2014 Articles
Havex Hype & Unhelpful Mystery
Unhelpful Mystery: Why haven't ICS-CERT, some other CERT, or the security vendors issuing bulletins publicly announced the three ICS vendors that were distributing malware with their ICS software and the energy sector websites redirecting to a malware-delivering site?...
Michael Toecker Starts Context Industrial Security
Michael Toecker recently has joined the ranks of Digital Bond alumni and is starting his own firm. Here is his farewell blog entry. Best of luck Mike and welcome to the world of being a small business owner. A few others have known this for a while, but I've left...
Havex / Stuxnet / ICS-CERT / DHS
I believe the last time ICS-CERT announced malware that specifically attacked a control system product or protocol was back on July 20, 2010. At that time I naively railed that DHS / INL / ICS-CERT should be thoroughly investigating this and determining the impact to...
South Beach Hotel for S4x15
I came a day early to South Florida this week to check out the newest official S4x15 hotel: the Surfcomber Hotel in South Beach. Those still wanting large rooms and suites, luxury, quieter beach and close to the best malls and the Kovens Center can stay at the Trump...
Friday News & Notes
Bloomberg published more detail on the "UglyGorilla" attack on pipeline SCADA. It's worth reading past some of the hyperbole in the article to learn what information was taken. "Operatives vacuumed up caches of e-mails, engineering PDFs and other documents, but it was...
FireEye / Mandiant Try The ICS Market
The ICS security community is still tiny, so when a large vendor recruits five or so names in the industry it gets some attention. They are placing at least a small bet that there is enough business to scale to a size worth pursuing. Security vendors have tried...
S4xJapan Logo and Update
S4xJapan: October 14-15 in Tokyo I had a bit of fun in Tokyo last month creating a logo for S4xJapan. In Japan people use a hanko, an ink stamp, to sign documents ranging from Fedex or Black Cat delivery acknowledgment to important official documents. A hanko is...
Friday News & Notes
The German government's National Cyber Defense Center has little to show over the last three years, according to the German Government. The Langner Group covers the story of a classified report that was leaked to the press. A small number of employees who lacked...
ICSJWG Needs A Refresh
I attended my first ICSJWG since 2011 last week in Indianapolis. It was an ok event with some interesting talks and a chance to reconnect with familiar faces in the ICS industry. It is however a far cry from the must attend DHS event back when it was called PCSF. I...
My ICSJWG Prezi
I had finished my presentation on a wide variety of topics: Big Data / Cloud Computing / Internet of Things / ICS remote access, and the Q&A had started. After stressing in the presentation that ICS data can be shared anywhere without jeopardizing the integrity and...
Reid’s Back! Digital Bond Labs
I'm very pleased to announce Reid Wightman is returning to Digital Bond after a couple of years at IOActive. Reid will be leading a new division, Digital Bond Labs. He will write soon on what Labs is and what it will do, but let me talk about the reason we formed...
Friday News & Notes
Dark Reading reports this week on Bitsight Technologies security ratings for the utility industry. Bitsight scored the sector as second highest in security posture, with the financial industry rated first. This scoring is primarily based on the corporate network, not...
ISA99 Metrics
The idea of ICS security metrics is popular, but actual measurable metrics are rare. The ISA99 committee is tackling this hard problem with Technical Report 62443-1-3 System Security Conformance Metrics, now out for ballot. Section 4.2 Metrics Development Checklist is...
Friday News & Notes
Positive Hack Days in Moscow had a cool Critical Infrastructure Attack contest. "The contest's participants will have to deal with a thermal power station, transport and city illumination systems and also with cranes and industrial robots." Looking forward to hearing...
ICS-CERT Monitor Interesting Facts & Factoids
The January - April 2014 edition of the ICS-CERT Monitor was chock full of interesting facts and factoids. Here is what caught my eye. Internet Accessible Control Systems Facts - Three examples of Internet accessible control systems are described. The value is in the...
NIST Cybersecurity Framework – 3 Months Later
President Obama tasked NIST with creating a Cybersecurity Framework (CSF) to help secure the critical infrastructure. NIST released Version 1.0 of the CSF on February 12th. We have had a chance to dig into the CSF and even use it in a few consulting engagements, so...
Friday News and Notes
Tofino's response to Windows XP end of life reminds me of Maslow's Hammer: "I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail." These industrial firewalls have their place, and we have tested and recommended them...
S4xJapan: Call For Presentations
Digital Bond is bringing S4 to Tokyo this October, and we are looking for excellent sessions for the two-day event. The event will be held in English and Japanese with simultaneous translation as appropriate. We welcome your session proposals in English or Japanese as...
Friday News & Notes
Another ICS security acquisition this week - GE buys Wurldtech. Wurldtech is known most for their Achilles fuzz testing tool and certification. It was an early entrant in ICS fuzzing and has strong relationships with Shell and other asset owners and vendors in oil and...
WSJ Letter: Better CIP Defense Needed
The President/CEOs of the American Public Power Association (APPA), Edison Electric Institute (EEI), and National Rural Electric Cooperative Association (NRECA) felt a recent WSJ article critical of the electric sector's cyber security "warrants response from the...
Friday News & Notes
The Department of Energy issued an update to their Cybersecurity Procurement Language for Energy Delivery Systems. Useful document if you are working on an ICS RFP. Will they develop an Appendix that will map the requirement statements to NIST CSF sub-category...
Redpoint Release: EtherNet/IP Enumeration
Stephen has been busy cranking out the Project Redpoint Nmap enumeration scripts for ICS applications, devices and protocols. The latest we have made public is an NSE to identify and enumerate EtherNet/IP devices. EtherNet/IP is used in the Logix family of Allen...
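The exchange such an enumeration script rides on is EtherNet/IP ListIdentity: one unauthenticated UDP datagram to port 44818, answered with the device's vendor, product code, revision, serial number and product name. Below is an added Python example of that request and the parsing of its reply; it is not the Redpoint NSE (which is Lua) or any other Digital Bond code. The encapsulation and CIP Identity item layouts follow the ODVA specification; the two-entry vendor/device-type lookup, the sample device values and the constructed reply are assumptions made for the demo, and the `list_identity` function that talks to a live host is not exercised offline.

```python
"""EtherNet/IP ListIdentity request builder and reply parser (added example)."""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C       # item type ID of a CIP Identity item
ENCAP_HDR = "<HHII8sI"           # command, length, session, status, sender context, options
ENCAP_HDR_LEN = 24

# Illustrative subset of the ODVA vendor and device-type tables (assumed for the demo).
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {0x0E: "Programmable Logic Controller"}


def build_list_identity_request(sender_context: bytes = b"\x00" * 8) -> bytes:
    """Encapsulation header carrying command 0x63 with an empty body."""
    return struct.pack(ENCAP_HDR, CMD_LIST_IDENTITY, 0, 0, 0, sender_context, 0)


def parse_list_identity_response(data: bytes) -> list[dict]:
    """Parse one ListIdentity reply into one dict per CIP Identity item.

    Every length field is checked before use: a scanner must not trust the
    length fields of a reply coming from an unknown device.
    """
    if len(data) < ENCAP_HDR_LEN:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack(ENCAP_HDR, data[:ENCAP_HDR_LEN])
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    body = data[ENCAP_HDR_LEN:ENCAP_HDR_LEN + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated body")

    (item_count,) = struct.unpack_from("<H", body, 0)
    off, devices = 2, []
    for _ in range(item_count):
        if off + 4 > len(body):
            raise ValueError("truncated item header")
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        if len(item) != item_len:
            raise ValueError("truncated item")
        off += item_len
        if item_type != ITEM_CIP_IDENTITY:
            continue                                  # item types we do not decode
        if len(item) < 34:                            # 2 + 16 + 15 + name_len(0) + state
            raise ValueError("short identity item")
        (proto_ver,) = struct.unpack_from("<H", item, 0)
        _family, port, addr = struct.unpack_from(">HHI", item, 2)   # sockaddr_in, network order
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        name_end = 33 + name_len
        if name_end + 1 > len(item):                  # name plus the trailing state byte
            raise ValueError("product name overruns item")
        devices.append({
            "protocol_version": proto_ver,
            "address": f"{socket.inet_ntoa(struct.pack('>I', addr))}:{port}",
            "vendor_id": vendor,
            "vendor": VENDORS.get(vendor, f"unknown ({vendor})"),
            "device_type": DEVICE_TYPES.get(dev_type, f"unknown (0x{dev_type:04x})"),
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status,
            "serial": f"0x{serial:08x}",
            "product_name": item[33:name_end].decode("ascii", errors="replace"),
            "state": item[name_end],
        })
    return devices


def build_list_identity_response(vendor=1, dev_type=0x0E, prod_code=0x5A, rev=(20, 11),
                                 status=0x0060, serial=0x00C0FFEE,
                                 name=b"1756-L61/B LOGIX5561", addr="192.168.1.10") -> bytes:
    """Construct a reply the way a device would (sample values are made up for the demo)."""
    ip = struct.unpack(">I", socket.inet_aton(addr))[0]
    sockaddr = struct.pack(">HHI8s", 2, ENIP_PORT, ip, b"\x00" * 8)
    identity = (struct.pack("<H", 1) + sockaddr
                + struct.pack("<HHHBBHIB", vendor, dev_type, prod_code,
                              rev[0], rev[1], status, serial, len(name))
                + name + b"\x03")                     # state 3 = operational
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(identity)) + identity
    return struct.pack(ENCAP_HDR, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def list_identity(host: str, timeout: float = 2.0) -> list[dict]:
    """Query a live device (not run in the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity_response(data)


if __name__ == "__main__":
    for dev in parse_list_identity_response(build_list_identity_response()):
        print(dev)
```

Two things worth noting for assessment work: the request is unauthenticated and the reply is sent to whatever source address asked, so a single spoofed datagram enumerates a device; and because a reply's length fields are attacker-controlled from the scanner's point of view, every slice above is bounds-checked before it is decoded, which is the defect class most often found in hand-written protocol decoders.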
Friday News & Notes
Joe Weiss's annual ICS Security Conference (aka WeissCon) has been on, then off, and now back on again. Well, sort of. SecurityWeek has purchased the event from Joe. The press release states Joe "will remain heavily involved in the event series as a key member of...
S4x14 Video: Threat Categorization from the Defender’s Perspective
Bri Rolston's session for Idaho National Laboratory (INL) focuses on a defender using threat intelligence. She makes a hypothesis - "Why isn't threat intelligence better utilized? The problem is a consumption issue, not data availability". Bri defends that hypothesis...
S4x14 Video: Language Theoretic Security Applied to ICS
We were thrilled to have some of the world's top security researchers enter the ICS world and present at S4x14. In this case, S4 veteran Darren Highfill introduced langsec pioneers Sergey Bratus and Meredith Patterson to the world of ICS, and they worked together to...
S4x14 Video: Graph Theory for Incident Response in Smart Grid
I challenge S4x14 speakers to have so much technical meat that they leave 1/3 of the audience behind. Seth Bromberger of NCI Security took me up on this in a math heavy talk on incident response in a smart grid network. However he explains the graph theory with...
Friday News & Notes
The court battle between Battelle/INL and Corey Thuen at Southfork Security is over. The settlement agreement gives Battelle all rights to Thuen's Visdom product. While the case hinged on whether Visdom was a copy of Sophia and the Thuen employment agreement, the...
NSE: Lessons In Coding
Digital Bond recently released two Nmap Scripting Engine (NSE) scripts under our Project Redpoint. The second NSE was an attempt to convert S7 enumeration scripts written in Python by SCADA Strange Love into an Nmap NSE. Over the course of development...
Redpoint Release: Siemens S7 Enumeration
Redpoint is our internal project to develop NSE scripts for Nmap to identify and enumerate ICS devices. We are releasing some of the more helpful and less intrusive scripts on GitHub. The first was for BACnet devices, and now we have released an NSE script to identify...
S4x14 Video: Poor APIs Lead To Integrator Provided Vulns
Rotem Bar of Limpox Advanced Solutions closed out S4x14 with a look at how integrators can introduce vulnerabilities into an ICS. This point was actually brought out as well by Sistrunk and Crain with the DNP3 vulns. In that case the TMW master station was not...
XP EoL As A Valuable Experience
Let me give you a real world anecdote to provide a little context about my comment to Kelly Jackson Higgins over at Dark Reading that the Windows XP end of life was in many ways a positive experience for ICS organizations that care about security. Last month I had a...
Friday News & Notes
The Crain/Sistrunk disclosed vulnerabilities from fuzzing of master stations have all been related to DNP3 protocol stacks ... until today. ICS-CERT announced the first Modbus protocol stack vulnerability from Project Robus. Welcome to the party Modbus. We normally...
S4x14 Video: Are Risk Based Approaches Bound to Fail?
The Great Debate topic for S4x14 was: Are Risk Based Approaches Bound to Fail in Securing Critical Infrastructure ICS? The idea for the topic was a Bound to Fail paper by Ralph Langner and Perry Pederson for the Brookings Institution. We had Jim Gilsinn of Kenexis and...
Ready For Attack, Sir!
The most frequent question I get from reporters is "why haven't we seen more security incidents in ICS"? It is now common knowledge that ICS are vulnerable, and eventually we will get the message out that they are, in fact, insecure by design. Why aren't we seeing...
Last Chance for the EnergySec and Digital Bond Training
Friendly reminder that there are a few seats still available for the CIPv5 Foundations course partnered with Digital Bond's Cyber Security for Generation (click link for more details). This two day course starts with the NERC CIPv5 Foundations course offered by...
Friday News & Notes
Have a great research idea for "Automatic Detection and Patching of Embedded Systems"? Take a look at the DHS pre-solicitation notice announcement for funding under the Small Business Innovation Research (SBIR) program. There is a heavy Internet of Things slant...
XP EoL: Little Impact to ICS Security
All the fuss and tension over the security impact of Windows XP reaching its end of life next week is wildly overblown for the ICS community. Yes, there are still a lot of asset owners running Windows XP in their ICS environment. And yes, many of these asset owners are...
S4x14 Session: You Name It; We Analyze It
Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of...
S4x14 Session: At Least Pretend You Care
UPDATE - The video is added. I wrongly assumed this was the lost 15-minute session. Sorry Sean. Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a...
Friday News & Notes
Some of the big names, AT&T, Cisco, GE, IBM and Intel, have created the Industrial Internet Consortium. GE has been pushing the term Industrial Internet and may be the hub of the five founding partners, who by the way hold a majority of permanent seats in the IIC....
Redpoint: Discover & Enumerate BACnet Devices
Digital Bond has had an internal research project to develop tools that discover and enumerate ICS applications and devices. We call this project Redpoint, and we use the growing list of tools with care on ICS security assessments and other projects for our clients....
Is The Cyber Component of War Less Predictable?
Martin Libicki wrote "Why Cyber War Will Not and Should Not Have Its Grand Strategist" in the Spring 2014 edition of Strategic Studies Quarterly, and for a shorter take on this read Tim Stevens' summary and analysis of this article. The pull quote from Stevens'...
Friday News & Notes
Dragos Security founders Matt Luallen and Robert Lee announced their first product: CyberLens. CyberLens enables the passive discovery and identification of cyber assets on a network. I asked and Robert answered in a twitter discussion what makes CyberLens...
S4x14 Video: Defending “Known Vulnerable” ICS
Monzy Merza of Splunk had an S4x14 defensive session. Working with an actual, deployed Building Management System (BMS), Monzy wrote python scripts to export the data from the BMS to Splunk for analysis. He focused solely on what could be detected from info logged...
Mining Malware – Seeking, and Finding False Positives
We've covered some of the main points of the Mining Malware project, but haven't gotten to the real meat of the discussion; What would a search for automation software look like, and would it even be successful? To demonstrate this, I'm going to start with a small...
Friday News & Notes
The big news of the week is Industrial Defender will be acquired by Lockheed Martin. Terms of the acquisition were not disclosed; it would be very interesting to know how an ICSsec product is valued in the market. Industrial Defender, formerly known as Verano, was one...
ICSsec Training Options Abound
Back in ~2004 I started teaching a 3-day course on SCADA Security for Infosec Institute. Back then the term ICS didn't exist, and the INL/DHS courses were the only other options. I left the class after about 18 months with the realization training is hard work and not...
Announcing S4xJapan, Oct 14-15 in Tokyo
Digital Bond is pleased to announce our first S4 event outside of the US ... S4xJapan on October 14 - 15 in Tokyo. The call for papers will come out on May 1st, and the event will open for registration on August 1st. Here is some advance information: The 14th will be...
CIP v5 Foundations and Generation Focused Security Training – April 17-18
Spring is here, and that means generally cool, but not cold days. Days where the wind blows through open windows, a light jacket is all you need for walking around, and both Daylight Savings Time and the axial tilt of this wonderful planet have graced us...
S4x14: HART As An Attack Vector
This excellent session by Alexander Bolshev (@dark_k3y) was a very pleasant surprise, and it's a bit frustrating that it is one of the three lost S4x14 videos. We were concerned that it would be a bit S4x13 / insecure by design / low hanging fruit, but HART has...
Friday News & Notes
Next week look for our announcement of S4xJapan. Dates are set; venues are booked; and we have a great plan to make this a first of its kind event in Japan. Also, Japanese readers should check out digitalbond.jp. We finally found some quality translators fluent in...
CIPC Meeting, St. Louis – Part 2
Yesterday's post on the CIPC meeting in St. Louis got a little long, thanks to exposition from me regarding the ES-ISAC. If you find yourself wondering what I'm talking about, take a look at the post. Onward... NERC staff also discussed the kickoff of the...