The news this week was dominated by the presentations at Black Hat, DefCon and Bsides Las Vegas. Charlie Miller and Chris Valasek got the most attention for their hacking of a Toyota Prius and Ford Escape. Breaking, accelerating, moving the steering wheel, all from a...
First we had GLEG developing SCADA exploit packs for Immunity’s Canvas. Now ExCraft Labs out of Cypress is producing the SCADA Pack for Core Impact Pro. It includes 50 exploit modules with about 15 0days. Mostly usual suspects of WinCC, Cimplicity, Advantech,...
Despite good examples from Google, Microsoft, and others, Bug Bounty programs in SCADA and ICS are very limited. As in nearly non-existent. As in the only one I’ve heard about publicly is IntegraXor’s non-monetary program, which hit mainstream last week. I...
Guest blogger Stephan Beirer is a Senior Information Security Consultant and head of Industrial Control Systems Security at GAI NetConsult GmbH, Berlin/Germany. He is the project editor of TR 27019 at ISO/IEC JTC 1 SC 27 and a domain expert for process control systems...
Slow summer week IntegraXor became the first ICS vendor to offer a bug bounty (that we are aware of). The bounty is software licenses not points … “We do not pay out monetary reward but only pay off I/O point to use our software license.” This...
Loyal blog readers know that PLC security is a focus of Digital Bond and a passion of mine. The proponents of defense in depth are selling a mirage if the critical endpoint can’t be secured. Project Basecamp and other researcher disclosures have made this...
This week the third workshop trying to put together a US Cybersecurity Framework as required by President Obama’s Executive order was held in San Diego. You could grab some of the flavor by following #NISTCSF or spend more time watching the webcast. I have yet...
The spring edition of the ICS-CERT Monthly Monitor’s lead story is “Brute Force Attacks On Internet Facing Control Systems”. It got picked up by a large number of the mainstream press including the Wall Street Journal. Author Rachel King points out that according to...
Between confusing standards, odd implementations, lack of security capability from control systems, and the craziness of The Audit, NERC CIP is not a field for the faint of heart. I’ve been doing work in this space for 8 years now, and I don’t pretend to...
This work, and slightly edited blog post, is from a new Project Basecamp researcher that prefers to remain behind the scenes. We welcome any researchers to join the Basecamp team. One of the most interesting “products” in Project Basecamp was CoDeSys,...
