Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments [open pdf - 1MB]
"The U.S. Department of Homeland Security (DHS) National Cyber Security Division's Control Systems Security Program (CSSP) performs cyber security assessments of Industrial Control Systems (ICS) to help industry improve the security of the ICS used in critical infrastructures throughout the United States. A key part of this mission is the assessment of ICS to identify vulnerabilities that could put critical infrastructures at risk from a cyber attack. This report presents results from 15 ICS assessments performed under the CSSP from 2004 through 2008. Although information found in individual stakeholder reports is protected from disclosure, the security of the critical infrastructure as a whole can be improved by sharing information on common security problems with those in industry responsible for developing and maintaining ICS. For this reason, vulnerability information was collected, analyzed, and organized in a way that the most prevalent issues could be identified and mitigated by those responsible for individual systems without disclosing the identity of the associated ICS product. [...] This report represents a steadily growing understanding of ICS security issues and methods for mitigating current vulnerabilities as well as new technologies and approaches being developed in response to ICS security challenges. The assessment effort is expanding to new technologies as CSSP seeks a continuing understanding of the control systems being planned and deployed."
United States- Computer Emergency Readiness Team (US- CERT): http://www.us-cert.gov/