Month: May 2006

Vendors must develop industry-specific security software with critical infrastructure sectors, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit. Currently, each sector has three or four software suppliers that everyone uses, he said. The same or similar products are used to protect oil refineries, hospitals, power grids and other facilities — all with different equipment and weaknesses. “No wonder we’ve got vulnerabilities,” Borg said.

Industrial control systems are the nervous system of critical infrastructure. They connect networks of sensors that read data, relay commands and send alerts when something goes wrong. The systems manage production and distribution of products and enforce safety procedures. Supervisory control and data acquisition systems and process control systems are two common types of control systems. SCADA systems place their computing power in the field and use radio and Internet connections to control many devices over a broad geographic area, often hundreds of miles. Process control systems centralize information technology in an operator’s console and offer real-time control of everything in a small geographic area or one facility. Facilities often have both kinds of systems in place.

SCADA and other control systems don’t have direct connections to the Internet, but malicious hackers can access them through facilities’ corporate networks that do connect to the Internet. The systems have little built-in security and are easy pickings. The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn. Average hackers can break into the systems, said Robert Graham, chief scientist at Internet Security Systems (ISS).

Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts into critical infrastructure cybersecurity. Even if a facility has not been attacked, that doesn’t mean it’s secure or the threat isn’t real, said Michael Assante, senior manager of critical infrastructure protection at the laboratory.

For example, during negotiations to provide penetration testing to a critical infrastructure facility, the facility’s operators confidently told an ISS team they didn’t need help because their control system was already secure.

http://www.fcw.com/article94273-05-08-06-Print

It’s not the first time that Cupertino, Calif.-based Symantec has thrown down the gauntlet to Microsoft. Last month, Thompson branded the software giant a “Johnny-come-lately” into the security market. At the same time, he underlined that Symantec was setting its horizons to be a provider of all-around system protection, as opposed to a seller of antivirus software and other defense tools–a message Thompson also stressed at the Vision event.

In his remarks, Thompson also drew attention to Microsoft’s security record. It has come under criticism in the past for the flaws in its software. “We will make sure we utilise the strength of our global brands. Symantec is synonymous with security. Microsoft is synonymous with a lot of things, but security is not one of them,” he said. He added that Symantec would spend more on marketing, and added that it was not a “foregone conclusion” the Microsoft would “win” in the security marketplace. The company will also put resources into protecting customers with Microsoft systems.

“Our belief is that the Windows environment needs to be protected like any other. Tightening the (Microsoft) stack will be an important investment in the coming year,” Thompson said. He hinted that Symantec would give details about its marketing plans during its March quarter earnings call, scheduled for Tuesday.

Andy Buss, an analyst at U.K.-based IT consultancy Canalys, predicted that Microsoft’s planned security tools would have a fair impact on the consumer antivirus market but doubted whether businesses would adopt the products as readily. “Enterprises tend to chose proven technologies, are more conservative and are prepared to pay for the service,” he said. Buss added that Microsoft doesn’t have a track record of providing an integrated product lineup for the whole of the enterprise, and said there was a particular gap in its tools to manage and respond to virus outbreaks. “These are areas where Microsoft’s competitors can make hay,” he said.

http://news.zdnet.com/2100-1009_22-6069941.html

The ISA-99 Part 1 standard, ‘Security for Industrial Automation and Control Systems: Concepts, Terminology and Models,’ will define the concepts, terminology, and models of industrial automation and control systems security, establishing the basis for the remaining standards in the ISA-99 series.

The ISA-99 Part 2 standard, ‘Establishing an Industrial Automation and Control Systems Security Programme’, will provide guidance for developing a programme for the security of industrial automation and control systems.

http://www.processingtalk.com/news/isa/isa215.html

All supposedly critical. 2 Windows, 1 Exchange. They will require a reboot.