Discover and read the best of Twitter Threads about #s4x19
Most recents (5)
This was a fav session from #S4x19. I think @stvemillertime made several GREAT points about why IT Security techniques are important when defending OT environments. 1/n
9:48-10:22: If you want to detect an ICS attack as far left of boom as possible, you should look for the IT attack first. (Looking for the OT attack is dangerously late-stage.) 2/n
8:30-9:26: In the Triton attack, 99 compromised machines were Windows servers or workstations. Only 1 was the safety controller... 99% of detection opportunities are conventional detection opportunities. 3/n
The moment we’ve (@DragosInc at least) have been waiting for...the S4 ICS Threat Detection results. #S4x19
All the competitors in the space were invited. In the end, three stepped up. Kaspersky ICS, an open source tool team by an ICS sec analyst from an asset owner/operator, and Dragos. Because the others didn’t participate it turned from a competition to more of an evaluation #S4x19
“Claroty and Dragos stepped up early. We reached out to 20+ of the vendors and they all said no.” @digitalbond then notes that Claroty backed out a few weeks before the competition so it morphed to an evaluation. The challenge kicks off with Ron who put 500+ hours into making it
Today at #S4x19, @electricfork and I debated different sides of "if OT tools and talent are needed to detect attacks on ICS." Some thoughts on ICS attacks and #TRITON in a tweep thread.
For the debate, I'm not convinced either way because there are few *public* intrusion data sets for either side of the argument. I think peeps are over it now, maybe no point to sharing this, but to get the convo started let's dump/share some rando #TRITON #TRISIS TTPs.
.@FireEye blogged/presented about #TRITON and some of the incident response activities in depth by @voteblake and friends in late 2017, fireeye.com/blog/threat-re… and
The secret #S4x19 talk on TRISIS (TRITON) is Julian who was an incident responder at Saudi Aramco who led the incident response (Aramco wasn’t the victim). He’s not revealing new info but is giving lessons learned from his first hand experience.
Notes there were multiple outages associated with TRISIS. First attack was June 2017 on a Saturday evening. One ESD controller impacted and DCS didn’t reflect the unsafe condition (quoting his slides).
Schneider checked the controller and didn’t identify the attack. Deemed it normal. Recommended restoring operations. Second outage occurred in 4th of August on Friday evening. Multiple controllers impacted across multiple phases of plant (six controllers).
Howdy y'all! In this friendly little tweety-box thread, I'd like to share my new project with you. It's called the GoodWatch, and it will be next month at Shmoocon. 1/n 
I began by measuring the pinouts of the LCD and keypad of the Casio 3208 watch module, shown on the right, and cloning them into my own GoodWatch10 PCB on the left. The sticky notes let me distinguish COMMON from SEGMENT pins in the LCD, so that my wiring would be correct. 2/n
The CC430F6137 that I chose can't quite control all of the pixels, but with three commons and all available segment pins, I was able to get everything except for the day-of-week pixels in the upper right corner. 3/n
