The ICS Security Research Community is healthier than it has ever been. That’s my conclusion based on the S4x14 sessions and what I discuss in my 11-minute mini-keynote you can watch below.
S4x13 was all about 0days. Session after session clearly showed a researcher getting a field device, HMI application or some other ICS component; spending a few hours or days investigating it; and discovering pathetic security practices that made it easy to exploit and features that did not even require an exploit. There were over 20 0days at S4x13 and maybe as many as 50 depending on how you count vulns, capped by an Iranian graduate student in Beijing with no ICS experience quickly compromising a few field devices.
While many in the ICS community are still in denial about how vulnerable and fragile ICS devices and applications are, there is no need to further demonstrate this to the ICS security research community. So those low-hanging-fruit / insecure-by-design S4x14 proposals were rejected. Initially we were concerned about whether there would be enough new work to fill two days with technical meat. The researchers came through big time, as you will see in the S4x14 videos as they are released.