Why Crain / Sistrunk Vulns Are A Big Deal

ICS vulnerabilities are easy to find and often not even necessary because the ICS applications and protocols are insecure by design. So why are the vulnerabilities that Adam Crain and Chris Sistrunk found in DNP3 protocol stacks such a big deal? Three reasons why I...

Friday News & Notes

GE announced the Industrial Internet. It’s a broad, marketing announcement but here is a taste for loyal blog readers – “GE’s Grid IQ SaaS allows utilities to monitor, manage and control their grid more intelligently without worrying about...

The Skinny on NERC CIP V5 Information Protection Programs

This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...

NERC CIP Gaps: External Networks? Not Our Problem.

This post is part of a coordinated series of blog posts examining the details of version 5 of the NERC Critical Infrastructure Protection (CIP) standards. These posts, written by various individuals having direct experience with these standards, will point out...

S4x13 Video – Fuzzing Before and After You’re Ready

This is the S4x13 lost episode. Somehow I erred in not processing and posting it, and only realized it while looking for similar sessions on vendor Security Development Lifecycle (SDL) successes and lessons learned. Apologies to Anthony and Akshay for my delay in...

DerbyCon Follow Up

While at DerbyCon this year there were many great talks that discussed new techniques and tactics. DerbyCon is a great conference that showcases some of the best security researchers’ work. Researchers from around the world descend on Louisville, Kentucky for 3 days...

NERC CIP Technical Gap – Removable Media

This post is the first of a series of blog posts from many in the Electric Power Cyber Security community illustrating what are believed to be gaps in the NERC CIP regulations that govern cyber security in the electric power sector. Over the next 30 days, these gaps...

Hardware Hacking and DerbyCon

This week I had the privilege of taking the Introduction to Hardware Hacking training at DerbyCon 2013. The class was taught by Josh Thomas, Kevin Finisterre, and Nathan Keltner. Over two days the training covered topics such as setting up a home lab, EE...

Friday News & Notes

The Cisco blog provides broad details on six watering hole attacks on energy sector sites. ICS vendor support sites are high value targets for any group targeting critical infrastructure. T&D World published a brief summary of the 11 ICS Security Research Projects...