Almost 300K Awarded For ICS 0day Exploits The ZDI team brought Pwn2Own to ICS with Pwn2Own Miami at S4x20. They awarded almost $300K to researchers who were able to find and exploit 0day vulnerabilities in important ICS applications. Applications such as HMI and EWS from Rockwell Automation and Schneider Electric, OPC UA, TMW’s DNP3 stack and more.…

An Interview with Corey Thuen of Gravwell. Dale and Corey discuss the value of a normalized, taxonomized approach to SIEM, which Dr. Anton Chuvakin has famously claimed is doom to fail. Corey is sympathetic to this view and tries to explain it to Dale. The alternative is gathering and creating a data lake with more log data and pcaps that can be us…

Eric Byres, CEO of aDolus and of Tofino fame, and I discuss the top three stories from December 2020 and give a Win, Fail and Prediction. https://traffic.libsyn.com/secure/unsolicitedresponse/21-1_December.mp3 Topics: The Solarwinds hack Dragos raising $110M in venture funding The minimal number and damage from cyber attacks on ICS in 2020 The post…

Jason Nations and I go over October’s top three stories plus our Win, Fail and Prediction of the month. https://traffic.libsyn.com/secure/unsolicitedresponse/2020-24_October.mp3 Top Stories 1. Six Sandworm attackers from Russia charged. Why was this done now and what does it accomplish? 2. More ICS vendors announced security services (ABB and Sieme…

The ICS Security Month in Review episodes cover two to three big stories from the month plus a win, a fail and a prediction. This month’s stories include: S4x21’s cancellation and S4x22 dates (7:01) Ransomware in ICS (12:30) SCIDMark and other ICS cyber incident databases (16:50) Is the Airgap myth still believed by asset owners? (21:51) Wins, Fail…

Detecting Triton Type Attacks In this episode I talk with Otis Alexander of MITRE about ATT&CK for ICS Evaluations. We begin with a discussion on ATT&CK and the ICS version of ATT&CK. If you are familiar with this, skip to 17:09 where we begin our discussion on the upcoming evaluations. https://traffic.libsyn.com/secure/unsolicitedresponse/20-22_AT…

Most of the OT Detection and Asset Management solutions have developed ‘integrations’ with SIEMs, with Splunk and QRadar being the most common. I put integrations in quotes because they did little more than push alerts and events to the SIEMs with little context. This all changed with Splunk announcing their OT Security Add-On last month. In this e…

We hear it all the time. OT is different than IT, and IT doesn’t understand OT. People argue about IT/OT convergence. In all these discussions I believe two things are true. OT doesn’t really understand IT, and the similar, but not identical, requirements that mission critical IT has. OT can actually learn a lot from IT. So I wanted to discuss this…