SCADA Security Hack Chat

There's a lot of infrastructure out there

Wednesday, July 14, 2021 12:00 pm PDT Local time zone:
Hack Chat
Similar projects worth following

Éireann Leverett will host the Hack Chat on Wednesday, July 14 at noon Pacific.

Time zones got you down? Try our handy time zone converter.


As a society, we've learned a lot of hard lessons over the last year and a half or so. But one of the strongest lessons we've faced is the true fragility of our infrastructure. The crumbling buildings and bridges and their tragic consequences are one thing, but along with attacks on the food and energy supply chains, it's clear that our systems are at the most vulnerable as their complexity increases.

And boy, are we good at making complex systems! In the United States alone, millions of miles of cables and pipelines stitch the country together from one coast to the other, much of it installed in remote and rugged places. Such far-flung systems require monitoring and control, which is the job of supervisory control and data acquisition, or SCADA, systems. Industrial Control Systems is another moniker with a large overlap to SCADA.These networks have grown along with the infrastructure, often in a somewhat ad hoc manner, and given their nature they can be tempting targets for threat actors.

Finding ways to secure such systems is very much on Éireann Leverett's mind. As a Senior Risk Researcher at the University of Cambridge, he knows about the threats to our infrastructure and works to find ways to mitigate them, or predict the impacts. He's in the top ten most-cited cyber risk authors according to Google Scholar, but he's not just an academic! He is also a founder of two companies specializing in cyber risk: Concinnity Risks and

His book Solving Cyber Risk lays out a framework for protecting IT infrastructure in general. For this Hack Chat, Éireann will be addressing the special needs of SCADA system, and how best to protect these networks. Drop by with your questions about infrastructure automation, mitigating cyber risks, and what it takes to protect the endless web of pipes and wires we all need to survive.

  • Hack Chat Transcript, Part 4

    Dan Maloney07/14/2021 at 20:35 0 comments

    eireann.leverett1:14 PM

    Patrick C Miller1:14 PM
    In addition to many other things. Seems like a simple idea but why the hell haven't I ever thought of that?

    anfractuosity1:14 PM
    are there any recommended formats for SBOM?

    eireann.leverett1:15 PM
    I suspect you did, but there's too many threads to chase

    eireann.leverett1:15 PM
    I got a year of free thinking at airbus

    eireann.leverett1:15 PM
    it did take about 6 months to break the noise floor of the predictions (augmented dickey fuller suggested 3 month was a limit)

    Patrick C Miller1:16 PM
    No... I love to claim I did but that one skipped me. I need to add this idea to some models.

    Dick Brooks1:16 PM
    @anfractuosity - yes SPDX and CycloneDX,

    eireann.leverett1:16 PM
    turns out old WW2 stats and little

    eireann.leverett1:16 PM
    Little's law did the tirck

    eireann.leverett1:16 PM
    Airbus owns the IP, but we agreed to publish most of it, and I can talk freely sometime about where it will go.

    Patrick C Miller1:17 PM
    @anfractuosity there are a few formats/frameworks. Depends on how you will be using it. Some are also in development.

    eireann.leverett1:17 PM


    Average frequency and duration of electric distribution outages vary by states

    Interruptions in electricity service vary by frequency and duration across the many electric distribution systems that serve about 145 million customers in the United States. In 2016, customers experienced an average of 1.3 interruptions and went without power for four hours during the year.

    Read this on Eia

    andypugh1:17 PM
    Pylons are nice, but I miss A website about the infrastructure access stairs on motorways (freeways). They all need to be designed, and cost many tens of thousands of (currency units) each. And you don't see them until someone mentions them to you.

    eireann.leverett1:18 PM
    Love this!

    Dan Maloney1:18 PM
    EIA is a great resource. I used them for the piece I wrote on petroleum pipelines, and a new piece coming out tomorrow on "Black Starts" for the grid

    eireann.leverett1:18 PM
    Is DNS infrastructure? :D

    eireann.leverett1:19 PM
    oooooh, I love that you're writing a blackstarts piece

    Dick Brooks1:19 PM
    DNS is Critical infrastructure I'd say!

    Patrick C Miller1:19 PM
    @anfractuosity I am partial to the SBOM Energy stuff being done through the DOE/INL/NTIA

    eireann.leverett1:19 PM
    You might like this simulation approach we made:

    Dan Maloney1:19 PM
    Thanks, I hope I do the topic justice. I only have 1500 words or so, tough to put in much detail.

    eireann.leverett1:19 PM
    Not so much about blackstarts but estimating the impact of outages on say transport

    Galactic creature 421:20 PM
    @eireann.leverett Eye of the Lucifer…. The hotest hell…. (would be my answer) 🤣🤣🤣

    Dick Brooks1:20 PM
    My company is participating in the SBOM POC hosted by INL, usign the SAG-PM software representing a well known utility in hte mid Atlantic area

    eireann.leverett1:20 PM
    doing intersectoral stuff is super hard, but the oxford team came up with a cool voronoi decomposition to estimate substation outage effects on train stations

    Dick Brooks1:22 PM
    I think aDoulus is wrokign with OSIsoft on the software vendor side. REA is working on the consumer side of the SBOM POC

    Patrick C Miller1:22 PM
    aDolus is doing some great stuff.

    eireann.leverett1:22 PM
    I guess if the talk is over, me and Patrick can have a whisky?

    eireann.leverett1:23 PM
    I've got an "Emergency Decadence" at hand.

    Patrick C Miller1:23 PM
    Cheers, old friend. We need to do that sometime soon.

    eireann.leverett1:23 PM

    Dick Brooks1:23 PM
    I agree @Patrick C Miller they are one of only a handful oc C-SCRM vendors with the ability to process NTIA SBOM's. Microfot gobbled up Refirm Labs and IBM gobbled up BoxBoat. C-SCRM is becoming a thing

    Galactic creature 421:23 PM
    A wiseman said: To make critical damage...

    Read more »

  • Hack Chat Transcript, Part 3

    Dan Maloney07/14/2021 at 20:33 0 comments

    Galactic creature 4212:52 PM
    anomies = anomalies ;)

    andypugh12:52 PM
    @Dan Maloney I am thinking that there might be a Hackaday article just in this bibliography

    Patrick C Miller joined  the room.12:52 PM

    Dan Maloney12:52 PM
    @andypugh - You may be right about that

    toet12:53 PM
    leverage your engineer, sit next to them learn everything from them these people know more than the average plant worker keep these people close and than make the frontrunners

    eireann.leverett12:53 PM
    I used to start with doughnuts and coffee. By which I mean getting to know them better without asking anything. Then find some of their problems and help them solve it. Introduce security tools as ENGINEERING tools. For example, I taught the change management team to get hashes of firmware for CHANGE MANAGEMENT LOGS, and only then did I show them the value for security.

    Galactic creature 4212:53 PM
    @toet will take this approach and try it

    toet12:53 PM
    this everyday

    eireann.leverett12:54 PM
    Also, understand that risk officers have to choose between a thousand "could happens". if you can quantify the impact then they start to pay attention.

    DM12:54 PM
    That's great, thanks!

    eireann.leverett12:55 PM
    there's a subtle point need (as security people) to have SOMEONE in risk meetings...not just to amplify your risks, but also to prevent other risks destroying good security where it does exist.

    toet12:55 PM
    most of all take the time to learn and like @eireann.leverett said coffee will get you a headstart

    eireann.leverett12:55 PM
    let me give you an example:

    eireann.leverett12:56 PM
    A unamed Norwegian electrical provider that existed since the sixties basically had a phone network because for safety reasons they needed a phone in every substation.

    eireann.leverett12:56 PM
    it was old school copper pair

    eireann.leverett12:56 PM
    so far so good, then it's 2000 and the CFO wants to save money and upgrade things, so they switch to IP telephony

    eireann.leverett12:57 PM
    I mean why run a telephone company when you don't need to? All those copper repairs are expensive.

    eireann.leverett12:57 PM
    Cue to talented and handsome penetration testers with hard hats and moustaches and viola, every time we pwned an IP phone we got a substation for free.

    eireann.leverett12:57 PM
    What my point?

    eireann.leverett12:58 PM
    A security person needed to be in ther telling the CFO and CRO why IP telephony could become a problem.

    Galactic creature 4212:58 PM
    Got it.

    eireann.leverett12:58 PM
    You wouldn't have gone to that meeting as a security person, so someone needs to be in all those boring risk meetings :D

    Galactic creature 4212:59 PM
    Lol exactly

    eireann.leverett12:59 PM
    Incidentally, norwegian hackers are off the hook and greetz to Hackeriet ;)

    Patrick C Miller12:59 PM

    eireann.leverett12:59 PM



    Norsk Blog Wiki 2021-06-22: Hackeriet has carefully reopened since the COVID-19 situation has improved in Oslo. All creatures welcome! 2021-05-26: Our IRC channel #oslohackerspace has moved to Stay safe, and be excellent to each other! Hackeriet is a community operated hackerspace in Oslo where people tinker with software, networks, art and hardware, learn from each other.

    Read this on Hackeriet

    eireann.leverett12:59 PM
    Loving it Patrick!

    eireann.leverett12:59 PM


    S4x22 ICS Security Event

    Set free a conservative, slow moving, change resistant community to discover new ideas and come up with innovative ways to use these new ideas to deploy secure, resilient and better ICS. 719 of the world's best in OT and ICS Security attended S4x20. S4x21 was lost to Covid.

    Read this on S4xevents

    eireann.leverett12:59 PM


    CS3STHLM | Home

    The Premier Cyber Security Conference for ICS/SCADA and Critical Infrastructure The Summit CS3STHLM - the Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems - is...

    Read more »

  • Hack Chat Transcript, Part 2

    Dan Maloney07/14/2021 at 20:31 0 comments

    Bill S12:25 PM
    @primetimber Ture, Then when everything goes to hell, the board gets a new CEO who says that last guy was the worst and continues to do nothing. Think VW

    Chris Ryding12:25 PM
    Where do you tend to see more security vulnerabilities - insecure devices, poor configuration/management, or both?

    eireann.leverett12:25 PM
    It covers a crazy history of electrical systems, automotive safety, and medical safety.

    Mr.Unbekannt2.012:26 PM
    Would the benefits of airgapping outway the ease of maintenance and datatransfare? Or is it not possible for infrastructure to work like an island?

    eireann.leverett12:26 PM
    Then goes on to regulatory and certification approaches.

    eireann.leverett12:26 PM
    On the airgapping debate, Ronnie knows where I stand :D

    eireann.leverett12:26 PM
    Though I guess it's worth repeating....

    Galactic creature 4212:26 PM

    adamskhan12:27 PM
    Always good to airgap but typically, hardly practical?

    eireann.leverett12:27 PM
    Airgaps are mostly myths in practice. They seem easy to maintain and they're not. For example, how are you going to check any SSL/TLS certifitcate in an airgap?

    eireann.leverett12:27 PM
    They are very very dangerous to the mind...too.

    DM12:28 PM
    How so?

    Bas Withagen12:28 PM
    also, how would you get status accross an airgap?

    adamskhan12:28 PM
    People get a false sense of security, I've seen that before

    Dick Brooks12:28 PM
    CRL verification would be challenging

    eireann.leverett12:28 PM
    Largely my "coming of age" story in this industry was older engineers telling me we didn't need software security practices because it was all airgapped.

    Damir Diminić12:28 PM
    From the security perspective (aside from regulations and certifications), what are your thoughts about using cheap SBCs instead of high priced VPN routers (+ even more expensive "access servers") to connect dislocated PLCs to a central SCADA?

    As far as I saw, those "premium" devices mostly use OpenVPN which is a breeze to configure today (with a bit of fiddling with iptables).

    So does it make sense to pay for those industrial routers today?

    Dick Brooks12:28 PM
    Then came 802.11

    Bill S12:29 PM
    What happens is that you do just 1 connection to the air gap with a network device that never gets updates or is ever looked at again

    eireann.leverett12:29 PM
    I knew it wasn't true, and those airgaps were becoming an impediment to real improvements and innovations.

    eireann.leverett12:29 PM
    So I set out to prove people wrong in 2010.#

    toet12:29 PM keeps track on what new vulnerabilties have been released

    eireann.leverett12:29 PM

    Read this on Cam

    eireann.leverett12:29 PM
    This is the result of that effort.

    eireann.leverett12:30 PM
    I was kind of an angry hacker back then :D

    adamskhan12:30 PM
    Is the document safe :p

    Galactic creature 4212:30 PM
    Imho - 100% airgap is not possible these days. But -> connecting OT to internet having sensitive devices accesible from anywhere…. That’s bad idea :) Anyway - airgap means can be achieved but it costs extra money (nuclear powerplants do have airgapped systems)

    eireann.leverett12:31 PM
    Absolutely. The reaon it's a bad idea is because the vendors thought it was THE idea.

    eireann.leverett12:31 PM
    An airgap for most people is no ethernet

    eireann.leverett12:32 PM
    i'm afraid you still need to get data on and off the system. Ladder logic needs loaded on the PLCs somehow.

    primetimber12:32 PM
    What about tools like this one?

    Dick Brooks12:32 PM
    Today, they push software updates to jet fighters in flight, turns out air is a pretty good medium for communications.

    eireann.leverett12:32 PM
    So I prefer people do better checking on inputs and outputs. Don't get me wrong if your airgap really is part of defense in depth cool...but if it's your only defence....I get cranky.

    russell paul12:33 PM
    even when I think a system is air-gapped, a technician decides to connect...

    Read more »

  • Hack Chat Transcript, Part 1

    Dan Maloney07/14/2021 at 20:27 0 comments

    Dan Maloney12:00 PM
    OK, let's get going. Welcome, one and all, and thanks for coming out today. I'm Dan and I'll be moderating today with Dusan as usual as we welcome Eireann Leverett to the Hack Chat to talk about SCADA Security. I've really been looking forward to this as infrastructure security has been much on my mind lately.

    Lord3nvy joined  the room.12:00 PM

    khannon joined  the room.12:00 PM

    Dusan Petrovic12:00 PM
    Hello everyone!

    Jason Kirkpatrick joined  the room.12:01 PM

    Dick Brooks12:01 PM
    Great workshop on ransomware hosted by NIST and NCCoE today - just ended;

    Dan Maloney12:01 PM
    Welcome Eireann, and please accept my apologies in advance for any fat-finger mistakes on your name

    Dale Hoyum joined  the room.12:01 PM

    eireann.leverett12:01 PM
    It's not an easy type is it?

    Dan Maloney12:02 PM
    So many vowels...

    Can you start us off with a brief intro?

    eireann.leverett12:02 PM
    Fun fact; Eireann is Irish for Irish.

    andypugh12:02 PM
    And diacriticals....

    eireann.leverett12:02 PM
    indeed, though I never complain if people leave the fada out.

    eireann.leverett12:02 PM
    (the accent)

    Dan Maloney12:02 PM
    I know, I feel bad for not including those. But keeping up with the letters is tough enough for my fingers as it is.

    Nathan joined  the room.12:03 PM

    JImmyMoe12:03 PM
    RE: Dan Maloney

    1:55 PM

    Hey @JImmyMoe - doesn't ring a bell right off, but I know we've covered a ton of projects like that. I'll see if I can dig something up...

    Thanks you so much Dan! I would so appreciate it.


    Ron Fabela joined  the room.12:03 PM

    eireann.leverett12:03 PM
    So brief intro: I have been doing security since about 2005, with some enthusiasm for phones before. I think I got an early insight into SCADA or ICS security because I grew up for a time in Ohio.

    Mr.K. joined  the room.12:04 PM

    eireann.leverett12:04 PM
    My grandparents owned a farm, and I spent summers there. There were many stories of burning rivers from industrial pollutiion.

    eireann.leverett12:04 PM,had%20caught%20fire%20since%201868.


    "The River Caught Fire": The Cuyahoga River Fire of 1969

    A series of articles exploring historical events that provide an important lesson for ensuring a more sustainable and healthy environment. Originally published as a bulletin feature for the newsletter of CHE-WA (Collaborative on Health and the Environment, Washington State chapter); produced by Steven G. Gilbert. Oil spills and oil fires are nothing new.

    Read this on Healthandenvironment

    eireann.leverett12:05 PM
    They even named a beer after it as I got older: Burning river pale ale.

    toet joined  the room.12:05 PM

    Levi joined  the room.12:05 PM

    toet12:05 PM
    Good evening all

    Dan Maloney12:05 PM
    Yeah, it wasn't a good period

    eireann.leverett12:05 PM
    So my point is, at a very young age I had a sense that industrial systems could have big impacts.

    adamskhan joined  the room.12:06 PM

    Bill S12:06 PM
    Hello all

    Levi12:06 PM
    Hola amigos

    eireann.leverett12:06 PM
    Like most people in my twenties I didn't know what I wanted to do. Eventually, after trying many jobs, i ended up studying AI and Software Engineering in Scotland. From there I worked for GE Energy on software that controled distribution grids. Mostly Energy, but some water too.

    eireann.leverett12:07 PM
    That was my introduction to SCADA, and then I started doing vuln management and secure coding team building for them with my main hard hat hacker Colin Cassidy.

    toet12:08 PM
    are you still in electric ?

    eireann.leverett12:08 PM
    No. Or rather not directly.

    eireann.leverett12:09 PM
    From there I ended up going to Cambridge, and then penetration testing at IOActive.


    Read more »

View all 4 event logs

Enjoy this event?



Interested in attending?

Become a member to follow this event or host your own