2013 Articles
ICSage Agenda Updates
ICSage is a new addition this year to S4 that focuses on the creation, deployment, use and defense of ICS cyber weapons. It is on the Friday, January 17th following S4x14. See the full agenda and register now. While we were turning away a number of good talks for...
More S4x14 Sessions
Continuing to highlight some sessions that will be at S4x14, Jan 14-17 in Miami Beach. Register Now. SCADA Apologist or SCADA Realist with Eric Byres and Dale Peterson Is Eric a SCADA Apologist or SCADA Realist? Is Dale living in a dream world filled with unrealistic...
S4x14 Sessions
Just in case you lacked the time to view the full S4x14 agenda, here are some highlights: Learn About All Those DNP3 Vulns with Adam Crain and Chris Sistrunk You've seen all the ICS-CERT bulletins regarding vulnerabilities in DNP3 protocol stacks. Hear from the two...
Friday News & Notes
Whither EnergySec? We wrote about the Dept of Energy defunding of EnergySec/NESCO back in March. It was a major blow and resulted in the loss of a large part of the founding team. Like other small businesses, EnergySec has tried to survive and adjust to succeed in the...
S4x14 Update – 4
Time to register for S4x14. The Friday sessions are almost full. ICSage has 15 seats left, 8 seats left for the Response and Serial Fuzzing of ICS Protocol Stacks class, and 9 seats left for the Introduction to Hardware Hacking for ICS Professionals class. S4x14...
Secure By Design – Part 2 Praying To False Certifications
Many asset owners would like a check box approach to security, where some independent, reputable organization certifies the system or component is secure by design. There are a growing number of security certifications that are trying to meet this need. Even if every...
S4x14 Update
Thanksgiving is over and S4x14 is filling up. Now is the time to guarantee your spot. Check out the agenda and register for Digital Bond's S4x14, January 14-17 in Miami Beach. Hotel Rooms The last date the conference hotels are holding rooms is 14 December. After that...
Unsolicited Response Podcast – Jack Whitsitt on NIST Cybersecurity Framework
President Obama tasked NIST to develop a Cybersecurity Framework "to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align...
Friday News & Notes
And we're back ... with items from recent weeks. A reminder to check out the S4x14 agenda and register for the event Jan 14-17 in Miami Beach. ISA announced that Codenomicon's fuzzing tools are approved for use in the Communications Robustness Testing (CRT) portion of...
Secure By Design: Part 1 Basics & RFP
We have covered Insecure By Design issues in ICS repeatedly on this site and at S4, resulting in some challenges to define what would make a PLC Secure By Design. This is a much harder task, but I will present some thoughts in a series of articles beginning here. The...
People Moving
Quick post on some big names making moves to new companies: Ralph Langner announced today that he is forming the Langner Group in the US, and the first hire is Perry Pederson. Perry led the DHS Control System Security Program a few years back and most recently was...
Crain/Sistrunk and Applications to NERC Regulation Development
I'm Mike Toecker, Computer Engineer. I've been working in the Electric Power industry for about 8 years now, doing cyber security and compliance work associated with the NERC CIP regulations. I've worked for a major electric power consulting engineering firm for...
S4x14 Update 3
A few more updates for those interested in S4x14. Press - We do allow a limited number of press to attend the event free of charge with priority given to the press that understands and covers ICS. If that describes you, and you would like to cover S4x14, send us an...
Insecure By Design / Secure By Design
After the pauldotcom webcast there were some twitter challenges and questions on what would make a PLC Secure By Design. RT @chrissistrunk: @joshcorman ask Dale when does a controller device meet the "secure by design" stamp of approval? 🙂 <- @digitalbond ? —...
Friday News & Notes
DHS's ICSJWG is next week in Rockville, MD??? I guess it is still happening, but there isn't a published agenda for the Nov 6-7 event on the ICSJWG web site area. Click on the announcement picture and you go 404. Plus there is the added bonus of no food at the event...
S4x14 Update 2
Our weekly update on what's new with S4x14 in the past week. Check out the agenda and register before the event sells out. Mobile App This year we will have a mobile app for S4x14 that will include the schedule, speakers, white papers, presentations, area info, social...
Friday News and Notes
Today I'll be on the SCADA panel as part of pauldotcom's 350th episode. View it live at 11:30 EDT or listen to the recorded podcast later. Other panelists are Joel Langill, Patrick Miller and Justin Searle. If you are interested in the latest on the Battelle v....
Call Yourself A Hacker, Lose Your 4th Amendment Rights
The US District Court for the State of Idaho ruled that an ICS product developer's computer could be seized without him being notified or even heard from in court primarily because he states on his web site "we like hacking things and don't want to stop". Background...
S4x14 Update
On most Mondays we will provide an update on what is new with S4x14 week. Check out the agenda and register to guarantee your spot. News on Crain/Sistrunk Session You probably saw the Wired and New York Times article on Adam Crain and Chris Sistrunk's research...
S4x14 Agenda Out / Registration Opens
Check it out. The agenda and registration site for the 2014 edition of Digital Bond's S4 is now up. It is now a four day event running January 14th to 17th in Miami Beach. Wednesday / Thursday is the traditional S4 event. Very technical, bleeding edge offensive and...
Why Crain / Sistrunk Vulns Are A Big Deal
ICS vulnerabilities are easy to find and often not even necessary because the ICS applications and protocols are insecure by design. So why are the vulnerabilities that Adam Crain and Chris Sistrunk found in DNP3 protocol stacks such a big deal? Three reasons why I...
Friday News & Notes
GE announced the Industrial Internet. It's a broad, marketing announcement but here is a taste for loyal blog readers - "GE's Grid IQ SaaS allows utilities to monitor, manage and control their grid more intelligently without worrying about the ongoing IT costs....
The Skinny on NERC CIP V5 Information Protection Programs
This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...
NERC CIP Gaps: External Networks? Not Our Problem.
This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...
S4x13 Video – Fuzzing Before and After You’re Ready
This is the S4x13 lost episode. Somehow I erred in not processing and posting it, and only realized it while looking for similar sessions on vendor Security Development Lifecycle (SDL) successes and lessons learned. Apologies to Anthony and Akshay for my delay in...
NERC CIP ESP Gaps – Non-Routable Holes in the Security Perimeter
This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...
DerbyCon Follow Up
While at DerbyCon this year there were many great talks that discussed new techniques and tactics. DerbyCon is a great conference that showcases some of the best security researchers' work. Researchers from around the world descend on Louisville Kentucky for 3 days to...
NERC CIP Technical Gap – Removable Media
This post is the first of a series of blog posts from many in the Electric Power Cyber Security community illustrating what are believed to be gaps in the NERC CIP regulations that govern cyber security in the electric power sector. Over the next 30 days, these gaps...
Hardware Hacking and DerbyCon
This week I had the privilege of taking the Introduction to Hardware Hacking training at DerbyCon 2013. The class was taught by Josh Thomas, Kevin Finisterre, and Nathan Keltner. Over two days the training covered topics such as setting up a home lab, EE...
Friday News & Notes
The Cisco blog provides broad details on six watering hole attacks on energy sector sites. ICS vendor support sites are high value targets for any group targeting critical infrastructure. T&D World published a brief summary of the 11 ICS Security Research Projects...
Digital Bond is at EnergySec 2013
I will be presenting at EnergySec 2013 in Denver this year, and will be at the conference to hear some of the great lineup that the EnergySec crew has put together. The EnergySec organization was originally formed as a loose group of security, response, and...
Friday News & Notes
Apologies for the lack of posts and slow approval of comments this week. Most of the team was in a very low bandwidth environment. Tenable Network Security, most famous for Nessus, has released Version 4.0 of the Passive Vulnerability Scanner (PVS). We have always...
Friday News & Notes
The US National Science Foundation (NSF) has provided another $1.6M to a university group led by the University of Illinois to detect and prevent attacks on the power grid. The most interesting part is the use of the Bro network security monitor. So Bro should have...
Langner’s RIPE
Ralph Langner is best known for discovering how Stuxnet actually altered the logic in the Iranian's S7 PLCs, but he has a history of great research prior to that and is a strategic thinker as well. We gave his last book, Robust Control System Networks, a five star...
Friday News & Notes
The US Government (NIST) has published A Discussion Draft of the Preliminary Cybersecurity Framework (pdf). This is a key preparatory document to read if you are attending the fourth workshop in Dallas, Texas on Sept 11-13. Patrick Coyle highlighted the US Department...
Chicken, Egg, and Chicken Omelette with Salsa
It started innocently enough with a tweet from Joel Langill. MS Warns of Permanent 0Day Exploits for WinXP http://t.co/MAyY7lYyQ8 #SHnews huge impact to legacy #ICS - why you need more than patch mgmt — SCADAhacker (@SCADAhacker) August 26, 2013 and my response: RT...
Friday News & Notes
OSIsoft was a strong and early supporter of the Bandolier Security Audit Files and providing guidance to their customers on the optimal security configuration for the PI Server. They are now releasing a tool similar to Bandolier that will audit the PI Server security...
ICS Protocols Make New GE D20 RTU Still Insecure By Design
The GE D20MX RTU is the latest example of a brand new, top of the line ICS field device that can easily be compromised because the ICS protocols it supports are insecure by design. Who cares about security features, and even vulnerabilities, if an attacker can use...
Friday News & Notes
The cancellation of the semi-annual conferences has curtailed ICSJWG public/private partnership efforts. Ostensibly this is due to the sequester. ICSJWG is now moving towards a quarterly webinar series on basic ICS security topics. On Oct 28-29 FIRST is holding a...
A View on Information Sharing and Threat Intelligence
Guest author Robert Huber is a co-founder of Critical Intelligence, a for profit ICS Cyber Situational Awareness and Threat Intelligence provider. If you look closely at all the banter of information sharing, especially with a focus on the electric sector, you have to...
Unsolicited Response Podcast: Cyber War & Cyber Weapons with Author Thomas Rid
Thomas Rid of Kings College has a book out with the provocative title: Cyber War Will Not Take Place. Most of the discussion around this book has focused on the assertion in the title, and we cover this in the last third of the podcast. Thomas stresses words matter...
Friday News & Notes
Phyllis Schneck has been selected to head up the cybersecurity division at the US DHS. Her experience leading InfraGard in its early years should be helpful as it required her to focus on public/private issues and deal with the government bureaucracy. She has some...
Cyber Security or Cybersecurity
Admittedly a trivial post ... but what is the proper spelling and usage - cyber security or cybersecurity? I'm going to go back to the classic Military Cryptanalytics by Lambros Callimahos and William Friedman and my early days out of college writing technical papers...
Analysis of Government Incentive Proposals
Yesterday the White House announced the consideration of incentives in eight different areas to spur the adoption of the developing cybersecurity framework. Here is a quick analysis of the likelihood of each having an impact on changing behavior, ordered in most to...
Research and Context
We put the Apa and Hollman's Black Hat paper Compromising Industrial Facilities From 40 Miles Away in the Worth Reading last Friday. Later on Friday Walt Boyes savaged the researchers in a blog entry saying "There's a word for cyber researchers...
Friday News & Notes
The news this week was dominated by the presentations at Black Hat, DefCon and Bsides Las Vegas. Charlie Miller and Chris Valasek got the most attention for their hacking of a Toyota Prius and Ford Escape. Braking, accelerating, moving the steering wheel, all from a...
Friday News & Notes
First we had GLEG developing SCADA exploit packs for Immunity's Canvas. Now ExCraft Labs out of Cypress is producing the SCADA Pack for Core Impact Pro. It includes 50 exploit modules with about 15 0days. Mostly usual suspects of WinCC, Cimplicity, Advantech, ... It's...
More on IntegraXor’s Bug Bounty Program
Despite good examples from Google, Microsoft, and others, Bug Bounty programs in SCADA and ICS are very limited. As in nearly non-existent. As in the only one I've heard about publicly is IntegraXor's non-monetary program, which hit mainstream last week. I had a...
ISO/IEC TR 27019 for Energy Utilities Published
Guest blogger Stephan Beirer is a Senior Information Security Consultant and head of Industrial Control Systems Security at GAI NetConsult GmbH, Berlin/Germany. He is the project editor of TR 27019 at ISO/IEC JTC 1 SC 27 and a domain expert for process control systems...
Friday News & Notes
Slow summer week. IntegraXor became the first ICS vendor to offer a bug bounty (that we are aware of). The bounty is software licenses not points ... "We do not pay out monetary reward but only pay off I/O point to use our software license." This was met with more...
Unsolicited Response Podcast: Siemens S7 Security Features
Loyal blog readers know that PLC security is a focus of Digital Bond and a passion of mine. The proponents of defense in depth are selling a mirage if the critical endpoint can't be secured. Project Basecamp and other researcher disclosures have made this abundantly...
Friday News & Notes
This week the third workshop trying to put together a US Cybersecurity Framework as required by President Obama's Executive order was held in San Diego. You could grab some of the flavor by following #NISTCSF or spend more time watching the webcast. I have yet to see...