2013 Articles

ICSage Agenda Updates

ICSage is a new addition this year to S4 that focuses on the creation, deployment, use and defense of ICS cyber weapons. It is on the Friday, January 17th following S4x14. See the full agenda and register now. While we were turning away a number of good talks for...


More S4x14 Sessions

Continuing to highlight some sessions that will be at S4x14, Jan 14-17 in Miami Beach. Register Now. SCADA Apologist or SCADA Realist with Eric Byres and Dale Peterson Is Eric a SCADA Apologist or SCADA Realist? Is Dale living in a dream world filled with unrealistic...


S4x14 Sessions

Just in case you lacked the time to view the full S4x14 agenda, here are some highlights: Learn About All Those DNP3 Vulns with Adam Crain and Chris Sistrunk You've seen all the ICS-CERT bulletins regarding vulnerabilities in DNP3 protocol stacks. Hear from the two...


Friday News & Notes

Whither EnergySec? We wrote about the Dept of Energy defunding of EnergySec/NESCO back in March. It was a major blow and resulted in the loss of a large part of the founding team. Like other small businesses, EnergySec has tried to survive and adjust to succeed in the...


S4x14 Update – 4

Time to register for S4x14. The Friday sessions are almost full. ICSage has 15 seats left, 8 seats left for the Response and Serial Fuzzing of ICS Protocol Stacks class, and 9 seats left for the Introduction to Hardware Hacking for ICS Professionals class. S4x14...


Secure By Design – Part 2 Praying To False Certifications

Many asset owners would like a check box approach to security, where some independent, reputable organization certifies the system or component is secure by design. There are a growing number of security certifications that are trying to meet this need. Even if every...


S4x14 Update

Thanksgiving is over and S4x14 is filling up. Now is the time to guarantee your spot. Check out the agenda and register for Digital Bond's S4x14, January 14-17 in Miami Beach. Hotel Rooms The last date the conference hotels are holding rooms is 14 December. After that...


Friday News & Notes

And we're back ... with items from recent weeks. A reminder to check out the S4x14 agenda and register for the event Jan 14-17 in Miami Beach. ISA announced that Codenomicon's fuzzing tools are approved for use in the Communications Robustness Testing (CRT) portion of...


Secure By Design: Part 1 Basics & RFP

We have covered Insecure By Design issues in ICS repeatedly on this site and at S4, resulting in some challenges to define what would make a PLC Secure By Design. This is a much harder task, but I will present some thoughts in a series of articles beginning here. The...


People Moving

Quick post on some big names making moves to new companies: Ralph Langner announced today that he is forming the Langner Group in the US, and the first hire is Perry Pederson. Perry led the DHS Control System Security Program a few years back and most recently was...


S4x14 Update 3

A few more updates for those interested in S4x14. Press - We do allow a limited number of press to attend the event free of charge with priority given to the press that understands and covers ICS. If that describes you, and you would like to cover S4x14, send us an...


Insecure By Design / Secure By Design

After the pauldotcom webcast there were some twitter challenges and questions on what would make a PLC Secure By Design. RT @chrissistrunk: @joshcorman ask Dale when does a controller device meet the "secure by design" stamp of approval? 🙂 <- @digitalbond ? —...


Friday News & Notes

DHS's ICSJWG is next week in Rockville, MD??? I guess it is still happening, but there isn't a published agenda for the Nov 6-7 event on the ICSJWG web site area. Click on the announcement picture and you go 404. Plus there is the added bonus of no food at the event...


S4x14 Update 2

Our weekly update on what's new with S4x14 in the past week. Check out the agenda and register before the event sells out. Mobile App This year we will have a mobile app for S4x14 that will include the schedule, speakers, white papers, presentations, area info, social...


Friday News and Notes

Today I'll be on the SCADA panel as part of pauldotcom's 350th episode. View it live at 11:30 EDT or listen to the recorded podcast later. Other panelists are Joel Langill, Patrick Miller and Justin Searle. If you are interested in the latest on the Battelle v....


Call Yourself A Hacker, Lose Your 4th Amendment Rights

The US District Court for the State of Idaho ruled that an ICS product developer's computer could be seized without him being notified or even heard from in court primarily because he states on his web site "we like hacking things and don't want to stop". Background...


S4x14 Update

On most Mondays we will provide an update on what is new with S4x14 week. Check out the agenda and register to guarantee your spot. News on Crain/Sistrunk Session You probably saw the Wired and New York Times article on Adam Crain and Chris Sistrunk's research...


S4x14 Agenda Out / Registration Opens

Check it out. The agenda and registration site for the 2014 edition of Digital Bond's S4 is now up. It is now a four day event running January 14th to 17th in Miami Beach. Wednesday / Thursday is the traditional S4 event. Very technical, bleeding edge offensive and...


Why Crain / Sistrunk Vulns Are A Big Deal

ICS vulnerabilities are easy to find and often not even necessary because the ICS applications and protocols are insecure by design. So why are the vulnerabilities that Adam Crain and Chris Sistrunk found in DNP3 protocol stacks such a big deal? Three reasons why I...


Friday News & Notes

GE announced the Industrial Internet. It's a broad, marketing announcement but here is a taste for loyal blog readers - "GE's Grid IQ SaaS allows utilities to monitor, manage and control their grid more intelligently without worrying about the ongoing IT costs....


The Skinny on NERC CIP V5 Information Protection Programs

This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...


NERC CIP Gaps: External Networks? Not Our Problem.

This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...


S4x13 Video – Fuzzing Before and After You’re Ready

This is the S4x13 lost episode. Somehow I erred in not processing and posting it, and only realized it while looking for similar sessions on vendor Security Development Lifecycle (SDL) successes and lessons learned. Apologies to Anthony and Akshay for my delay in...


DerbyCon Follow Up

While at DerbyCon this year there were many great talks that discussed new techniques and tactics. DerbyCon is a great conference that showcases some of the best security researchers' work. Researchers from around the world descend on Louisville, Kentucky for 3 days to...


NERC CIP Technical Gap – Removable Media

This post is the first of a series of blog posts from many in the Electric Power Cyber Security community illustrating what are believed to be gaps in the NERC CIP regulations that govern cyber security in the electric power sector. Over the next 30 days, these gaps...


Hardware Hacking and DerbyCon

This week I had the privilege of taking the Introduction to Hardware Hacking training at DerbyCon 2013. The class was taught by Josh Thomas, Kevin Finisterre, and Nathan Keltner. Over two days the training covered topics such as setting up a home lab, EE...


Friday News & Notes

The Cisco blog provides broad details on six watering hole attacks on energy sector sites. ICS vendor support sites are high value targets for any group targeting critical infrastructure. T&D World published a brief summary of the 11 ICS Security Research Projects...


Digital Bond is at EnergySec 2013

I will be presenting at EnergySec 2013 in Denver this year, and will be at the conference to hear some of the great lineup that the EnergySec crew has put together. The EnergySec organization was originally formed as a loose group of security, response, and...


Friday News & Notes

Apologies for the lack of posts and slow approval of comments this week. Most of the team was in a very low bandwidth environment. Tenable Network Security, most famous for Nessus, has released Version 4.0 of the Passive Vulnerability Scanner (PVS). We have always...


Friday News & Notes

The US National Science Foundation (NSF) has provided another $1.6M to a university group led by the University of Illinois to detect and prevent attacks on the power grid. The most interesting part is the use of the Bro network security monitor. So Bro should have...


Langner’s RIPE

Ralph Langner is best known for discovering how Stuxnet actually altered the logic in the Iranian's S7 PLCs, but he has a history of great research prior to that and is a strategic thinker as well. We gave his last book, Robust Control System Networks, a five star...


Friday News & Notes

The US Government (NIST) has published A Discussion Draft of the Preliminary Cybersecurity Framework (pdf). This is a key preparatory document to read if you are attending the fourth workshop in Dallas, Texas on Sept 11-13. Patrick Coyle highlighted the US Department...


Chicken, Egg, and Chicken Omelette with Salsa

It started innocently enough with a tweet from Joel Langill. MS Warns of Permanent 0Day Exploits for WinXP http://t.co/MAyY7lYyQ8 #SHnews huge impact to legacy #ICS - why you need more than patch mgmt — SCADAhacker (@SCADAhacker) August 26, 2013 and my response: RT...


Friday News & Notes

OSIsoft was a strong and early supporter of the Bandolier Security Audit Files and providing guidance to their customers on the optimal security configuration for the PI Server. They are now releasing a tool similar to Bandolier that will audit the PI Server security...


ICS Protocols Make New GE D20 RTU Still Insecure By Design

The GE D20MX RTU is the latest example of a brand new, top of the line ICS field device that can easily be compromised because the ICS protocols it supports are insecure by design. Who cares about security features, and even vulnerabilities, if an attacker can use...


Friday News & Notes

The cancellation of the semi-annual conferences has curtailed ICSJWG public/private partnership efforts. Ostensibly this is due to the sequester. ICSJWG is now moving towards a quarterly webinar series on basic ICS security topics. On Oct 28-29 FIRST is holding a...


A View on Information Sharing and Threat Intelligence

Guest author Robert Huber is a co-founder of Critical Intelligence, a for profit ICS Cyber Situational Awareness and Threat Intelligence provider. If you look closely at all the banter of information sharing, especially with a focus on the electric sector, you have to...


Friday News & Notes

Phyllis Schneck has been selected to head up the cybersecurity division at the US DHS. Her experience leading InfraGard in its early years should be helpful as it required her to focus on public/private issues and deal with the government bureaucracy. She has some...


Cyber Security or Cybersecurity

Admittedly a trivial post ... but what is the proper spelling and usage - cyber security or cybersecurity? I'm going to go back to the classic Military Cryptanalytics by Lambros Callimahos and William Friedman and my early days out of college writing technical papers...


Analysis of Government Incentive Proposals

Yesterday the White House announced the consideration of incentives in eight different areas to spur the adoption of the developing cybersecurity framework. Here is a quick analysis of the likelihood of each having an impact on changing behavior, ordered in most to...


Research and Context

We put the Apa and Hollman's Black Hat paper Compromising Industrial Facilities From 40 Miles Away in the Worth Reading last Friday. Later on Friday Walt Boyes savaged the researchers in a blog entry saying "There's a word for cyber researchers...


Friday News & Notes

The news this week was dominated by the presentations at Black Hat, DefCon and BSides Las Vegas. Charlie Miller and Chris Valasek got the most attention for their hacking of a Toyota Prius and Ford Escape. Braking, accelerating, moving the steering wheel, all from a...


Friday News & Notes

First we had GLEG developing SCADA exploit packs for Immunity's Canvas. Now ExCraft Labs out of Cyprus is producing the SCADA Pack for Core Impact Pro. It includes 50 exploit modules with about 15 0days. Mostly usual suspects of WinCC, Cimplicity, Advantech, ... It's...


More on IntegraXor’s Bug Bounty Program

Despite good examples from Google, Microsoft, and others, Bug Bounty programs in SCADA and ICS are very limited. As in nearly non-existent. As in the only one I've heard about publicly is IntegraXor's non-monetary program, which hit mainstream last week. I had a...


ISO/IEC TR 27019 for Energy Utilities Published

Guest blogger Stephan Beirer is a Senior Information Security Consultant and head of Industrial Control Systems Security at GAI NetConsult GmbH, Berlin/Germany. He is the project editor of TR 27019 at ISO/IEC JTC 1 SC 27 and a domain expert for process control systems...


Friday News & Notes

Slow summer week IntegraXor became the first ICS vendor to offer a bug bounty (that we are aware of). The bounty is software licenses not points ... "We do not pay out monetary reward but only pay off I/O point to use our software license." This was met with more...


Unsolicited Response Podcast: Siemens S7 Security Features

Loyal blog readers know that PLC security is a focus of Digital Bond and a passion of mine. The proponents of defense in depth are selling a mirage if the critical endpoint can't be secured. Project Basecamp and other researcher disclosures have made this abundantly...


Friday News & Notes

This week the third workshop trying to put together a US Cybersecurity Framework as required by President Obama's Executive order was held in San Diego. You could grab some of the flavor by following #NISTCSF or spend more time watching the webcast. I have yet to see...


UPCOMING EVENTS

 

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host.

Sept 12 in Phoenix

I spoke at a private company event.

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLCs). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region. 

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lots to say after the S4x19 ICS Detection Challenge experience.

 

 


by | May 21, 2019