CIPC met this past week in St. Louis, with a good agenda of cyber, physical, and compliance items. A bit of background for non-CIP folks, the CIPC stands for Critical Infrastructure Protection Committee, an advisory panel to NERC and the ES-ISAC "in the security...

We lost three S4x14 videos due to technical difficulties at the end of the day on Wednesday. One of them was a great session from Stephen Dunlap and Jonathan Butts of the Air Force Institute of Technology entitled PLC Code Protection. The presentation slides from that...

It is close to a universal truth that vendors in all industries do not handle their first vulnerability disclosure incident well. We now know the same is true of User Groups with the DNP3 User Group as an example. The widespread DNP3 implementation  vulnerabilities...

Sean McBride of Critical Intelligence asserted at an RSA session it was a contractor named NEDA that introduced Stuxnet into Natanz. Mark Clayton broke the news in this article, and here is a link to Sean's RSA slides. Industrial Defender announced ASM support for the...

Last week there was an entertaining SCADASEC thread on the new SANS/GIAC Global Industrial Cyber Security Professional (GICSP) certification. To get your GICSP you take the 5-day SANS Course ICS410: ICS/SCADA Security Essentials and then get 69% or better on the...

Bryan Owen and OSIsoft have been supporters of ICS security research for almost a decade now. And Bryan had another interesting and pithy 15 minute session at S4x14. He covers 15 cyber incidents from around the world that affected their products and company ... and...

Patrick Coyle covers the new effort by the American Water Works Association (AWWA) to develop a Cybersecurity Guide and Cybersecurity Online Tool that attempts to follow the NIST Cybersecurity Framework. TechCrunch reports that Siemens Venture Capital "is launching a...

A live demo often leads to a presentation disaster, but this was not enough of a challenge of Eireann. He decided to run a Red Team / Blue Team exercise live on the S4 stage. http://vimeo.com/85361869 The target was a Siemens SCALANCE switch with a known...

The idea for mining malware for evidence of targeting automation came out of reading several papers on Stuxnet that discussed the methods used to intercept calls to the S7 PLC. To summarize, Stuxnet replaced the Siemens stock s7otbxdx.dll with a new version that...

Sorry for the delay, but lot's of news. ISASecure has launched the System Security Assurance (SSA) certification --- "a system-level cybersecurity certification for industrial automation and control systems (IACS) products." Very ambitious and something we will write...

Nathan Keltner and Josh Thomas of Atredis dove into hardware hacking with a focus on the Teridian System on Chip (SoC). The Teridian SoC is widely used in the smart meter market and is based on the Harvard Architecture. Nathan and Josh explain the differences between...

If you'll remember from a set of posts last year, I had floated the idea of mining malware for evidence of automation system compromise. The basic premise was to look for the evidence of interactions with control systems by analyzing malware samples graciously sent to...

This was the 7th year that JPCERT put on an ICS Security Conference in Tokyo. The conference hall had a capacity of 300 people, and it was sold out weeks before the event. Of course the price was very appealing --- free. Great to see the increased interest having...

At S4x14 this year, there was a great talk about using an Ardunio Shield to communicate via the HART Protocol by Alexander Bolshev. Michael Toecker Blogged about this talk earlier, read his blog for more details about the talk. As the talk shows the Ardunio shield is...

PLCpwn is a Digital Bond project that Stephen Hilt led and presented at S4x14. It was inspired by the Power Pwn that we had used with a number of clients to help them realize ignoring the physical security perimeter might be a mistake. http://vimeo.com/85668729...

After hearing about PLCpwn, S4 vet Jake Brodsky over on SCADA Perspective wrote "Only problem: If you have physical access to the network of a PLC or to the PLC itself, you own it. End of story. That's very unlikely to change." While the ICS community still is...

A very brief Friday News and Notes ... Critical Intelligence reports that Shodan is now scanning the default PROFINET port (TCP/34962). Last September Shodan added DNP3 to its scan list. S4x13 vet Ali Abbassi has released a "very basic Modbus fuzzer" on GitHub. This...

We encourage passionate disagreement and promotion of new, maybe slightly crazy concepts at S4 through Unsolicited Responses. Attendees can submit their idea for a 5 minute talk, with or without slides, at the event. Some are serious; some are funny. Normally we don't...

Eric Byres suggested we take our back and forth from the blogs to the stage at S4x14. I had 5 minutes to explain why SCADA Apologist, as I claim Eric is, are a major impediment to progress in ICS security. Then Eric had 5 minutes to respond why he was a SCADA Realist...

With all the furor about S4 over the past week, our readers may have missed some of the developments on the NERC CIP front. Last week, NERC and electric power representatives (and a bunch of us consulting folks) met in both Phoenix and Atlanta for a one-day conference...

We hear all the time about the lifecycle of ICS software and hardware being measured in decades rather than years. So even if new code goes through a security development lifecycle (SDL), the ICS community has a large amount of legacy code with latent vulnerabilities...

The NY Times reported NSA Devises Radio Pathway Into Computers. This program fits perfectly into my Preparation and Persistence talk at ICSage and the motivation behind the PLCpwn. I'll have more on this when we post the PLCpwn video, but readers can think about the...

As discussed in an earlier blog, attendees of S4x14 wanted to interact with ICS devices they may not have seen before, or even in some case just wanted more practice with devices they know quite well.  It also allowed people from the novice to the advanced to have...

We decided to move up the release of Adam Crain / Chris Sistrunk S4x14 video because DISTRIBUTECH is next week in San Antonio. This is a big electric sector event and the DNP3 Technical Committee meets in conjunction with this event. The story of vulns in the DNP3...

Jason kicked off S4x14 with an instant classic S4 talk, and not because it spawned a lot of triangle jokes. 4kB of free space. That is all Jason had on this sensor to implement the attack and whatever measures to hide the attack from the operator. This is not enough...

At the S4x14 conference in Miami this past week, Alexander Bolshev of ERPScan gave an presentation on his work on the Highway Addressable Remote Transducer protocol (HART). HART is a commonly used industrial protocol for communication over legacy 4-20 ma...

Last Monday was a busy day for Digital Bond and volunteers at S4x14 setting up the ICS Village. Starting with laying out and setting up networks for attendees of the conference to utilize to reach the devices inside the ICS Village. As shown in previous blogs, there...

The ICS Security Research Community is healthier than it has ever been. That's my conclusion based on the S4x14 sessions and what I discuss in my 11-minute mini-keynote you can watch below. http://vimeo.com/84615727 S4x13 was all about 0days. Session after session...

Every year we invite a small number of press to cover S4. We typically pick a couple from the technical press and others from the more mainstream press, and we try to get reporters with a history of covering ICS security. This is not only because they are likely to...

<<< ICSage on Friday is sold out, but there are still spots available for S4x14 and OTDay. Register now.>>> The ICS Village is another new addition to S4 in 2014. We want to provide an environment where attendees can attack, defend and interact with...

Meeting and reconnecting with your peers is a big part of any conference. S4x14 draws a unique, highly technical and international attendee base --- this year over half the attendees are from outside the US (see agenda, courses, hotels and register here). In...