S4x14 Agenda Out / Registration Opens

Check it out. The agenda and registration site for 2014 edition of Digital Bond’s S4 is now up. It is now a four day event running January 14th to 17th in Miami Beach. Wednesday / Thursday is the traditional S4 event. Very technical, bleeding edge offensive and...

Why Crain / Sistrunk Vulns Are A Big Deal

ICS vulnerabilities are easy to find and often not even necessary because the ICS applications and protocols are insecure by design. So why are the vulnerabilities that Adam Crain and Chris Sistrunk found in DNP3 protocol stacks such a big deal? Three reasons why I...

Friday News & Notes

GE announced the Industrial Internet. It’s a broad, marketing announcement but here is a taste for loyal blog readers – “GE’s Grid IQ SaaS allows utilities to monitor, manage and control their grid more intelligently without worrying about...

The Skinny on NERC CIP V5 Information Protection Programs

This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...

NERC CIP Gaps: External Networks? Not Our Problem.

This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...

S4x13 Video – Fuzzing Before and After You’re Ready

This is the S4x13 lost episode. Somehow I erred in not processing and posting it, and only realized it while looking for similar sessions on vendor Security Development Lifecycle (SDL) successes and lessons learned. Apologies to Anthony and Akshay for my delay in...

DerbyCon Follow Up

While at DerbyCon this year there was many great talks that discussed new techniques and tactics. DerbyCon is a great conference that showcases some of the best security researches’ work. Researches from around the world descend on Louisville Kentucky for 3 days...

NERC CIP Technical Gap – Removable Media

This post is the first of a series of blog posts from many in the Electric Power Cyber Security community illustrating what are believed to be gaps in the NERC CIP regulations that govern cyber security in the electric power sector. Over the next 30 days, these gaps...

Hardware Hacking and DerbyCon

This week I had the privilege of taking the Introduction to Hardware Hacking training at DerbyCon 2013. The class was taught by Josh Thomas, Kevin Finisterre, and Nathan Keltner.  Over two days the training covered topics such as setting up a home lab, EE...