In last week's Practical SCADA Security blog, I discussed how the new vulnerabilities discovered in DNP3 SCADA masters are carving big holes in the NERC's concept of the Electronic Security Perimeter (ESP). Dale Peterson started the ball rolling in his blog "Why the Crain/Sistrunk Vulnerabilities are a Big Deal". Then Darren Highfill posted a blog explaining that the vulnerabilities don't even require the attacker climb a fence.

If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for 9 products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures reportedly on their way. Even the New York Times and Wired Magazine have picked up this story.

Eric Byres: One of the statements I continue to hear as I talk to executives, managers and engineers is “None of our SCADA or ICS equipment is accessible from the Internet.” This week’s blog contributor, Bob Radvanovsky of www.infracritical.com, explains Project SHINE – his effort to determine if this statement is fact or fiction.

We all agree that SCADA and Industrial Control System security needs to improve. However there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective. Last week’s blog exchange between me and Dale Peterson, is just one example of those differences. Now this week I am going to go in a different direction when it comes to improving security.

Honeywell and the ISA Security Compliance Institute last week announced that two more Honeywell products, the Experion® C300 DCS controller and the Experion fieldbus interface module (FIM) joined the Honeywell Safety Manager in achieving its pioneering ISASecure Level 1 certification. Following this announcement Dale Peterson questioned the value of some aspects of ISASecure certification.