Hack Chat Transcript, Part 4
07/14/2021 at 20:35 • 0 comments
Bingo
In addition to many other things. Seems like a simple idea but why the hell haven't I ever thought of that?
are there any recommended formats for SBOM?
I suspect you did, but there's too many threads to chase
I got a year of free thinking at airbus
it did take about 6 months to break the noise floor of the predictions (augmented dickey fuller suggested 3 month was a limit)
No... I love to claim I did but that one skipped me. I need to add this idea to some models.
@anfractuosity - yes SPDX and CycloneDX, https://www.ntia.gov/sbom
turns out old WW2 stats and little
Little's law did the trick
Airbus owns the IP, but we agreed to publish most of it, and I can talk freely sometime about where it will go.
@anfractuosity there are a few formats/frameworks. Depends on how you will be using it. Some are also in development.
https://www.eia.gov/todayinenergy/detail.php?id=35652
Average frequency and duration of electric distribution outages vary by states
Interruptions in electricity service vary by frequency and duration across the many electric distribution systems that serve about 145 million customers in the United States. In 2016, customers experienced an average of 1.3 interruptions and went without power for four hours during the year.
motorwaysteps.co.uk. A website about the infrastructure access stairs on motorways (freeways). They all need to be designed, and cost many tens of thousands of (currency units) each. And you don't see them until someone mentions them to you.
Pylons are nice, but I miss
Love this!
EIA is a great resource. I used them for the piece I wrote on petroleum pipelines, and a new piece coming out tomorrow on "Black Starts" for the grid
Is DNS infrastructure? :D
oooooh, I love that you're writing a blackstarts piece
DNS is Critical infrastructure I'd say!
@anfractuosity I am partial to the SBOM Energy stuff being done through the DOE/INL/NTIA
https://onlinelibrary.wiley.com/doi/10.1111/risa.13291
You might like this simulation approach we made:
Thanks, I hope I do the topic justice. I only have 1500 words or so, tough to put in much detail.
Not so much about blackstarts but estimating the impact of outages on say transport
@eireann.leverett Eye of the Lucifer…. The hottest hell…. (would be my answer) 🤣🤣🤣
My company is participating in the SBOM POC hosted by INL, using the SAG-PM software representing a well known utility in the mid Atlantic area
doing intersectoral stuff is super hard, but the oxford team came up with a cool voronoi decomposition to estimate substation outage effects on train stations
I think aDolus is working with OSIsoft on the software vendor side. REA is working on the consumer side of the SBOM POC
aDolus is doing some great stuff.
I guess if the talk is over, me and Patrick can have a whisky?
I've got an "Emergency Decadence" at hand.
Cheers, old friend. We need to do that sometime soon.
Indeed
@Patrick C Miller they are one of only a handful of C-SCRM vendors with the ability to process NTIA SBOM's. Microsoft gobbled up Refirm Labs and IBM gobbled up BoxBoat. C-SCRM is becoming a thing
I agree
A wise man said: To make critical damage to electricity distribution, with still small effort and costs -> buy 2 offroads (Mitsubishi L200 e.g.), and use them to physically attack 2 big substations…. No APT, expensive research…..
cool probability site for you risk nerds
https://seeing-theory.brown.edu/
Seeing Theory (Daniel Kunin, Brown): A visual introduction to probability and statistics.
Our trust in infrastructure is inversely proportional to how well we understand it
Have started looking into use of Bayes Theorem for vulnerability analysis - looks interesting.
It is powerful stuff, applying it is tricky. I think it's just about getting to know bayes as a tool regularly.
It is very useful in many contexts
Hoping to know more shortly.
If you ever need us, I run a small cyber risk consultancy as well as doing cyber insurance.
I'm bringing another academic on board soon who is looking for quantitative problems to solve.
Will definitely keep that in mind - it's hard to find people with stats and cybersec proficiency
We write code too, a more accurate name might be a think-code-do tank.
Hack Chat Transcript, Part 3
07/14/2021 at 20:33 • 0 comments
anomies = anomalies ;)
@Dan Maloney I am thinking that there might be a Hackaday article just in this bibliography
@andypugh - You may be right about that
leverage your engineer, sit next to them, learn everything from them. These people know more than the average plant worker; keep these people close and then make them the frontrunners
I used to start with doughnuts and coffee. By which I mean getting to know them better without asking anything. Then find some of their problems and help them solve it. Introduce security tools as ENGINEERING tools. For example, I taught the change management team to get hashes of firmware for CHANGE MANAGEMENT LOGS, and only then did I show them the value for security.
@toet will take this approach and try it
this everyday
Also, understand that risk officers have to choose between a thousand "could happens". if you can quantify the impact then they start to pay attention.
That's great, thanks!
there's a subtle point there...you need (as security people) to have SOMEONE in risk meetings...not just to amplify your risks, but also to prevent other risks destroying good security where it does exist.
@eireann.leverett said coffee will get you a headstart
most of all take the time to learn and like
let me give you an example:
An unnamed Norwegian electrical provider that existed since the sixties basically had a phone network because for safety reasons they needed a phone in every substation.
it was old school copper pair
so far so good, then it's 2000 and the CFO wants to save money and upgrade things, so they switch to IP telephony
I mean why run a telephone company when you don't need to? All those copper repairs are expensive.
Cue to talented and handsome penetration testers with hard hats and moustaches and voilà, every time we pwned an IP phone we got a substation for free.
What's my point?
A security person needed to be in there telling the CFO and CRO why IP telephony could become a problem.
Got it.
You wouldn't have gone to that meeting as a security person, so someone needs to be in all those boring risk meetings :D
Lol exactly
Incidentally, Norwegian hackers are off the hook and greetz to Hackeriet ;)
https://hackeriet.no/index.en.html
Hackeriet
Norsk Blog Wiki 2021-06-22: Hackeriet has carefully reopened since the COVID-19 situation has improved in Oslo. All creatures welcome! 2021-05-26: Our IRC channel #oslohackerspace has moved to Libera.chat Stay safe, and be excellent to each other! Hackeriet is a community operated hackerspace in Oslo where people tinker with software, networks, art and hardware, learn from each other.
Loving it Patrick!
S4x22 ICS Security Event
Set free a conservative, slow moving, change resistant community to discover new ideas and come up with innovative ways to use these new ideas to deploy secure, resilient and better ICS. 719 of the world's best in OT and ICS Security attended S4x20. S4x21 was lost to Covid.
CS3STHLM | Home
The Premier Cyber Security Conference for ICS/SCADA and Critical Infrastructure The Summit CS3STHLM - the Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems - is an annual summit that gathers the most important stakeholders across critical processes and industries.
Great to see you! Awesome stuff!
Electromagnetic Field
Electromagnetic Field is a non-profit UK camping festival for those with an inquisitive mind or an interest in making things: hackers, artists, geeks, crafters, scientists, and engineers. A temporary town of more than two thousand like-minded people enjoying a long weekend of talks, performances, and workshops on everything from blacksmithing to biometrics, chiptunes to computer security, high altitude ballooning to lockpicking, origami to democracy, and online privacy to knitting.
:heart:
https://en.wikipedia.org/wiki/The_Heroes_of_Telemark
The Heroes of Telemark - Wikipedia
The Heroes of Telemark is a 1965 British war film directed by Anthony Mann based on the true story of the Norwegian heavy water sabotage during the Second World War from Skis Against the Atom, the memoirs of Norwegian resistance soldier Knut Haukelid.
Can confirm. S4 and CS3 rock.
I know that's our time, but I'll stick around a bit more. Too many friends in this party.
@eireann.leverett and @toet !
Thank you for those insights
The 10,000 Year Clock
The full scale 10,000 Year Clock is now under construction. While there is no completion date scheduled, we do plan to open it to the public once it is ready. The essay below by Long Now board member Kevin Kelly discusses what we hope the Clock will be once complete.
Thx for pointing out very interesting stuff 🙏😎
I think this project was super cool.
Yeah, by all means, keep the conversation going. I'll wait to pull the transcript -- too much good stuff
MCH2022 - May Contain Hackers 2022
MCH2022 is a nonprofit outdoors hacker camp taking place in Zeewolde, the Netherlands. The event is organized for and by volunteers from and around all facets of the worldwide hacker community. Knowledge sharing, technological advancement, experimentation, connecting with your hacker peers and of course hacking are some of the core values of this event.
Did we already cover airgaps?
/me ducks
I think a lot about infrastructure over time...especially 100 year chunks or more.
next year it's in the Netherlands again
LOL
ty
https://www.visualcapitalist.com/visualizing-50-years-of-the-g20s-energy-mix/
I love visualisations like this:
@eireann.leverett I think it might have got lost in the scroll, but I seem to recall that, using Shodan, you got into some very interesting places?
But I will say the "official" thank-you to Eireann for his time today, and to @andypugh for helping to set this up. Andy gave me the suggestion to reach out to Eireann, and I encourage everyone to do the same -- let me know who you want to hear from and I'll try to make it happen.
You can't just come in here @Patrick C Miller and talk about airgaps, not until we've discussed in detail level 0 monitoring
We did, and I forgot @Dick Brooks SBOM comments too, so I'll hit those.
Also, a Danish event coming in November, for anyone in the area...
https://insightevents.dk/events/scada/
Should I go ahead and say sensors?
same as zero trust??
We found electrical substations, dams, foundries, and many other small and large infrastructural things.
(runs and hides)
Now it's like a yearly event where some masters student finds infrastructure with Shodan. I never thought it would be a timeless piece...but there you go. To punish me for my derision of authority they have made me an authority. :D
Now. SBOM....
cool
I think it's crucial...
One of the real world problems is: Vulnerability inheritance
Someone writes a vulnerable library and everyone uses it and no one knows where it is....if you think carefully about it you realise it's a problem both ways....
@ericbyres on the chat?
Is
Yes!!!
Like I want to deploy this Garretcom switch but how would I know it has GE vulns because it was whitelabelled?
It works the other way too....who uses my software a decade after I wrote it? especially if it is open source....
It's really hard to track all that, unless......SBOM
One big problem that SBOM helps solve is the requirement to identify a software supplier - which is not a requirement in today's SW distributions
That will help us against supply chain attacks too.
I’ve found my software which I compiled 20y ago still being available for download :) (latest download 2021 june…) 🤣🤣🤣
Agree. And will help sw customers verify the supplier and digital signature/signing party are legit.
I confess though I am itching to use SBOM for something people don't expect.
Though I don't know what yet...I was waiting for it to mature a bit and have data.
Sorry for stupid question - What does SBOM stand for?
Software Bill of Materials
I use SBOM for corroborating evidence in a SW risk assessment; i.e. does the digital signature align with the supplier in the SBOM and the signing key on file for that supplier - very effective.
And that's not a stupid question.
So for example, we used NVD last year to forecast vulnerabilities
https://arxiv.org/abs/2012.03814
Vulnerability Forecasting: In theory and practice
Why wait for zero-days when you could predict them in advance? It is possible to predict the volume of CVEs released in the NVD as much as a year in advance. This can be done within 3 percent of the actual value, and different predictive algorithms perform well at different lookahead values.
yes SBOM = Software Bill of Materials
Got it, thx
Under peer review still, but kind of cool work with lots of applications to ICS/OT networks
Very poor signal/noise ratio when searching NIST NVD for vulns using SBOM data. Need alignment of SBOM data models and Vuln repositories.
For example, if I can tell you AIX will get between 6-8 vulns next year, you can plan your forklift upgrades accordingly.
@Dick Brooks and that will take a while...I wouldn't use it for Vulns necessarily.
My point is just....I think SBOM will give us capabilities we never expected.
What would you use to ID vulns in a proactive process, before installation?
Oh, and while we're here: PYLONS ROCK!
@eireann.leverett. Forecasting the "vulnerability load" for software or even components (libraries, etc) based on history? Did I understand that correctly?
Interesting concept/approach
Pylon Appreciation Society - Pylon Appreciation Society
Who are we and what do we do? "It's funny how many people accuse me of being mad or geeky - and then they send me photos or ask for more information!" It's simple: the Pylon Appreciation Society is a club for people who appreciate electricity pylons.
Yeah Patrick
We found you could forecast vulnerabilities up to a year in advance
That will help understand total cost of ownership of platforms.
Hmmm interesting idea
not exactly what vuln of course, but rough counts for all software and for some specific vendors (60 or so)
Bingo
Hack Chat Transcript, Part 2 07/14/2021 at 20:31 • 0 comments
@primetimber True, Then when everything goes to hell, the board gets a new CEO who says that last guy was the worst and continues to do nothing. Think VW
Where do you tend to see more security vulnerabilities - insecure devices, poor configuration/management, or both?
It covers a crazy history of electrical systems, automotive safety, and medical safety.
Would the benefits of airgapping outweigh the ease of maintenance and data transfer? Or is it not possible for infrastructure to work like an island?
Then goes on to regulatory and certification approaches.
On the airgapping debate, Ronnie knows where I stand :D
Though I guess it's worth repeating....
Thx
Always good to airgap but typically, hardly practical?
Airgaps are mostly myths in practice. They seem easy to maintain and they're not. For example, how are you going to check any SSL/TLS certificate in an airgap?
They are very very dangerous to the mind...too.
How so?
also, how would you get status across an airgap?
People get a false sense of security, I've seen that before
CRL verification would be challenging
Largely my "coming of age" story in this industry was older engineers telling me we didn't need software security practices because it was all airgapped.
From the security perspective (aside from regulations and certifications), what are your thoughts about using cheap SBCs instead of high priced VPN routers (+ even more expensive "access servers") to connect dislocated PLCs to a central SCADA?
As far as I saw, those "premium" devices mostly use OpenVPN which is a breeze to configure today (with a bit of fiddling with iptables).
So does it make sense to pay for those industrial routers today?
Then came 802.11
What happens is that you do just 1 connection to the air gap with a network device that never gets updates or is ever looked at again
I knew it wasn't true, and those airgaps were becoming an impediment to real improvements and innovations.
So I set out to prove people wrong in 2010.
https://cyberics.github.io/News/news.html keeps track of what new vulnerabilities have been released
https://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf
This is the result of that effort.
I was kind of an angry hacker back then :D
Is the document safe :p
Imho - 100% airgap is not possible these days. But -> connecting OT to internet having sensitive devices accessible from anywhere…. That’s bad idea :) Anyway - airgap means can be achieved but it costs extra money (nuclear powerplants do have airgapped systems)
Absolutely. The reason it's a bad idea is because the vendors thought it was THE idea.
An airgap for most people is no ethernet
i'm afraid you still need to get data on and off the system. Ladder logic needs to be loaded on the PLCs somehow. What about tools like this one?
Today, they push software updates to jet fighters in flight, turns out air is a pretty good medium for communications.
So I prefer people do better checking on inputs and outputs. Don't get me wrong if your airgap really is part of defense in depth cool...but if it's your only defence....I get cranky.
even when I think a system is air-gapped, a technician decides to connect (say) our cooling water vendor to the SCADA network, which has a 4G connection to their engineers in another country.
Firmware verification is hot, and i like many companies doing it. Adolus is one of my favourites, but maybe just because Eric Byres inspired me with his myths and facts paper.
@eireann.leverett yes, data exchange is very important nowadays, getting real time telemetry etc.. Systems need to be segregated as much as is possible… yes, a bit more complex for operation. But we have to consider:
what are other good defenses? I saw a bunch of allen bradley plc's in the picture for this chat. In my experience, they don't care much about security
Someone mentioned Shodan, and I think at the EMF talk you listed a few places that _you_ had got in to with the help of Shodan?
reliability, security and safety :)
Yeah, I see the false sense of security, I think I only know one customer in Infrastructure who has a total airgap. The software is old & adapting the software is a hassle.
How do Unidirectional Gateways fare in this picture?
They could work well, but we need some co-evolution with protocols to work well with them.
Now, more generally, let's talk some books and success stories.
http://industrial-landscape.com/#/home
Brian Hayes, Infrastructure: A Guide to the Industrial Landscape
Welcome to the world we've made for ourselves! Natural gas pumping station and storage tanks beneath the buttes of Red Rock State Park, near Gallup, New Mexico. A "trickling filter" at a sewage-treatment plant in Henderson, North Carolina. Making Sense of It All The ExxonMobil refinery at Chalmette, Louisiana, photographed from a ferry crossing the Mississippi.
https://elibrary.ferc.gov/eLibrary/filelist?document_id=14927761&optimized=false
Eric/aDolus is one of the C-SCRM vendors that filed with FERC in support of SBOM's:
I loved this one...not security minded, but such a great how things work book.
One chapter was about agriculture.
Oh, man -- you really gave me book-envy when you suggested that book...
100 years ago 99% of people would have been farmers. Today it's about 1%. How did that happen?
Automation
Can we do the same with other things, and then once we have, how do we secure it?
We are lazy.
Lol, best mathematician is a lazy one?
Concrete factories are cool too....
they are truly distributed infrastructure primarily because of how quickly concrete sets
No sir, I mean naturally, human being is lazy so thinks how to improve things 8-)
https://verveindustrial.com/resources/ics-advisory-report-thank-you/
ICS Advisory Report - Verve Industrial
Verve's mission is to help industrial clients ensure the security and reliability of their most critical assets: their industrial control systems. Verve Industrial brings over 25 years of ICS/OT experience or what is possible to bridge the IT OT challenges of securing these environments.
https://www.amazon.co.uk/s?k=the+knowledge
(Sorry for typos, english is not my natural language)
This one is fun too
No worries
It has one chapter on a guy who built a toaster from scratch
mined the copper, moulded the plastic, wired the cable everything
Thx for posting these articles :) will read it indeed
https://www.google.co.uk/books/edition/Solving_Cyber_Risk/xn91DwAAQBAJ?hl=en&gbpv=1&pg=PA103&printsec=frontcover
My own book isn't much of a security book, it's more a risk and quantitative approach, but I wrote a chapter I'm proud of on vulnerabilities generally:
I do recommend Jake's book for SCADA security especially
https://blackwells.co.uk/bookshop/product/9781498717076?gC=5a105e8b
Though there are many others too.
LOL blocked IP address
Irony
Huh
https://erikhollnagel.com/ideas/safety-i%20and%20safety-ii.html
I think all security people in OT should read safety books like Erik's
Regarding the toaster…. Friend of mine is attempting to build smartphone (although he is not going to mine gold and silicon 🤣🤣🤣)
I have many more links and things to share, but I'll go back to questions for a bit :)
https://www.plcacademy.com/ladder-logic-tutorial/
PLC Ladder Logic Programming Tutorial (Basics) | PLC Academy
One of the best visual programming languages is a PLC programming language called ladder logic or ladder diagram (LD). The great thing about ladder logic is that it's much more visual than most programming languages, so people often find it a lot easier to learn.
Ok, a little ladder logic tutorial wouldn't hurt :)
@eireann.leverett do you think with "average" SCADA setups (in terms of focus on security) there is a common lack of focus on anything in particular? In other words, if you had to pick a thing or two, what do you think is the most typical low-hanging fruit of SCADA network security improvements?
👍
@Lord3nvy Switches and network equipment, and network monitoring.
Secure your networking infrastructure first.
http://oscada.org/ if you want to build a custom scada overview, it's old but still works
Do you see more vulnerabilities because of poor configuration/management or in devices (such as PLCs) themselves?
One really interesting thing about realtime networks: to MITM often requires an attacker to operate under the real time constraints of the system itself.
that's a brilliant constraint that defenders can use to their advantage
Good point, here's my talk on industrial ethernet switch security:
A bit of the offense side, but plenty of lessons for defenders from firmware management and verification, to default credentials, to switch hardening
Very cool - thank you! Network monitoring makes a lot of sense - I think it has a tendency to get pigeonholed into the "IT" world and sometimes doesn't get communicated to the boots on the ground, so to speak, when anomalies happen.
So much of SCADA is protocols that work really well, but assume only trusted people have access, so focus on rejecting attacker access, and thus switches first, plcs, rtus, other equipment next, logging, and network monitoring.
one other thing....OT/SCADA has engineers as standard employees. Literate, numerate, people. Ok, Numerate people. But seriously, they care about the system more than other users, and they think critically as engineers...we need to leverage that and not deride them as homers.
Care to elaborate on the 'leverage' part?
Name another environment where you can count on standard people within the org to have STEM degrees? If we can't explain security to them, we're communicating risk badly.
@DM do you mean leveraging the employees? Like how do we do it?
Expand a little and I'll try to answer.
Yes, you mentioned that engineers are critical thinkers and that we should leverage this. How best do we do this practically?
Random link to one of my fave papers on CNI analysis
https://ieeexplore.ieee.org/document/969131
Identifying, understanding, and analyzing critical infrastructure interdependencies
The notion that our nation's critical infrastructures are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies (so-called "cyberbased systems"), is more than an abstract, theoretical concept.
Regarding anomalies - does it make sense to focus on anomies down to protocol level (.101 or .104) or focus a bit more to hardening peers? I mean to create who is allowed to communicate and who’s not to each other, and just alert when anomaly happens?
Hack Chat Transcript, Part 1 07/14/2021 at 20:27 • 0 comments
OK, let's get going. Welcome, one and all, and thanks for coming out today. I'm Dan and I'll be moderating today with Dusan as usual as we welcome Eireann Leverett to the Hack Chat to talk about SCADA Security. I've really been looking forward to this as infrastructure security has been much on my mind lately.
Hello everyone!
https://www.nccoe.nist.gov/events/virtual-workshop-preventing-and-recovering-ransomware-and-other-destructive-cyber-events
Great workshop on ransomware hosted by NIST and NCCoE today - just ended;
Welcome Eireann, and please accept my apologies in advance for any fat-finger mistakes on your name
It's not an easy type is it?
So many vowels...
Can you start us off with a brief intro?
Fun fact; Eireann is Irish for Irish.
And diacriticals....
indeed, though I never complain if people leave the fada out.
(the accent)
I know, I feel bad for not including those. But keeping up with the letters is tough enough for my fingers as it is.
RE: Dan Maloney
1:55 PM
Hey @JImmyMoe - doesn't ring a bell right off, but I know we've covered a ton of projects like that. I'll see if I can dig something up...
Thank you so much Dan! I would so appreciate it.
Murph
So brief intro: I have been doing security since about 2005, with some enthusiasm for phones before. I think I got an early insight into SCADA or ICS security because I grew up for a time in Ohio.
My grandparents owned a farm, and I spent summers there. There were many stories of burning rivers from industrial pollution.
"The River Caught Fire": The Cuyahoga River Fire of 1969
A series of articles exploring historical events that provide an important lesson for ensuring a more sustainable and healthy environment. Originally published as a bulletin feature for the newsletter of CHE-WA (Collaborative on Health and the Environment, Washington State chapter); produced by Steven G. Gilbert. Oil spills and oil fires are nothing new.
They even named a beer after it as I got older: Burning river pale ale.
Good evening all
Yeah, it wasn't a good period
So my point is, at a very young age I had a sense that industrial systems could have big impacts.
Hello all
Hola amigos
Like most people in my twenties I didn't know what I wanted to do. Eventually, after trying many jobs, i ended up studying AI and Software Engineering in Scotland. From there I worked for GE Energy on software that controlled distribution grids. Mostly Energy, but some water too.
That was my introduction to SCADA, and then I started doing vuln management and secure coding team building for them with my main hard hat hacker Colin Cassidy.
are you still in electric ?
No. Or rather not directly.
From there I ended up going to Cambridge, and then penetration testing at IOActive.
where does that sound familiar ioactive
I returned to Cambridge to work on risk after 3 1/2 years of globetrotting with IOA. Colin is still with them, after leaving GE.
At the time, it was hard to be a scada security person. IOActive had some of the finest, mostly ex Idaho National Labs.
Do you think full separation of environments (OT vs IT) can increase resilience against APT threats? (My answer would be No 8-) )
Woo-hoo, Idaho!
well dividing the environments does make it somewhat more resilient
Back in the good ole days
After pentester burnout I moved into risk to critical national infrastructure and general cyber risk at the Cambridge Centre for Risk Studies.
Sup Ronnie!
=) long time no talk sir!
Congratulations on your seed!
whew thanks! now all that's left is to execute
Plenty of opportunity still in OT security as everyone can probably tell
I still spend a little time at CCRS, but most of my time is spent in cyber insurance mathematics.
I'll leave it there lest I bore everyone.
:D
:lol
I heard today the cyber insurers are bleeding badly - is it true?
So that's me in a nutshell, a bit hacker, a bit engineer and safety, a bit maths and probability.
Help me out: OT vs IT?
Sure, a classic divide.
It's basically work culture. OT is operational technology and IT is well, everyone knows that...the point being...
2 totally different worlds
OT - Operational Tech. (All the ICS, Scada and IoT world) to separate from “office IT world”
In IT you change fast, and in OT you want hardcore change management and safety checks.
@toet exactly
Any opinions on SBOM to share?
So IT wants to patch everything as fast as possible and OT wants to avoid change until it's really well verified.
But remarkably similar hardware and software? (Just different purposes)
Ok, but aren't we really talking about Enterprise Security?
Ah, operational. So, networks for the factory floor vs. "carpetland". Gotcha
Sure, and my experience is we can get them to work together, when they understand each other.
exactly that
@Dick Brooks I can get there a little closer to the end. I'm a fan though. My thought is really how much more can we use it for.
and that usually is a dayjob on its own
True, but a lot of security is culture change. make them eat and drink together in each other's teams.
@eireann.leverett happy to have that conversation
There is a bit of this in my hobby (LinuxCNC) where we still support Ubuntu 10.04, because our users have working machines and don't want to risk that.
My mother says "People don't know what they ain't been through."
And sometimes, like with energy grids, the factory floor is basically as big as a continent
Anyone Else Going to Tonights 920SEC meeting here in Green Bay Wi. ?
So make 'em go through it and they suddenly have more capacity to understand each other.
During Y2K I tracked the global status, then was hired to review the US Joint Chiefs' planning scenarios. Y2K required all systems to be checked. Is this that serious?
Pain is a wonderful educator.
If you don't mind, I want to make another general point.
please
Infrastructure is like feet. You don't think about them or care for them until they stop working.
@JImmyMoe Yes we are. But these worlds are so different…. To apply a patch for a vuln (like sudo fix from late 2019) means to update 200k devices across company and distributed geographically in OT -> guess how many could be updated? (Hope you guess less than 10% :lol). That’s what OT world will struggle with for years
Hi Eireann, would you be able to provide some ideas on what the most difficult SCADA, ICS, OT security challenges currently are? Is it securing the devices themselves from physical and external remote attacks? Segregating the "SCADA" network from other areas of the organization? or something else entirely....
@eireann.leverett epic truth :)
my side its mostly segregation
ruling out the flat network
Great question, but also depends on how you like your difficulty served. Network Segmentation is really hard, say, culturally and organisationally.
and creating test environments (sort of digital twins)
Securing applications is tough because we philosophically silo'd safety.
So safety says we must X and security says we must Y and they don't integrate their thinking.
Lots of legacy related risks in operations too.
Much like OT and IT.
Indeed, risk management is about prioritising yourself on the risk register.
@RichardCollins In the 90’s there were 20 desktops in the company but now you have almost all staff equipped with laptop or smartphone and almost every PLC runs its own OS with shit load of vulnerabilities
dont touch a working environment :D
Guess what, most security folks didn't get into computers to do the economics of DDoS versus lightning storms.
So we have trouble beating weather for risk prioritisation. :D
@toet lol exactly
I also think protocols is REALLY hard.
I don't think the biggest issue with SCADA security is what needs to be done. It's how do you get anyone to enforce best / any security practices. I'll leave out small municipalities because they are smaller targets. My experience with industrial scada installations is that unless forced, they won't upgrade a thing until it's on fire. It's hard to even blame them. They drop 100,000 to millions on a setup that gives no upgrades unless they drop a bunch more.
I used to have to keep 36 Computers in our 3 Classrooms for Architects and Engineers 3DS Max Training. I found it easier to keep up if I scheduled each of the 3 groups on a regular basis and or after each class had come to the end of their cycled training. Can't remember exactly what I had but it was something like 3 computers every other day which kept me sane! I was a One Man Show.
from both a security and safety design POV, but also adoption.
And I guess we can't always tie Y (what security says) back to a safety issue, to help emphasize the importance... though outages and potential destruction of the equipment are a huge problem, not seeming very likely.. gets back to how difficult it is to quantify cyber risk
Getting bad in the western US, water rationing, soon people will have to decide how to use the precious water that is available: people, plants, electricity or fire fighting - not good
@Bill S Completely fair, and we could talk security economics and regulation approaches across the globe.
security implementation (what i experienced) needs a mandate from the plant operator; he needs to push it
FYI, I'll post a transcript of the chat right after we're done, in case anyone needs to refer back to links, etc.
(plant operator) i mean ceo
CEOs usually work in the "there is no glory in prevention" mode
I hope people don't mind if i bombard the chat with some links and books.
yes please
Bombs away!
https://www.conpolicy.de/en/news-detail/standardization-and-certification-of-the-internet-of-things/
On that regulation point, we wrote this for the European Union:
What’s your opinion on connecting OT devices directly to internet? (Take a look at shodan for high number of PLCs directly connected to internet)