SCADApedia

Archive for 'IDS / IPS'

Bandolier Course Outline

We are offering our Advanced Training Course on April 5th in San Antonio to make it convenient for those attending ICSJWG’s Spring Meeting on April 6 – 8. The afternoon module is on using and customizing our SCADA IDS preprocessors, plugins and signatures developed with funding from a DHS S&T contract.
The morning module will [...]

SCADA Enhancements for Snort – Part 1

In mid-December we completed the Quickdraw project, which creates security events for legacy PLCs that lack a security event logging capability. In the following weeks I will write a blog series on Quickdraw, but a lot of this work involves adding SCADA preprocessors and plugins to Snort. So let’s start with a SCADA Snort blog [...]

S4 Preview: Leveraging Determinism in Industrial Control Systems for Advanced Anomaly Detection and Reliable Security Configuration

I will be previewing some of the papers and presentations in this year’s S4 over the next few weeks.
Digital Bond’s 4th Annual SCADA Security Scientific Symposium [S4] is being held January 20 – 21 in warm and sunny Miami Beach. S4 is a bleeding edge research event where technical papers are presented in detail to [...]

OISF Meeting and the next generation of open source IDSs

Last week I had the opportunity to attend the first public planning/brainstorming session for the DHS seeded Open Information Security Foundation and their next generation IDS project. Lots of good discussion, with the first couple hours focusing on the foundation itself, and the rest of the day was spent discussing various features that would be [...]

Beta Release: SCADA IDS Preprocessors

We are pleased to announce the beta release of some Quickdraw software components today. Quickdraw is a Digital Bond research project funded by the US Department of Homeland Security (DHS). This beta release is the first three SCADA IDS preprocessors that were the crux of the Quickdraw project. They are:

DNP3
Ethernet Industrial Protocol (EtherNet/IP and [...]

Tapping Control System Networks

Richard Bejtlich asks the question “Why Network Taps?” over at the TaoSecurity blog this week. I’m a huge fan of network taps for IDS, general monitoring and troubleshooting. It’s hard to beat the visibility a tap provides at your network entry and exit points. Bejtlich spells out several reasons why taps are a good idea [...]

Finding The Fox In The Hen House – Practical Tips

Let’s face it, no matter how hard we try, or how elaborate the defense, sometimes the fox gets in the hen house (Or sometimes it just eats at McDonald’s). When I was in college taking a computer systems design course my professor stated that computer technology is invented in fits and starts. For [...]

Updated Citect Snort Signature

I took some time to circle back to the Citect ODBC vulnerability and the signature we released for it a couple weeks ago. After talking to some others in the community and taking another look at things it looks like there was some evasion for the previous signature. The first signature we released should alert [...]

IDS Signature for Wonderware Suitelink Vuln

We have added a new category of signatures to our SCADA IDS Signatures. Previous categories are protocol based: Modbus TCP, DNP3 and ICCP. The latest category is Vulnerability Exploit. Signatures in this category identify exploit attempts on disclosed vulnerabilities in control system applications or devices.
We will write these signatures if enough information has been disclosed [...]

IDS Signature for Citect Vuln

As Daniel Peck noted in a blog entry yesterday, the Metasploit module exploiting the Citect ODBC vulnerability is out and there was a related spike in traffic on that port.
Daniel has developed and tested a Snort rule to detect this attack.
alert tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 (msg:"CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; byte_test:4,>,399,0; dsize:4; [...]