SCADA security references

NIST published their Critical Infrastructure Protection guidelines and I also noted the National Information Assurance Program (NIAP) Process Control Security Requirements Forum (PCSRF). Wish I had these references about four years ago. This is an especially interesting paper, which I think was done for the PCSRF and ISO/IEC 15408:

http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf

The Gas Technology Institute/American Gas Association Encryption page also has some good pointers and here’s the Department of Energy (DoE) guide to CyberSecurity.

Drinking Alone Under The Moon

by Li Bai

Among the flowers from a pot of wine
I drink alone beneath the bright moonshine.
I raise my cup to invite the moon, who blends
Her light with my shadow and we’re three friends.
The moon does not know how to drink her share;
In vain my shadow follows me here and there.
Together with them for the time I stay
And make merry before spring’s spend away.
I sing the moon to linger with my song;
My shadow disperses as I dance along.
Sober, we three remain cheerful and gay;
Drunken, we part and each goes his way.
Our friendship will outshine all earthly love;
Next time we’ll meet beyond the stars above.

Gopher eats Microsoft

Once upon a time, Georgi Guninski wrote AIX buffer overflows. Aleph One provided shellcodes. Now everyone hammers on Microsoft vulnerabilities and Bill Gates is retraining his employees for security awareness. That seems like a good idea as UNIX gopher servers could suddenly gain popularity again. Think your “internal” network is safe? Think again as one of your users might connect to a gopher site…oh, and all versions of IE are vulnerable. Go Minnesota!

Would you like Web Services with that?

So let’s get one thing straight, the “web services” (WS) revolution is a new term for standards-based communication between networked applications. Does this change anything for anyone? Not really, not yet. An executive at a small software company asked me to help them decide what to do about WS, so it’s been on my mind lately. The rather sharp-witted Register points out a clear case where not even Microsoft or Sun can figure out how to turn the WS hype into real value for customers.

Packet Trap

There’s something really nice about a good pasta sauce. There are so many recipes on the web, it’s hard to know where to begin. My favorite, of course, is the easiest: a bit of your favorite oil, add some basil, pine nuts, and garlic in the blender. Just press a button and…pesto!

There’s something really suspicious about a product called the White Glove, but there’s no doubt that Fred Cohen has a unique view. In light of this, I think when I build a DMZ for a client tomorrow I will try to convince them to call it a “Packet Trap.”

the poetry of information security