2014 Articles

Havex Hype & Unhelpful Mystery

Unhelpful Mystery: Why hasn't ICS-CERT or some other CERT or the security vendors issuing bulletins announced publicly the three ICS vendors that were distributing malware with their ICS software and the energy sector websites redirecting to a malware delivering site?...

Michael Toecker Starts Context Industrial Security

Michael Toecker recently joined the ranks of Digital Bond alumni and is starting his own firm. Here is his farewell blog entry. Best of luck Mike and welcome to the world of being a small business owner. A few others have known this for a while, but I've left...

Havex / Stuxnet / ICS-CERT / DHS

I believe the last time ICS-CERT announced malware that specifically attacked a control system product or protocol was back on July 20, 2010. At that time I naively railed that DHS / INL / ICS-CERT should be thoroughly investigating this and determining the impact to...

South Beach Hotel for S4x15

I came a day early to South Florida this week to check out the newest official S4x15 hotel: the Surfcomber Hotel in South Beach. Those still wanting large rooms and suites, luxury, quieter beach and close to the best malls and the Kovens Center can stay at the Trump...

Friday News & Notes

Bloomberg published more detail on the "UglyGorilla" attack on pipeline SCADA. It's worth reading past some of the hyperbole in the article to learn what information was taken. "Operatives vacuumed up caches of e-mails, engineering PDFs and other documents, but it was...

FireEye / Mandiant Try The ICS Market

The ICS security community is still tiny, so when a large vendor recruits five or so names in the industry it gets some attention. They are placing at least a small bet that there is enough business to scale to a size worth pursuing. Security vendors have tried...

S4xJapan Logo and Update

S4xJapan: October 14-15 in Tokyo. I had a bit of fun in Tokyo last month creating a logo for S4xJapan. In Japan people use a hanko, an ink stamp, to sign documents ranging from Fedex or Black Cat delivery acknowledgment to important official documents. A hanko is...

Friday News & Notes

The German government's National Cyber Defense Center has little to show over the last three years, according to the German Government. The Langner Group covers the story of a classified report that was leaked to the press. A small number of employees who lacked...

ICSJWG Needs A Refresh

I attended my first ICSJWG since 2011 last week in Indianapolis. It was an ok event with some interesting talks and a chance to reconnect with familiar faces in the ICS industry. It is however a far cry from the must attend DHS event back when it was called PCSF. I...

My ICSJWG Prezi

I had finished my presentation on a wide variety of topics: Big Data / Cloud Computing / Internet of Things / ICS remote access, and the Q&A had started. After stressing in the presentation that ICS data can be shared anywhere without jeopardizing the integrity and...

Reid’s Back! Digital Bond Labs

I'm very pleased to announce Reid Wightman is returning to Digital Bond after a couple of years at IOActive. Reid will be leading a new division, Digital Bond Labs. He will write soon on what Labs is and what it will do, but let me talk about the reason we formed...

Friday News & Notes

Dark Reading reports this week on Bitsight Technologies security ratings for the utility industry. Bitsight scored the sector as second highest in security posture, with the financial industry rated first. This scoring is primarily based on the corporate network, not...

ISA99 Metrics

The idea of ICS security metrics is popular, but actual measurable metrics are rare. The ISA99 committee is tackling this hard problem with Technical Report 62443-1-3 System Security Conformance Metrics, now out for ballot. Section 4.2 Metrics Development Checklist is...

Friday News & Notes

Positive Hack Days in Moscow had a cool Critical Infrastructure Attack contest. "The contest's participants will have to deal with a thermal power station, transport and city illumination systems and also with cranes and industrial robots." Looking forward to hearing...

ICS-CERT Monitor Interesting Facts & Factoids

The January - April 2014 edition of the ICS-CERT Monitor was chock full of interesting facts and factoids. Here is what caught my eye. Internet Accessible Control Systems Facts - Three examples of Internet accessible control systems are described. The value is in the...

NIST Cybersecurity Framework – 3 Months Later

President Obama tasked NIST with creating a Cybersecurity Framework (CSF) to help secure the critical infrastructure. NIST released Version 1.0 of the CSF on February 12th. We have had a chance to dig into the CSF and even use it in a few consulting engagements, so...

Friday News and Notes

Tofino's response to Windows XP end of life reminds me of Maslow's Hammer: "I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail." These industrial firewalls have their place, and we have tested and recommended them...

S4xJapan: Call For Presentations

Digital Bond is bringing S4 to Tokyo this October, and we are looking for excellent sessions for the two-day event. The event will be held in English and Japanese with simultaneous translation as appropriate. We welcome your session proposals in English or Japanese as...

Friday News & Notes

Another ICS security acquisition this week - GE buys Wurldtech. Wurldtech is known most for their Achilles fuzz testing tool and certification. It was an early entrant in ICS fuzzing and has strong relationships with Shell and other asset owners and vendors in oil and...

WSJ Letter: Better CIP Defense Needed

The President/CEOs of the American Public Power Association (APPA), Edison Electric Institute (EEI), and National Rural Electric Cooperative Association (NRECA) felt a recent WSJ article critical of the electric sector's cyber security "warrants response from the...

Friday News & Notes

The Department of Energy issued an update to their Cybersecurity Procurement Language for Energy Delivery Systems. Useful document if you are working on an ICS RFP. Will they develop an Appendix that will map the requirement statements to NIST CSF sub-category...

Redpoint Release: EtherNet/IP Enumeration

Stephen has been busy cranking out the Project Redpoint Nmap enumeration scripts for ICS applications, devices and protocols. The latest we have made public is a NSE to identify and enumerate EtherNet/IP devices. EtherNet/IP is used in the Logix family of Allen...

Friday News & Notes

Joe Weiss's annual ICS Security Conference (aka WeissCon) has been on, then off, and now back on again. Well, sort of. SecurityWeek has purchased the event from Joe. The press release states Joe "will remain heavily involved in the event series as a key member of...

S4x14 Video: Language Theoretic Security Applied to ICS

We were thrilled to have some of the world's top security researchers enter the ICS world and present at S4x14. In this case, S4 veteran Darren Highfill introduced langsec pioneers Sergey Bratus and Meredith Patterson to the world of ICS, and they worked together to...

S4x14 Video: Graph Theory for Incident Response in Smart Grid

I challenge S4x14 speakers to have so much technical meat that they leave 1/3 of the audience behind. Seth Bromberger of NCI Security took me up on this in a math heavy talk on incident response in a smart grid network. However, he explains the graph theory with...

Friday News & Notes

The court battle between Battelle/INL and Corey Thuen at Southfork Security is over. The settlement agreement gives Battelle all rights to Thuen's Visdom product. While the case hinged on whether Visdom was a copy of Sophia and the Thuen employment agreement, the...

NSE: Lessons In Coding

Digital Bond recently released two Nmap Scripting Engine (NSE) scripts under our Project Redpoint. The second NSE was an attempt to convert S7 enumeration scripts written in Python by SCADA Strange Love into an Nmap NSE. Over the course of development...

Redpoint Release: Siemens S7 Enumeration

Redpoint is our internal project to develop NSE scripts for Nmap to identify and enumerate ICS devices. We are releasing some of the more helpful and less intrusive scripts on GitHub. The first was for BACnet devices, and now we have released a NSE script to identify...

S4x14 Video: Poor API’s Lead To Integrator Provided Vulns

Rotem Bar of Limpox Advanced Solutions closed out S4x14 with a look at how integrators can introduce vulnerabilities into an ICS. This point was actually brought out as well by Sistrunk and Crain with the DNP3 vulns. In that case the TMW master station was not...

XP EoL As A Valuable Experience

Let me give you a real world anecdote to provide a little context about my comment to Kelly Jackson Higgins over at Dark Reading that the Windows XP end of life was in many ways a positive experience for ICS organizations that care about security. Last month I had a...

Friday News & Notes

The Crain/Sistrunk disclosed vulnerabilities from fuzzing of master stations have all been related to DNP3 protocol stacks ... until today. ICS-CERT announced the first Modbus protocol stack vulnerability from Project Robus. Welcome to the party Modbus. We normally...

S4x14 Video: Are Risk Based Approaches Bound to Fail?

The Great Debate topic for S4x14 was: Are Risk Based Approaches Bound to Fail in Securing Critical Infrastructure ICS? The idea for the topic was a Bound to Fail paper by Ralph Langner and Perry Pederson for the Brookings Institution. We had Jim Gilsinn of Kenexis and...

Ready For Attack, Sir!

The most frequent question I get from reporters is "why haven't we seen more security incidents in ICS"? It is now common knowledge that ICS are vulnerable, and eventually we will get the message out that they are, in fact, insecure by design. Why aren't we seeing...

Last Chance for the EnergySec and Digital Bond Training

Friendly reminder that there are a few seats still available for the CIPv5 Foundations course partnered with Digital Bond's Cyber Security for Generation (click link for more details). This two day course starts with the NERC CIPv5 Foundations course offered by...

Friday News & Notes

Have a great research idea for "Automatic Detection and Patching of Embedded Systems"? Take a look at the DHS pre-solicitation notice announcement for funding under the Small Business Innovation Research (SBIR) program. There is a heavy Internet of Things slant...

XP EoL: Little Impact to ICS Security

All the fuss and tension over the security impact of Windows XP reaching its end of life next week is wildly overblown for the ICS community. Yes there still are a lot of asset owners running Windows XP in their ICS environment. And yes, many of these asset owners are...

S4x14 Session: You Name It; We Analyze It

Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of...

S4x14 Session: At Least Pretend You Care

UPDATE - The video is added. I wrongly assumed this was the lost 15-minute session. Sorry Sean. Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a...

Friday News & Notes

Some of the big names, AT&T, Cisco, GE, IBM and Intel, have created the Industrial Internet Consortium. GE has been pushing the term Industrial Internet and may be the hub of the five founding partners, who by the way hold a majority of permanent seats in the IIC....

Redpoint: Discover & Enumerate BACnet Devices

Digital Bond has had an internal research project to develop tools that discover and enumerate ICS applications and devices. We call this project Redpoint, and we use the growing list of tools with care on ICS security assessments and other projects for our clients....

Is The Cyber Component of War Less Predictable?

Martin Libiki wrote "Why Cyber War Will Not and Should Not Have Its Grand Strategist" in the Spring 2014 edition of Strategic Studies Quarterly, and for a shorter take on this read Tim Steven's summary and analysis of this article. The pull quote from Steven's...

Friday News & Notes

Dragos Security founders Matt Luallen and Robert Lee announced their first product: CyberLens. CyberLens enables the passive discovery and identification of cyber assets on a network. I asked and Robert answered in a twitter discussion what makes CyberLens...

S4x14 Video: Defending “Known Vulnerable” ICS

Monzy Merza of Splunk had a S4x14 defensive session. Working with an actual, deployed Building Management System (BMS), Monzy wrote python scripts to export the data from the BMS to Splunk for analysis. He focused solely on what could be detected from info logged...

Mining Malware – Seeking, and Finding False Positives

We've covered some of the main points of the Mining Malware project, but haven't gotten to the real meat of the discussion; What would a search for automation software look like, and would it even be successful? To demonstrate this, I'm going to start with a small...

Friday News & Notes

The big news of the week is Industrial Defender will be acquired by Lockheed Martin. Terms of the acquisition were not disclosed; it would be very interesting to know how an ICSsec product is valued in the market. Industrial Defender, formerly known as Verano, was one...

ICSsec Training Options Abound

Back in ~2004 I started teaching a 3-day course on SCADA Security for Infosec Institute. Back then the term ICS didn't exist, and the INL/DHS courses were the only other options. I left the class after about 18 months with the realization training is hard work and not...

Announcing S4xJapan, Oct 14-15 in Tokyo

Digital Bond is pleased to announce our first S4 event outside of the US ... S4xJapan on October 14 - 15 in Tokyo. The call for papers will come out on May 1st, and the event will open for registration on August 1st. Here is some advance information: The 14th will be...

S4x14: HART As An Attack Vector

This excellent session by Alexander Bolshev (@dark_k3y) was a very pleasant surprise, and it's a bit frustrating that it is one of the three lost S4x14 videos. We were concerned that it would be a bit S4x13 / insecure by design / low hanging fruit, but HART has...

Friday News & Notes

Next week look for our announcement of S4xJapan. Dates are set; venues are booked; and we have a great plan to make this a first of its kind event in Japan. Also, Japanese readers should check out digitalbond.jp. We finally found some quality translators fluent in...

CIPC Meeting, St. Louis – Part 2

Yesterday's post on the CIPC meeting in St. Louis got a little long, thanks to exposition from me regarding the ES-ISAC. If you find yourself wondering what I'm talking about, take a look at the post. Onward... NERC staff also discussed the kickoff of the...

UPCOMING EVENTS

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host.

Sept 12 in Phoenix

I spoke at a private company event.

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLCs). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region.

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lots to say after the S4x19 ICS Detection Challenge experience.

May 21, 2019