Friday, February 5, 2016

Experts compete to find Ukraine grid hack 'smoking gun'

Following article has been re-published with the permission of Energy Wire 
(original text available at

Experts compete to find Ukraine grid hack 'smoking gun'Blake Blake Sobczak, E&E reporter
Published: Monday, February 1, 2016

A six-hour blackout in western Ukraine has continued to puzzle investigators weeks after the lights came back on.

The Dec. 23 power outage in Ukraine's Ivano-Frankivsk region was minor by most standards, severing electricity to 80,000 households. Half a world away, windstorms were busy knocking out power to more than twice as many utility customers in northern Michigan.

But Ukraine's outage that day resulted from a complex attack combining malware, a flood of telephone calls and, perhaps, a few unwitting accomplices in grid control centers.

Ukrainian officials are dissecting the BlackEnergy strain of malware found to have infected energy, media and government organizations across the country. Authorities haven't yet offered a detailed account of Dec. 23's events, so security researchers have pieced together their own -- sometimes competing -- versions of what happened.

Friday, January 16, 2015

A unique opportunity to learn both ICS implementation and cyber security skills is now available !!!

The interest in the intense, immersion 10-day program on ICS implementation and security has been overwhelming. This course is not currently scheduled for public offerings. However ... Joel Langill (founder of has joined forces with leading system integrator Lin & Associates of Phoenix, Arizona to offer a unique opportunity to learn the basics of ICS configuration and operation, in a public 3-day workshop scheduled for March 3-5 (optional 1-day ICS workshops available on March 6). These 4-days provide both lecture and hands-on modules, and provide an opportunity for attendees to get "up close and personal" with the systems really used to control critical infrasturture. No virtual PLCs, Raspberry PI, or "toy" SCADA equipment - real ICS equipment used at the heart of the industrial automation and control industry.

Thursday, July 10, 2014

Cyber Espionage Campaign Hits Energy Companies

Over the past couple of weeks, cybersecurity vendors have announced the uncovering of a successful cyber espionage campaign carried out by the Dragonfy hacking group. In the most recent string of attacks, Dragonfly (also referred to by the name Energetic Bear) has targeted multiple US and European energy companies, successfully looting valuable process information in what appears to be the next step in the cyber warfare campaign against critical infrastructure organizations, after Stuxnet in 2010. Cybersecurity vendors have scrutinized the campaign and presented an analysis of the malware employed by Dragonfy to steal information from the infected computers.

Yesterday, a short paper I co-authored with Security Matters was released. This short paper revisits the main points of this investigation, including additional details into the specifics of the components of the campaign that exploit industrial control systems. This paper also illustrates why the implementation of a defense-in-depth (DiD) strategy is key to successfully counter cyberthreats like Dragonfly. One of the key aspects of improved DiD involves improving situation awareness within industrial architectures. SilentDefense ICS is one key element in the overall process of gaining insight into your ICS architectures allowing early detection and rapid mitigation of cyber threats.

A complete copy of the paper is available by clicking here.

I am currently actively engaged in research of the campaign and the malware employed. In the coming weeks, I will also be releasing another paper that will discuss in details the overall campaign, how the various pieces of the attack are being deployed, and how they are being used against companies relating to industrial automation and control. Stay tuned to and follow watch my Twitter feed for additional release details.

Tuesday, July 1, 2014

DragonFly/Havex Resource Page Now Available on

Today, I am happy to announce the launch of a new page on devoted to provided timely and relevant information relating to the Dragonfly/Havex campaign. Like resource pages developed in the past for Stuxnet and Duqu, this page will provide a one-stop location for key resources pertaining to industrial control systems as used in this campaign, including Technical Reports, White Papers, ICS-CERT Advisories and Alerts, Press Reports, and other pertinent information.

The site will also include a dynamic Twitter feed tracking related posts utilizing hashtags #havex, #dragonfly, and #energeticbear.

If there is anything that you find that could be of use to the general community, please feel free to share this by sending me an email.

Dragonfly/Havex Resource Page on

Monday, May 5, 2014

Presentation for upcoming ICSJWG "Can you hear me now? Standing up a Security Event Management System to improve Situational Awareness"

I am honored to again be presented at the Industrial Control System Joint Working Group (ICSJWG) meeting scheduled for June 3-5 in Indianapolis, Indiana. I will be participating in a panel discussion on Heartbleed and its impact to control systems where I will be sharing some of my research findings and sharing with you my point-of-view based on ICS systems at large.

I will also have a session presentation entitled "Can you hear me now? Standing up a SEM to improve Situational Awareness". This sessions in tentatively scheduled for Wednesday, June 4 at 1:00-2:00pm.

I am looking forward to seeing many of you

Thursday, April 17, 2014

Why "Heartbleed" will only require a Band-Aid in more most ICS installations

(This article was originally posted on ISSSource on April 16, 2014 by Gregory Hale with contributions from Joel Langill)

Heartbleed may need a band aid to fix various small wounds in the industrial control environment, but it surely does not need open heart surgery.

Tuesday, March 18, 2014

Recent development of ICS exploits continues upward trend of security research

In performing my daily rounds on news feeds and websites, I noticed a lot of recent developments in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems in terms of both vulnerabilities disclosed and the ease in converting these proof-of-concept (PoC) disclosures into workable exploit modules.