7/21-26). There are always fascinating stories about cyber security that come out at the show, like this one from Click Orlando about how vulnerable homes of the future will be:


With every home on the smart grid, every home with multiple PCs, the ubiquitous smart phone and wireless tablets, the attack vectors would seem endless.  As technology advances, there is a heightened need for cyber security to combat the imminent consequences.


Monday, July 23, 2012

Cyber Security: AWWA - Water Treatment - Update

AWWA ACE12 — Dallas, TX June 10-13, 2012

The AWWA annual conference for 2012 has come and gone.  It was a great conference in many respects this year:  It was held in my home state of Texas, it was the first year we had a cyber security presence in our booth, I participated in my first standards committee meeting as a voting member, and we started reviewing the ANSI/AWWA G430 “Security Practices for Operation and Management” standard. 

Cyber security and water are two words I would have never thought would appear in the same sentence, given my background in process controls and the many times I’ve been at some remote well site with nothing but a chain-link fence and a padlock between me and the PLC (which I could access wirelessly) that operated the site. Then, on that fateful day of September 11, 2001, everything changed. Homeland Security Presidential Directive-7 identified the “Critical Infrastructure and key resources which provide the essential services that underpin American society.” One of the eighteen was drinking water and wastewater treatment systems. In response, the Water Sector Coordinating Council Cyber Security Working Group (sponsored by American Water Works Association and the Department of Homeland Security) released the “Roadmap to Secure Control Systems in the Water Sector” in March 2008. This document captured many findings and recommendations and is one of the driving factors behind the development of the ANSI/AWWA G430 standard. In my opinion, we are still in the phase of educating the industry about cyber security, its value, and the potential consequences of ignoring it.

As late as last year (coincidentally over the September 11th weekend) at the 2011 Water Security and Emergency Preparedness Conference in Nashville, TN, I saw hardly any cyber security representation. Security was still identified as fences, locks, cameras, contamination monitoring—anything to physically keep the bad guys out. There was little attention paid to that PLC behind the fence that was now directly accessible from the internet. I’m glad to say that I think things are definitely changing. I’ve had several opportunities to speak at regional AWWA/WEF events about cyber security and I managed to volunteer for the standards committee. Enquiries from water and wastewater clients are increasingly about cyber security. This year is looking bright; we just finished up the AWWA annual conference, the standard draft is making its rounds, I’ve had conversations with high-level members of AWWA saying that cyber security is a major initiative, and I’m on the schedule to present at the 2012 Water Security and Emergency Preparedness Conference “Best Practices in SCADA Cyber Security.”

I look forward to seeing all of you in St. Louis, MO September 9-12, 2012.



Michael Martinez
Principal, Critical Infrastructure & Security Practice
Invensys


Tuesday, July 17, 2012

Cyber Security Advisor Newsletter - June 2012 vol 9

Volume 9 of the Invensys Critical Infrastructure and Security Practice (CISP) newsletter focuses on "Compliance vs. Cyber Security"

We have conversations about compliance with our clients on a regular basis. There is typically some confusion about what compliance means when it involves cyber security. The discussion focuses a lot on what needs to be done to comply. This edition covers some aspects of compliance programs and how they relate to cyber security. Compliance is not always regulatory; compliance could be against internal requirements.

The Critical Infrastructure and Security Practice has the skills and the resources to help your clients no matter what industry. Cyber security is so much more than firewalls and antivirus. We are structured to help you with your entire cyber security program.


Click here for this month's issue

Monday, July 2, 2012

Cyber Security: Hacking Drones, Students Play

On a dare (and a $1,000 wager), Texas college research students hacked into and hijacked a US Department of Homeland Security (DHS) drone using a technique called ‘spoofing’. The good news was it was an experiment put on for the DHS. Definitely a teachable moment.

Students hijack US drone for $1,000 wager - Indian Express