Latest Posts and News
Quantum Key Distribution - S4x18
At S4x18, Adam Crain and Duncan Earl of Qubitekk discussed the benefits of using quantum key distribution (QKD) in ICS. Duncan leads off with an accessible explanation of how QKD works. Adam follows by talking about how the keys produced in a QKD system are applied in practice in the SSP21 protocol.
Complexity vs Security
Historical Note: This post originally appeared on Automatak.com. The title has been changed. The DNP UG recently published a statement regarding the rash of DNP3 advisories from ICS-CERT. Generally, I agree with their statements. There is nothing wrong with the specification in the perfect world of specifications. In theory, a developer should be able to write a flawless implementation of the protocol. In practice, however, something quite different has been demonstrated.
DNP3 SAv5 and TLS: Different trust boundaries
Historical Note: This post originally appeared on Automatak.com. Subsequent analysis under a DHS grant changed my opinion on DNP3 SAv5 substantially. There is a good paper published by IEEE S&P available here that I co-authored with Sergey Bratus that better summarizes my technical opinion of DNP3 SAv5. The purpose of this post is not to compare the merits of SAv5 vs. TLS, but rather to point out how the security concept of trust boundaries is applied to the analysis of DNP3 implementations themselves.