Latest Posts and News

Wrap it in TLS? - S4x18

At S4x19, Adam Crain and David Smith of Schneider Electric debated whether the control system community should wrap protocols in TLS, or take a more nuanced approach.

Quantum Key Distribution - S4x18

At S4x18, Adam Crain and Duncan Earl of Qubitekk discussed the benefits of using quantum key distribution (QKD) in ICS. Duncan leads out with an accessible explanation of how QKD works. Adam follows by talking how the keys produced in a QKD system are applied in practice in the SSP21 protocol.

Secure Scada Protocol for the 21st Century (SSP21)

Adam presented at about SSP21 at 4th Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems, Stockholm, Sweden, 24 –26 October 2017.

Project Robus

This post is a historical summary of Project Robus with a table of advisories ported from Automatak.com

Complexity vs Security

Historical Note: This post originally appeared on Automatak.com. The title has been changed. The DNP UG recently published a statement regarding the rash of DNP3 advisories from ICS-CERT. Generally, I agree with their statements. There is nothing wrong with the specification in the perfect world of specifications. In theory, a developer should be able to write a flawless implementation of the protocol. In practice, however, something quite different has been demonstrated.

DNP3 SAv5 and TLS: Different trust boundaries

Historical Note: This post originally appeared on Automatak.com. Subsequent analysis under a DHS grant, changed my opinion on DNP3 SAv5 substantially. There is a good paper published by IEEE S&P available here that I co-authored with Sergey Bratus that better summarizes my technical opinion of DNP3 SAv5. The purpose of this post is not to compare the merits of SAv5 vs. TLS, but rather to point out how the security concept of trust boundaries is applied to the analysis of dnp3 implementations themselves.