The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.
Attendees will gain a practical level of knowledge sufficient to keep them from appearing foolish should they choose to opine on any of the various real issues stemming from Industrial Control or SCADA systems. Attendees will also feel embarrassed for something they've said, empowered to call out charlatans, and much less worried about cyberhackers unleashing cyberattacks which cybercause cyberpipelines and cybermanufacturing plants to cybergonuts and cybertakeovertheplanet using cybercookiesofdeath.
Protecting Infrastructure from Cyber Attacks - Maurice Dawson
The Department of Homeland Security (DHS) has become more concerned with cyber attacks on infrastructure such as supervisory control and data acquisition (SCADA) systems. An attack in Iran has proven that the landscape of cyber warfare is continually evolving. As SCADA systems are the systems that autonomously monitor and adjust switching, among other processes, within critical infrastructures such as nuclear plants and power grids, DHS has become concerned about these systems because they are frequently unmanned and remotely accessed. A vulnerability such as remote access could allow anyone to take control of critical infrastructure assets remotely. There have been increasing mandates and directives to ensure that any system deployed meets stringent requirements. As the Stuxnet worm has become a reality, future attacks could be malicious code directly targeting specific locations of critical infrastructure. This paper will address methods to protect infrastructure from cyber attacks using a hybrid of certification & accreditation (C&A) processes and information assurance (IA) controls.
Cyber Security Threats to Industrial Control Systems - David Spinks
Every day we hear in the media of potential cyber security threats to Critical National Infrastructure such as power grids, airlines and nuclear power stations. David has spent over 40 years working in ICS environments. He was invited to speak at the British Computer Society cyber event in London; these are the slides.
Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those in other ICS protocols too). Then I focus on the different mitigations an ICS owner can apply to these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
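The monitoring side of that abstract, as an added example that is not code from the talk: a small DNP3 link-layer parser that verifies the per-block CRCs and then checks each master request against an allow-list of (master, outstation) pairs and application function codes. The frame layout, the CRC polynomial and the function-code values follow the public DNP3 (IEEE 1815) link and application layers; the addresses, the policy and the sample frames are constructed for the illustration. This is the kind of compensating control and detection logic an owner can run in front of an outstation that cannot be patched.

```python
"""Added example: DNP3 link-layer parsing plus a protocol-aware allow-list.

Not code from the talk. Frame layout and CRC follow the public DNP3 (IEEE 1815)
link layer; addresses, policy and sample frames are constructed for this demo.
"""
import struct

START = b"\x05\x64"

# Application-layer function codes (values from the standard).
APP_READ = 0x01
APP_DIRECT_OPERATE = 0x05
APP_COLD_RESTART = 0x0D
APP_RESPONSE = 0x81


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: polynomial 0x3D65, bit-reflected form 0xA6BC, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _blocks_with_crc(payload: bytes) -> bytes:
    """User data travels in 16-byte blocks, each followed by its own little-endian CRC."""
    out = bytearray()
    for i in range(0, len(payload), 16):
        block = payload[i:i + 16]
        out += block + struct.pack("<H", dnp3_crc(block))
    return bytes(out)


def build_frame(src: int, dst: int, from_master: bool, app_fc: int) -> bytes:
    """Minimal frame: link header, transport byte, application header (no objects)."""
    # Transport byte FIR|FIN, seq 0; application control FIR|FIN, seq 0; then function code.
    user_data = bytes([0xC0, 0xC0, app_fc])
    # Link control: DIR (bit 7) set when sent by the master, PRM (bit 6), link fc 4.
    ctrl = (0x80 if from_master else 0x00) | 0x40 | 0x04
    length = 5 + len(user_data)  # control + dest + src + user data, CRCs excluded
    header = START + bytes([length, ctrl]) + struct.pack("<HH", dst, src)
    return header + struct.pack("<H", dnp3_crc(header)) + _blocks_with_crc(user_data)


def parse_frame(frame: bytes) -> dict:
    """Check every CRC and return the fields a monitor needs; raise ValueError if bad."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 frame")
    header, hdr_crc = frame[:8], struct.unpack("<H", frame[8:10])[0]
    if dnp3_crc(header) != hdr_crc:
        raise ValueError("link header CRC mismatch")
    length, ctrl = header[2], header[3]
    dst, src = struct.unpack("<HH", header[4:8])
    user_data, pos, remaining = bytearray(), 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        crc = struct.unpack("<H", frame[pos + n:pos + n + 2])[0]
        if dnp3_crc(block) != crc:
            raise ValueError("user data CRC mismatch")
        user_data += block
        pos, remaining = pos + n + 2, remaining - n
    return {
        "src": src,
        "dst": dst,
        "from_master": bool(ctrl & 0x80),
        "app_fc": user_data[2] if len(user_data) >= 3 else None,
    }


# Constructed policy: which master may send which application functions to which
# outstation. Reads and direct operates are expected; a cold restart is not.
POLICY = {
    (1, 10): {APP_READ, APP_DIRECT_OPERATE},  # SCADA master 1 -> outstation 10
}


def inspect(frame: bytes, policy=POLICY) -> list:
    """Return alert strings for one frame; an empty list means the frame is expected."""
    try:
        f = parse_frame(frame)
    except (ValueError, struct.error) as err:
        return [f"malformed: {err}"]
    alerts = []
    if f["from_master"]:
        allowed = policy.get((f["src"], f["dst"]))
        if allowed is None:
            alerts.append(f"unknown master {f['src']} -> outstation {f['dst']}")
        elif f["app_fc"] is None:
            alerts.append("link frame without application header")
        elif f["app_fc"] not in allowed:
            alerts.append(
                f"master {f['src']} sent disallowed function 0x{f['app_fc']:02X} to {f['dst']}"
            )
    return alerts
```

Feeding the monitor a constructed read poll from master 1 yields no alerts, a cold restart from the same master or any request from an unlisted master address is flagged, and a frame with a flipped header byte is rejected by the CRC before any policy is consulted. A frame-level allow-list like this does not fix a parser bug in the outstation, but it keeps unexpected function codes and unknown masters from reaching it and gives the operator a log line to act on.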
HAR2009 - Your Mind: Legal Status, Rights and Securing Yourself - James Arlen
James Arlen and Tiffany Rad
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and international laws relating to protection of intellectual property and criminal search and seizure procedures put into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server/jurisdiction-hopping platforms, or on social networking sites. Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
Notacon 7 - Hacking The Future: Weaponizing The Next Generation - James Arlen
Join this panel of experts who will discuss, debate, enlighten, and do battle on the topic of Hacker Parenting. From a multitude of viewpoints - paternal, maternal, fictive aunt and victim - the methodologies and techniques of applying the hacker mindset to parenting will be discussed. It is expected that the audience will participate as this topic is one on which everyone has an opinion. Maybe it's possible to do great work and develop a generation of people primed to hack the planet and take over.
BlackHat Europe 2010: SCADA and ICS for Security Experts - James Arlen
The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories.
Suddenly, every consultant is an expert and every product is loudly advertising how it solves SCADA SECURITY AND COMPLIANCY ISSUES!!!
And because they don't know what the hell they're talking about - 'fake it till ya make it' doesn't work - they're making all of us look stupid.
Let's sit down for a little fireside chat and discuss all things SCADA and ICS with an eye towards increasing our knowledge to the point where we can confidently say: "I'm not an expert at everything, I can help some, may we work together on a solution?"
It's time to stop being a Cyber Idiot and start being a positive contributor. Learn some truth, look behind the curtain, bust some FUD, Oh - and make government agents have kittens. That's fun for everyone.
Integrating the Alphabet Soup of Standards - Jim Gilsinn
Presented @ 2014 ICS Cyber Security Conference
October 21, 2014
It's been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started its revision process, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to its standards. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As consultants, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.
This presentation was given at BSides Las Vegas 2015.
In the modern times we live in, the gentle shift we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day-to-day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is rising and governmental regulations are being established and implemented. However, this also means that the need for ICS security professionals is rising as well. More and more security professionals and firms are starting to perform security assessments such as penetration testing at the ICS level. Two years ago I was asked whether I was up for the challenge of converting myself from a 'normal' security professional to an ICS-specific security professional.
The purpose of this talk would be to provide a starting point for security professionals who want to make the shift towards ICS security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk in contrast to an ICS 101 talk.
Presentation on findings of the annual survey of ICS Security professionals. Includes participant demographics, greatest ICS security threats, and security initiatives.
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw... - Amazon Web Services
A hybrid architecture is one of the easiest ways to securely address new application requirements and cloud-first development initiatives. This approach allows you to start small and expand as your requirements change while maintaining a strong security posture. In this session, you will learn the 5 key steps to building a hybrid architecture using the VM-Series next-generation firewall.
Speaker: Bisham Kishnani, Consulting Engineer (APJC) – DataCenter & Virtualization, Palo Alto Networks
Using Assessment Tools on ICS (English) - Digital Bond
Dale Peterson of Digital Bond describes the methodology of using security assessment tools on an operational ICS. He also discusses how to best use the features and functions of these tools.
Liam Randall of Critical Stack at the S4x15 Operations Technology Day (OTDay). Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
Active Directory in ICS: Lessons Learned From The Field - Digital Bond
Donovan Tindall of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty, but practical technical session on how to use Active Directory to help manage and secure your ICS.
Presented at ISACA's EuroCACS 2015 (Copenhagen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand the knowledge on SCADA systems and how cyberattacks can have physical consequences, bridging the cyber and physical worlds.
Think Devilish, Act Angelic - SearchLove 2012 - Wil Reynolds
Stop Chasing Algorithms Guys!!! Build a real business that does real stuff, real stuff attracts links.
From London & Boston 2012 SearchLove w/ Distilled.
Cutting edge overview of the best mobile campaigns, new interfaces, mobile, mHealth, Quantified Self, Singularity, Singularity University and the broader DIY (do-it-yourself) movement across the world transforming all vertical markets, sectors and companies. From closed, top down and central systems towards open, bottom up and decentralized systems. From scarcity to abundance.
This talk by Chris Grayson contains lots of information about how to enter the so-called "hackerspace." From mental approaches to books, movies, and other media to online courses and knowledge repositories, this presentation is intended to be the one-stop-shop for anyone trying to become a penetration tester.
Examples of (bad) consequences of a lack of software quality and some solutions. This presentation presents some examples of (bad) consequences of a lack of software quality, in particular how poor software quality led to the direct deaths of 89 people. It then provides some background on software quality, especially the concept of Quality Without a Name. It then discusses many principles, their usefulness, and their positive consequences on software quality. Some of these principles are well known in object-oriented programming, while many others are taken from the book 97 Things Every Programmer Should Know. They include: abstraction, encapsulation, inheritance, types, polymorphism, SOLID, GRASP, YAGNI, KISS, DRY, Do Not Reinvent the Wheel, Law of Demeter, Beware of Assumptions, Deletable Code, coding with reason, and functional programming. They pertain to dependencies, domains, and tools.
(In detail: Beauty Is in Simplicity, The Boy Scout Rule, You Gotta Care About the Code, The Longevity of Interim Solutions, Beware the Share, Encapsulate Behavior, Not Just State, Single Responsibility Principle, WET Dilutes Performance Bottlenecks, Convenience Is Not an -ility, Code in the Language of the Domain, Comment Only What the Code Cannot Say, Distinguish Business Exceptions from Technical, Prefer Domain-Specific Types to Primitive Types, Automate Your Coding Standards, Code Layout Matters, Before You Refactor, Improve Code by Removing It, Put the Mouse Down and Step Away from the Keyboard)
Deja vu Security CEO Adam Cecchetti was invited to present the keynote speech at this year's (sold-out!) Hushcon in Seattle. Rich in humorous anecdotes and practical analysis, Test For Echo explores the relationship between time, ken, and the future of computer security.
by Stefano Maraspin - Everyone knows Steve Krug's "Non farmi pensare" ("Don't Make Me Think"). The author argues that the most important aspect from a usability standpoint is the immediacy of the interface. Reading it, a doubt came to me: "but if users are not supposed to think, does that mean their behaviour will be irrational and unpredictable?" So I started a line of research into the motivations that drive a user to take an action rather than refrain from it. In this talk I share what I have learned from the scientific sources, but above all from the projects I have worked on.
David Mortman CSO in Residence, Echelon One
Rich Mogull Securosis
Dave Maynor Founder & CTO Errata Security
Larry Pesce Pauldotcom.com
Robert "RSnake" Hansen ha.ckers.org
James "Myrcurial" Arlen
We're baaaack. Yup, that's right: some of the biggest mouths in Information Security, and once again we will show you all-new security FAIL. Our panelists will demonstrate innovative hacking techniques in naked wireless networking, GPS, intranet routing, web-based applications and goats.
SecTor 2009 - Your Mind: Legal Status, Rights and Securing Yourself - James Arlen
James Arlen and Tiffany Strauchs Rad
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and international laws relating to protection of intellectual property and criminal search and seizure procedures put into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server/jurisdiction-hopping platforms, or on social networking sites. Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
Notacon 6 - Black Hat To A Black Suit: Econopocalypse Now - James Arlen
You want it all. But you're scared. You don't want to put on a suit and watch your soul shrivel. There is another way.
In this session, you will learn:
- why you want to do this to yourself
- how to get the first job (which will suck)
- how to turn the first job into the next job (while still having fun)
- how to get the top job (sooner than you thought you could)
- and how to do it all without feeling like a corporate whore.
You want to hack the planet? You've got to start somewhere.
Now with new information on why the suffering economy is good news for you!!!
SecTor 2008 - Security Heretic: We're Doing It Wrong - James Arlen
Information and Computer Security is a multi-million dollar business. I am part of that business. And it's wrong. An industry that was started with the highest of ideals, the most pure of motives has deteriorated into a crass, commercial race-to-the-bottom. Or at least it feels that way most of the time. In this presentation, a security heretic will outline a very personal journey through the meat-grinder of the information security industry and will ask you to join in this interactive discussion and walk through some critical self-analysis, some harsh criticism, some ludicrous stories, and hopefully exact the answers you need as you work through your own crises of faith in your career in Information and Computer Security.
DEFCON17 - Your Mind: Legal Status, Rights and Securing Yourself - James Arlen
James Arlen and Tiffany Rad
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and international laws relating to protection of intellectual property and criminal search and seizure procedures put into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server platforms, or on social networking sites.
Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in-transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
BlackHat USA 2009 - Your Mind: Legal Status, Rights and Protecting Yourself - James Arlen
James Arlen and Tiffany Rad
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and international laws relating to protection of intellectual property and criminal search and seizure procedures put into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server platforms, or on social networking sites.
Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in-transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
The Last HOPE - Black Hat To A Black Suit - James Arlen
You want it all. You can see the brass ring and you want to jump for it. But you're scared. You don't want to put on a suit and watch your soul shrivel like the spot price on RAM. There is another way. In this session, you will learn: why you want to do this to yourself, how to get the first job (which will suck), how to turn the first job into the next job (while still having fun), how to get the top job (sooner than you thought you could), and how to do it all without feeling like a corporate whore. You want to hack the planet? You've got to start somewhere.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... - Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
UiPath Test Automation using UiPath Test Suite series, part 5 - DianaGray10
Welcome to the UiPath Test Automation using UiPath Test Suite series, part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
- CI/CD within UiPath
- End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
National Security Agency - NSA mobile device best practices
Notacon 7 - SCADA and ICS for Security Experts
1. SCADA and ICS for Security Experts: How to Avoid Cyberdouchery
James Arlen, CISA
Notacon 7 - Cleveland - 2010
2. Disclaimer
I am employed in the Infosec industry, but not authorized to speak on behalf of my employer or clients.
Everything I say can be blamed on great food, mind-control and jet lag.
3. Credentials
15+ years information security specialist
staff operations, consultant, auditor, researcher
utilities vertical (grid operations, generation, distribution)
financial vertical (banks, trust companies, trading)
some hacker related stuff like game show host, etc.
119. Credits, Links and Notices
Me: http://myrcurial.com and http://cyberdouchery.com and sometimes http://liquidmatrix.org/blog
Thanks: All of you, My Family, Friends, Jeff Moss (for demanding this talk), Kaospunk, Froggy, Tyger and the Notacon Awesome Team.
Mentors/Luminaries: D. Anderson, M. Fabro, J. Brodsky, R. Southworth, M. Sachs, C. Jager, B. Radvanovsky and J. Weiss (all from whom I borrowed material)
Inspiration: twitter, fast music, caffeine, my lovely wife and hackerish children, blinky lights, shiny things, modafinil & altruism.
http://creativecommons.org/licenses/by-nc-sa/2.5/ca/
This ISN’T a talk about SCADA so much as it is a talk about TALKING ABOUT SCADA.
Around 2005, and almost all of a sudden, the infosec industry noticed SCADA. And immediately started identifying it as a market.
Of course, the simplest explanation is always the most likely. In this case, it was all about the money - there were regulators starting to breathe heavily (NERC 1200, ISA99).
And because a packet is a packet is a packet, there were suddenly a million security experts who were also SCADA experts. Let’s not even get started on the four letter security religion people and how they jumped on this one.
At this point, I was working in control systems security -- electricity in particular -- and I spent as much free time as possible pointing out these flawed responses to a very real problem.
And then the swarm of consultants and infosec dudes and even a few dudettes showed up and started telling me everything they “knew” about control systems security.
They tied a nice little bow on my problems, and told me they could fix it - just a few blinky lights and a few more shiny things and I was going to be fine.
I told you we were going to talk ABOUT SCADA systems. Here’s the short form. LANGUAGE is important - specificity is something that engineers really enjoy. They’re kind of like car people -- and our industry has been using words like “synchro-mesh transmission” to describe “derailleur”.
Between the experts pontificating and the media eating it up, well.
Highly distributed systems used to control geographically dispersed assets (water supply systems, oil and gas pipelines, electrical power grids, railways, etc.)
Used where centralized data acquisition and control are critical or practical to overall system operation
When you’re talking about LARGE systems that are GEOGRAPHICALLY distributed and used for huge control undertakings like this... that’s SCADA.
Control Systems (CS) are used to control manufacturing processes such as electric power generation, oil and gas refineries, and chemical, food, and automotive production.
CS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized manufacturing process.
Usually found in a designated critical infrastructure sector, a control system is a collection of devices or components working together for a common process, controlled by a master entity that can direct, regulate, and refine the behavior of those devices or components through observations and commands.
These smaller and “contained” entities are the control systems -- they are generally PROCESS oriented. And we need to talk about them as separate entities. THERE ARE WAY MORE OF THESE THAN THERE ARE SCADA SYSTEMS.
This is the problem -- more than anything -- this incredible lack of understanding.
It doesn’t matter here whether we’re talking about SCADA or Control Systems... The computers are NOT that which is controlled -- and just like in so many other aspects of infosec, they are NOT the reason that YOU are involved.
“What happens when Edna falls into the reactant vessel” -- Just as you’d expect. The system STOPS. This is EXACTLY what happens when the computer breaks.
Protocols (partial list)
- E/IP
- DH+
- ProfiBus
- ANSI X3.28
- BBC 7200
- CDC Types 1 and 2
- Conitel 2020/2000/3000
- DCP 1
- DNP 3.0
- Gedac 7020
- ICCP
- Landis & Gyr 8979
- OPC
- ControlNet
- Tejas 3 and 5
- Modbus
- TRW 9550
- UCA
Mapping from the data to the process is HARD. There’s hours/days/weeks/months/YEARS of programming effort there. The protocol bitstream is just that -- a bitstream.
How do you know which device does what?
You need to find or see the mapping... not just the raw protocol data. One without the other isn’t terribly useful. Oh, I’m not kidding myself - there are some SERIOUS rockstar protocol reverse engineers out there. There are even some process reverse engineers. In all likelihood, you can BREAK the computer, but can you MAKE the computer do your bidding?
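To make the “bitstream versus process” point concrete, here is an added example (mine, not from the talk, and not any vendor’s code): it decodes a Modbus/TCP read-holding-registers exchange, which is all a packet capture gives you, and then applies a point map to turn bare register words into named process values. The frames, the register addresses and the tag map are constructed assumptions; a real point map lives in the integrator’s configuration, which is where the hours/days/weeks/months/YEARS of programming effort mentioned above went.

```python
"""Added example (not from the talk): decode a Modbus/TCP "read holding
registers" exchange, then show that the decoded words mean nothing until a
point map says which device and unit each register belongs to.
Frames and tag map below are constructed for illustration."""
import struct

# Constructed request: transaction 1, unit 1, function 3, start 100, count 3
REQUEST = bytes.fromhex("000100000006010300640003")
# Constructed response to it: 3 registers = 6 data bytes (1235, 87, 640)
RESPONSE = bytes.fromhex("00010000000901030604d300570280")
# Constructed exception response: function 0x83, code 2 (illegal data address)
EXCEPTION_RESPONSE = bytes.fromhex("000200000003018302")

# Constructed point map (assumption): register address -> (tag, unit, divisor).
# This is the part a raw capture never gives you.
TAG_MAP = {
    100: ("PT-101", "bar", 10),   # pressure transmitter, tenths of bar
    101: ("FT-102", "m3/h", 1),   # flow transmitter
    102: ("LT-103", "%", 10),     # level transmitter, tenths of percent
}


def parse_mbap(frame):
    """Split a Modbus/TCP frame into its MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    pdu = frame[7:]
    # 'length' counts the unit id byte plus the PDU
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": uid, "pdu": pdu}


def decode_read_request(pdu):
    """Function 3 request: start address and register count."""
    if len(pdu) != 5 or pdu[0] != 0x03:
        raise ValueError("not a read-holding-registers request")
    start, count = struct.unpack(">HH", pdu[1:5])
    return {"function": 3, "start": start, "count": count}


def decode_read_response(pdu):
    """Function 3 response (or its exception form) into 16-bit register words."""
    func = pdu[0]
    if func & 0x80:
        # exception: high bit set, a one-byte exception code follows
        return {"function": func & 0x7F, "exception": pdu[1]}
    if func != 0x03:
        raise ValueError("unsupported function code 0x%02x" % func)
    byte_count = pdu[1]
    data = pdu[2:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match data length")
    regs = struct.unpack(">%dH" % (byte_count // 2), data)
    return {"function": 3, "registers": list(regs)}


def interpret(request, response, tag_map):
    """Pair a request with its response and apply the point map.

    The response carries no addresses at all: only the request tells you which
    registers came back, and only the tag map tells you what they mean.
    """
    req = parse_mbap(request)
    rsp = parse_mbap(response)
    if req["transaction_id"] != rsp["transaction_id"] or req["unit_id"] != rsp["unit_id"]:
        raise ValueError("response does not belong to this request")
    ask = decode_read_request(req["pdu"])
    got = decode_read_response(rsp["pdu"])
    if "exception" in got:
        return {"exception": got["exception"]}
    if len(got["registers"]) != ask["count"]:
        raise ValueError("register count mismatch")
    result = {}
    for offset, raw in enumerate(got["registers"]):
        addr = ask["start"] + offset
        if addr in tag_map:
            tag, unit, divisor = tag_map[addr]
            result[tag] = {"raw": raw, "value": raw / divisor, "unit": unit}
        else:
            result["HR%d" % addr] = {"raw": raw, "meaning": "unmapped"}
    return result


if __name__ == "__main__":
    print("without a point map:", interpret(REQUEST, RESPONSE, {}))
    print("with a point map:   ", interpret(REQUEST, RESPONSE, TAG_MAP))
    print("exception frame:    ", decode_read_response(parse_mbap(EXCEPTION_RESPONSE)["pdu"]))
```

Run it and compare the two outputs: with an empty map the same bytes are three anonymous holding registers; with the map they are a pressure, a flow and a level with units and scaling. Nothing on the wire distinguishes the two cases, which is why the protocol decode alone does not tell you which device does what.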
And guess what - you’re in a position to break part of it.... can you break all of the additional controls that have been emplaced? ALL OF THEM?
There’s a whole additional system under local control THAT IS NOT PART OF THE SCADA OR ICS/DCS system which keeps equipment from going all Skynet/Terminator.
So say that you manage to screw up the process -- the batch you were messing with... it hits the garbage pretty hard.
Because the organization cares enough to ensure that it only sends the right product out the door.
The most interesting part is that NONE of these systems are actually autonomous - they are all predicated upon having a human element - an operator, a controller, an organic mental component...
Partly because of liability issues and partly because Bags of Mostly Water are still much better at in-situ problem solving than any of the future silicon masters currently are.
Alright. So you’re a super-hacker. YOU busted the SCADA system. You pwnd them good.
Well... here’s the thing. They plan for that to happen. Most systems can handle two simultaneous failures without skipping a beat.
Because we’re sorta used to it.
Wires come down, and they get repaired.
Pipelines break for all kinds of reasons - and they get repaired.
And nine hundred and ninety nine times out of a hundred... well, more like 99,999 out of 100,000.... you don’t feel it at all.
You’ve still got a cozy little house.
No one is wandering the streets looking for flesh to feed on.
Yup, under very controlled circumstances, with some modest efforts, and a known target surface (relatively turn-key systems -- little to no customization) it is possible to make things go BANG. Suggesting that your garden variety NOTACON or DEFCON type hacker can achieve this in an afternoon is... well. Crap.
Make sure to go all kind of drifty -- notice SOMETHING in the audience and kinda “Snap” for the next slide.
All of you are perfectly smart. You’ve just got to pay attention and focus and HEY, SQUIRREL!!!!
Since you’ve solved all of your organization’s security problems, you’ve got time.
Between the warring factions of business/asset owners, traditional IT departments and control systems IT departments...
But. Remember, you’re not the expert. Suck it the heck up. Buy some people some coffee.
EVEN though it feels disingenuous, become the student first, the teacher later.
Show a willingness to be the friend, the person who UNDERSTANDS that everyone is a unique and special person.
Ok. Here’s some things that I’ve discovered in my time as a control systems security dude.
Unions. Really. Woodshed talks down on the loading dock.
Hey, we’re in infosec, we all think we’re rock stars... right?
The VAST majority of the people that I’ve met in the control systems world would be perfectly happy with good ole 8-bit computers that knew their place in the world. You ARE the age of their kids, and therefore, you are a kid.
Yeah, you know you wanna.
UNDERSTAND the organization -- what the moving pieces are... look outside the IT department... shadow a few of the “workers” -- it’s a system like any other. Get all “Mitnick-y”.
The doors begin to open... you’re starting to get things done.
Because hey... you can learn anything fast -- you’re an infosec rockstar. Make THEM change to suit the needs of the almighty altruism -- KTLO, hold the Zombies at bay.
Just for review... because, believe it or not... you need to TEAR DOWN each of these preconceptions before you can build up what the glory of a real console feels like.
And actually, that’s the problem -- infosec people are fixated on the protocol and ignore the user interface.
Of course, you can have all different kinds of user interfaces...
And since you’ve got nothing but time... you’ve reviewed all of the log files...
And you’re just tired of doing the same ole same ole.... AND YOU’RE LOOKING IN THE WRONG PLACE FOR THE WEIRDNESS. Your effectiveness is in the toilet. Get your shit together.
And they just love trotting out these stories... kinda like the local news stations... “EXCESS DI-HYDROGEN OXIDE CAN KILL YOU... AND IT’S EVERYWHERE!!!!!!! MORE NEWS TONIGHT AT ELEVEN ON ACTION ONE NEWS!!!!!!!!”
Of course none of the 14 year olds I know (or was) are interested in world domination. They’re hormonally driven.
The conservatives want you to think of evil brown people.
But really, it’s middle aged white guys that are the hackers --- so easy a white guy can do it.
This story in the news Wednesday -- Booz Allen Hamilton has now landed the contract to build the Air Force’s cyberwar control center. For a measly $14.4 million in taxpayer money, the outfit will help build a new cyberwar bunker for the U.S. Cyber Command, a wing of the Air Force.
Additionally, Booz Allen Hamilton won another contract for $20 million to “foster collaboration among telecommunications researchers, University of Maryland faculty members and other academic institutions to improve secure networking and telecommunications and boost information assurance,” Washington Technology reports. While that might sound like a lot of money to set up a mailing list and a wiki, please don’t be cynical. Undoubtedly, McConnell’s crack team of consultants are providing the researchers with around-the-clock bodyguards and state-of-the-art bullet-proof monitors.
Of course, this is what we’re all APT fraid of.
And it’s right up near this as likely.
And well... you know the internet is out to get you.
Lack of security policy specific for control domain
• SCADA network separated only by VLANs and rudimentary ACLs
• No change management policy
• Physical security policy richly enforced (but OPSEC does not accommodate for access past defences)
• No Security Agreement (SA) with vendor, no SA with contractors
Vendor default accounts and passwords have not been changed
• Guest accounts still available
• No mechanism or schedule in place for updates/upgrades
Primary HMIs do not require username/password to get control
• HMIs may be secured physically but not electronically
• VNC enabled EWS
LOTS of “shared” networks... internet access from HMI stations
Internet access TO HMI stations
“Run your process from your blackberry!”
Absence of testing of core OS
– Standard SCADA builds are rare (unused SW remains on systems)
– No testing in place for remaining applications
• Many insecure applications within key control servers
– To aid in operator boredom
– To aid in operator net access
– To aid in data manipulation
• Assessments discovered rogue applications trying to call home
– Hostile ICMP payloads
– Covert channel over DNS
Vendor access (direct via VPN) into control network
• Access to main switch is by unsecured telnet, and main switch gives all access to all comms
– Switches use default access credentials
– Traffic is not filtered by port (i.e. port filtering is not enabled)
• No encryption or authentication on the control network
• Dynamic ARP is used with no ARP monitoring
• Firewalls have some interesting rules, sometimes very simple:
# $fw add-rule "allow udp from _any_ to _any_ 0-65535"
# $fw add-rule "allow tcp from _any_ to _any_ 0-65535"
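“Dynamic ARP is used with no ARP monitoring” is the one finding in this list that a defender can close with a few dozen lines and a span port. As an added example (mine, not the talk’s material and not any product’s code), the script below applies a static address baseline for a control segment to a constructed sequence of ARP frames and flags what monitoring should catch: a baseline IP answering from a different MAC, replies nobody asked for, one MAC answering for several baseline hosts, and new hosts appearing. The baseline IPs, MACs and events are made up for illustration.

```python
"""Added example (not from the talk): the ARP monitoring the assessment found
missing, run over a constructed capture from a small control segment.
Baseline table and events are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    ts: float         # seconds since capture start
    op: str           # "request" (who-has) or "reply" (is-at)
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed baseline (assumption): what an operator expects on this segment.
# It can be static because hosts on a control LAN rarely change.
BASELINE = {
    "10.10.1.1": "00:1b:21:aa:00:01",    # router to the corporate side
    "10.10.1.10": "00:80:f4:01:02:03",   # PLC
    "10.10.1.20": "00:0c:29:11:22:33",   # HMI
}

SOLICIT_WINDOW = 2.0  # seconds a reply may trail the request it answers


def monitor_arp(events, baseline, window=SOLICIT_WINDOW):
    """Return a list of alerts for the ARP activity in 'events'.

    Checks: a baseline IP answering with a different MAC, a reply nobody asked
    for, a MAC that has claimed more than one baseline IP, and new hosts.
    """
    table = dict(baseline)
    last_request = {}          # target_ip -> ts of the latest who-has for it
    claims = defaultdict(set)  # mac -> baseline IPs it has answered for
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.op == "request":
            last_request[e.target_ip] = e.ts
            continue
        if e.op != "reply":
            continue
        asked = last_request.get(e.sender_ip)
        if asked is None or e.ts - asked > window:
            alerts.append({"kind": "unsolicited-reply", "ip": e.sender_ip,
                           "mac": e.sender_mac, "ts": e.ts})
        known = table.get(e.sender_ip)
        if known is None:
            alerts.append({"kind": "new-host", "ip": e.sender_ip,
                           "mac": e.sender_mac, "ts": e.ts})
            table[e.sender_ip] = e.sender_mac
        elif known != e.sender_mac:
            alerts.append({"kind": "ip-mac-change", "ip": e.sender_ip,
                           "expected": known, "seen": e.sender_mac, "ts": e.ts})
        if e.sender_ip in baseline:
            claims[e.sender_mac].add(e.sender_ip)
            if len(claims[e.sender_mac]) > 1:
                alerts.append({"kind": "mac-claims-multiple", "mac": e.sender_mac,
                               "ips": sorted(claims[e.sender_mac]), "ts": e.ts})
    return alerts


HMI = BASELINE["10.10.1.20"]
# Constructed capture: a normal HMI -> PLC lookup, then a third MAC answering
# for both the router and the PLC without being asked, then a new laptop.
EVENTS = [
    ArpEvent(0.0, "request", "10.10.1.20", HMI, "10.10.1.10"),
    ArpEvent(0.1, "reply", "10.10.1.10", BASELINE["10.10.1.10"], "10.10.1.20"),
    ArpEvent(5.0, "reply", "10.10.1.1", "de:ad:be:ef:00:01", "10.10.1.20"),
    ArpEvent(5.1, "reply", "10.10.1.10", "de:ad:be:ef:00:01", "10.10.1.20"),
    ArpEvent(9.0, "request", "10.10.1.20", HMI, "10.10.1.30"),
    ArpEvent(9.1, "reply", "10.10.1.30", "00:50:56:aa:bb:cc", "10.10.1.20"),
]

if __name__ == "__main__":
    for alert in monitor_arp(EVENTS, BASELINE):
        print(alert)
```

On a real segment you would feed it decoded frames from a capture and treat the baseline as the asset inventory. The point is that a static inventory makes the check trivial, which is exactly what a control LAN, where hosts rarely change, affords; the two unsolicited replies from the same unknown MAC for the router and the PLC are the pattern you would expect from someone sitting between the HMI and both.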
Vendor provides turnkey solution in each customer location
• Commonality among deployments
– Same remote access mechanism
– Same username/password
– Same technology (brand, device, etc.)
– Same addressing schema
– Same vulnerabilities
PLCs unknowingly have embedded web servers
• PLCs have embedded webserver enabled
• Data used as a significant step in enumeration
• Compromised embedded servers allow attacker to gain highest trust level
Basic flaws in programming can be discovered and leveraged
• Vendors (proprietary) are very vulnerable
– Least privilege
– Buffer overflows (stack and heap)
– Setuid errors
– Race conditions
– Poor cryptography
– Hard coded IP space
– RPC/DCOM
– Telnet
– GUI
– Password use/storage
– File Access
– X-windows
– rsh (instead of ssh)
– sprintf / strcpy
– Accept all multicast
Really. All of that stuff is real, seen it with my own eyes.
Of course.
If we had any real “lateral thinkers” in the mix...
But none of this is rocket science. In many respects, the control systems industry is living in the past - following the minimums of a modern hardening guideline would be good -- even though you’d likely seriously break the thing you were trying to fix.
It’s just SUCK.
And the machines only do as well as their masters.
And the industry cannot seem to keep up with its own awesome. You can operate an HMI from your blackberry, and at the same time, they can’t fix the basics.
I cannot stress this point enough. Become an infovore - consume knowledge - RTFM.
Generally speaking, someone who says they are an expert REALLY isn’t. Especially if they are really REALLY proud of being an expert.
Project timelines are REALLY long, make little changes at the beginning.
People who are putting themselves ‘out there’ as the mouthpieces... even the ones with actual (albeit aged) cred... if your bullshit meter is going off, make sure other people know that. It’s on YOU to help catch and ?persecute? the charlatans out of our bidness. Call a Cyberdouche a Cyberdouche.
You are not Zero Cool, Neo, The Plague, QQQQ John Travolta’s character, or any other uber 733t dude-ette. Impress with persuasion and humility rather than wearing your bravado and hackerdouchery. Also, shameless self-promotion -- please see my previous talk on the subject.
Be the water drops. Add requirements to the procurement process -- boil the frog. Also -- get to know your procurement people -- make friends EVERYWHERE.
The overwhelming, vast, unbelievably dense history that we have as an industry is rich with comparable situations, problems found and solved, learn from them...
Once upon a time, computers did what they were supposed to do. Help us to get there again.
Thank you all so much for listening to me rant, I’m here for the rest of the day and tomorrow. Ask me anything and I’ll try to answer.
Dave Anderson, Mark Fabro, Jake Brodsky, Ron Southworth, Marcus Sachs, Chris Jager, Bob Radvanovsky and Joe Weiss