
Monday, 27 April 2015

S3VLC – SCADA Software Security Verification Life Cycle

Taking a different approach on securing application

Introduction

Heartbleed, Shellshock and POODLE were some of the most talked-about vulnerabilities of 2014. We live in an Internet era in which not a day passes without a new vulnerability being found or an organization being compromised. Things get worse when such vulnerabilities are used as weapons against critical infrastructure. As Wikipedia defines it, critical infrastructure consists of the assets that are essential to the functioning of a country's economy and society [1]. If an attack on our critical infrastructure were to happen and, worse, succeed, it would definitely impact the country, from the savings in our banks and transportation on the roads to the distribution of the gas, water and electricity we need every day.


This post intends to share the problems found in the majority of critical organizations' systems, the reports in the news, the challenges faced by software developers, and how introducing a process called S3VLC can help protect critical organizations.

Attacks on Critical Infrastructure

On November 18th 2011, reports stated that a group of foreign hackers was targeting U.S. water plants. It was said to be the first known cyber-attack that damaged water and electricity distribution systems [2]. On June 30th 2014, Symantec uncovered a malware campaign by a group called Dragonfly which compromised more than a thousand power plant systems [3]. On April 4th 2012, according to DHS, America's water and energy utilities faced daily cyber espionage and DoS attacks against their industrial control systems [4].

Problems in Software Security

These cyber-attacks are not surprising, especially when vulnerabilities are constantly being found in these critical infrastructure systems. On October 18th 2013, researchers in the US found over 25 security vulnerabilities in SCADA systems [5]. On September 18th 2014, 3 security holes were found in commonly used SCADA software from Schneider Electric [6]. And, according to Darlene Storm, a security blogger for Computerworld, hackers took advantage of such holes to take full control of critical infrastructure [7].

"On average over 70% of IT Security budget is spent on Infrastructure, yet over 75% of attacks happen at the Application level." - Rob Labbe (Microsoft SDLC for IT)

SDLC

SDLC, or Software Development Life Cycle, is a process for planning, creating, testing and deploying an information system. In the SDLC, security has never been part of the process, which makes the application stable but insecure. A recent article from The Register states that 80% of application developers suck at securing clients' data [8]. This is not a surprise, since the majority of application developers are good at exactly that, developing applications, and at nothing else, so security is never part of the process. Adding security to the SDLC is slowly being adopted by application developers and software companies; however, due to constraints in time, tools and budget, only a small part of the security work actually makes it into the process [9].


Secure Source Code Review

One of the earliest starting points for an SSDLC is the introduction of secure source code review. Using manual review or automated analysis tools, code reviewers analyse source code to find security flaws. This stage allows reviewers to find issues such as buffer overflows, SQL injection flaws and cross-site scripting, all of which can be tackled before final compilation.

Challenges

There are a number of challenges at this stage. One is the time constraint: with a manual approach, it is extremely difficult to look through thousands or even millions of lines of code. If an automated approach using tools is adopted instead, the chance of false positives is high, and many potential vulnerabilities, such as authentication problems and access control issues, are hard to flag.

Transparency of SSDLC

One of the biggest challenges for clients purchasing SCADA software is that they cannot know the contents of the software and have no transparency into whether a proper SSDLC process was adopted during its development. To add to these woes, many critical organizations using SCADA applications have little or no security team in place to ensure the 'cleanliness' of the software, and little or no expertise to test how reliable its security is.

Without a proper security verification check, engineers and operators put themselves at risk by installing the software in their production environment, allowing potential known and unknown vulnerabilities to lurk in their environment, waiting to be exposed or exploited.

Another challenge is that clients are usually not provided with the source code of the application by their vendors, for many reasons, one of them being the potential leakage of the source code to competitors or online.

Current Vendor to Client Cycle

 

Fig 1: Vendor-Client cycle

S3VLC

S3VLC, or SCADA Software Security Verification Life Cycle, is a process that allows organizations to test and check the security of their applications using binary analysis and fuzzing. This framework allows organizations not to rely on or depend on the software vendors, and instead to take ownership of the software and ensure its security before deploying it to their environment.

Binary Analysis

Binary analysis is the process of analysing the compiled binary to search for compliance issues and vulnerabilities in third-party libraries. The idea behind this assessment is to think about what an attacker could possibly do with, or find out about, the compiled executable. Unlike code review, binary analysis does not rely on assumptions: it detects the actual libraries and components present in the binary and checks their versions, and with these versions known it cross-references vulnerability databases such as CVE or the NVD to see whether any component is vulnerable. This process gives the client transparency into the BOM (Bill of Materials) of the software, and the ability to manage any vulnerabilities found and understand the potential risks if such software is deployed.


Fig 2: List of Third Party Components and the Vulnerabilities associated with it
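As an added example (not code from the original post), the following Python script shows the version cross-referencing step described above: a BOM extracted from a binary is matched against affected-version ranges of the kind published in vulnerability databases, and the result doubles as the component list the client is otherwise never shown. The BOM rows, the advisory records and their placeholder identifiers are constructed sample data, and the field names are my own, not those of any real tool or feed.

```python
"""Cross-reference a binary's Bill of Materials against affected-version ranges.

Added example, not from the original post: the BOM rows, the advisory records
and their placeholder identifiers are constructed sample data; the field names
are my own, not those of any real tool or feed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One third-party library found in the binary, as a BOM tool would list it."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """An affected-version range [introduced, fixed); fixed=None means no fix yet."""
    vuln_id: str
    component: str
    introduced: str
    fixed: str | None
    summary: str


def parse_version(text: str) -> tuple[int, ...]:
    """Convert '1.0.1f' or '2.4.10-beta' into a comparable tuple.

    Numeric fields become ints; a single trailing letter (OpenSSL style) becomes
    its alphabet position, so 1.0.1 < 1.0.1f < 1.0.1g. Anything after '-' is dropped.
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", text.split("-", 1)[0]):
        if token.isdigit():
            parts.append(int(token))
        elif len(token) == 1:
            parts.append(ord(token.lower()) - ord("a") + 1)
    return tuple(parts)


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component's version lies inside the advisory's range."""
    if component.name.lower() != advisory.component.lower():
        return False
    version = parse_version(component.version)
    if version < parse_version(advisory.introduced):
        return False
    return advisory.fixed is None or version < parse_version(advisory.fixed)


def match_bom(bom, advisories):
    """Return {'name version': [vuln ids]} for every component, vulnerable or not,
    so the report also serves as the BOM handed to the client."""
    report = {}
    for comp in bom:
        report[f"{comp.name} {comp.version}"] = sorted(
            a.vuln_id for a in advisories if is_affected(comp, a))
    return report


def vulnerable_components(report):
    """Names of components that matched at least one advisory."""
    return [name for name, hits in report.items() if hits]


# Constructed sample BOM, as a binary-analysis tool might extract from a SCADA binary.
SAMPLE_BOM = [
    Component("OpenSSL", "1.0.1f"),
    Component("zlib", "1.2.8"),
    Component("libxml2", "2.9.0"),
]

# Constructed sample advisory feed; the identifiers are placeholders, not real CVE ids.
SAMPLE_ADVISORIES = [
    Advisory("VULN-PLACEHOLDER-1", "OpenSSL", "1.0.1", "1.0.1g", "memory disclosure"),
    Advisory("VULN-PLACEHOLDER-2", "OpenSSL", "0.9.8", "1.0.2", "protocol downgrade"),
    Advisory("VULN-PLACEHOLDER-3", "libxml2", "2.9.0", None, "parser crash, no fix released"),
    Advisory("VULN-PLACEHOLDER-4", "zlib", "1.2.0", "1.2.8", "fixed in 1.2.8 itself"),
]


if __name__ == "__main__":
    for name, hits in match_bom(SAMPLE_BOM, SAMPLE_ADVISORIES).items():
        status = "VULNERABLE: " + ", ".join(hits) if hits else "no known issues"
        print(f"{name:18} {status}")
```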


Fuzzing

Fuzzing is a technique in which malformed or random data is fed to an application and its behaviour is observed, which may reveal potential security issues. In 2006, according to an article from The Register, security researcher HD Moore managed to find a number of bugs in the Internet Explorer browser using fuzzing [10]. In a presentation, John Neystadt, a Microsoft employee, stated that 'over 70% of security vulnerabilities Microsoft patched in 2006 were found by fuzzing' [11]. As fuzzing became increasingly important as a way to find potential bugs and zero-days, Microsoft security guru Michael Howard urged developers back in 2007 to adopt fuzzing as part of the software creation process [12]. And once Microsoft adopted fuzzing as part of its process, the company found over 1800 Office bugs in 2010 [13]. This shows that incorporating fuzzing into a security life cycle framework benefits both the software owner and its users.

An example of how easily a Denial of Service condition can be triggered with fuzzing:

Fig 3: Illustration on how an application is fuzzed



Fig 4: Application crashed because it could not parse the packets it received

The S3VLC Framework


Fig 5: S3VLC in action

The Future of Software Security through Transparency

Last year, on Dec 4th, U.S. representatives introduced the "Cyber Supply Chain Management and Transparency Act of 2014". The legislation will require all contractors supplying software, firmware or products to the federal government to provide the procuring agency with a bill of materials of all third-party and open source components used, and to demonstrate that those component versions have no known vulnerabilities [17].

Fig 6: The Bill at glance

This act requires vendors providing firmware, software and hardware to the U.S. government to provide a BOM (Bill of Materials) for the F/S/H, to demonstrate that the components used are not vulnerable, and to build the software so that it can be patched.

Conclusion

The main idea behind this framework is to allow organizations to properly validate and evaluate the software using binary analysis and fuzzing. Since consumers are given neither the source code nor transparency into whether vendors adopted a proper SSDLC approach in creating the software, the S3VLC framework allows organizations to find both known and unknown vulnerabilities in the software they purchase or evaluate, and thus to work closely with the vendors to improve the software and minimize the potential risks based on the results found.

Final Words

There is no silver bullet when it comes to protecting infrastructure. We have evolved into a generation where having an antivirus and a firewall is just a small piece of a much bigger puzzle. The list of what it takes to secure an environment is exhaustive, ranging from SSDLC, OS hardening, network security perimeters both internal and external, audit and compliance, and following best practices in network design, to the implementation of event logging and network monitoring. As the famous phrase goes, 'Security is a Journey, Not a Destination': there is no one solution that solves everything. As security professionals, it is our duty to educate the masses about the importance of security and the consequences of ignorance. And as end users, it is our duty to understand that security is a shared responsibility and that we all have a role to play in it.

References

[1] http://en.wikipedia.org/wiki/Critical_infrastructure

[2] http://www.washingtonpost.com/blogs/checkpoint-washington/post/foreign-hackers-broke-into-illinois-water-plant-control-system-industry-expert-says/2011/11/18/gIQAgmTZYN_blog.html

[3] http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat

[4] http://www.networkworld.com/article/2188264/malware-cybercrime/dhs--america-s-water-and-power-utilities-under-daily-cyber-attack.html

[5] http://www.computerweekly.com/news/2240207488/US-researchers-find-25-security-vulnerabilities-in-SCADA-systems

[6] http://www.securityweek.com/vulnerabilities-found-schneider-electric-scada-product-line

[7] http://www.computerworld.com/article/2475789/cybercrime-hacking/hackers-exploit-scada-holes-to-take-full-control-of-critical-infrastructure.html

[8] http://www.theregister.co.uk/2014/09/23/app_devs_suck_at_security_says_trainer/

[9] www.coverity.com/library/pdf/the-software-security-risk-report.pdf

[10] http://www.theregister.co.uk/2006/04/13/data_fuzzing/

[11] http://www.mccabe.com/pdf/McCabeIQ-FuzzTesting.pdf

[12] http://www.zdnet.com/blog/security/microsoft-security-guru-get-fuzzing/258

[13] http://www.computerworld.com/article/2516563/security0/microsoft-runs-fuzzing-botnet--finds-1-800-office-bugs.html

[14] http://www.informationweek.com/hacking-contest-reveals-solaris-vulnerability/d/d-id/1010480?

[15] http://www.technewsworld.com/story/75768.html

[16] http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploit

[17] http://royce.house.gov/news/documentsingle.aspx?DocumentID=397589

Disclaimer

The above post is solely based on my personal research and in no way represents the views and opinions of Codenomicon.

Saturday, 24 January 2015

Blackhat Movie Review

Blackhat movie review (with SPOILERS): It's been a while since I did a movie review here, and since this movie, as its title suggests, is about hacking, I think it's wise for me to write a thing or two (well, probably more) about what I feel about it.

Blackhat movie poster

First off, just for general movie knowledge: when this movie was initially scripted there were a lot of protests within the industry about the synopsis, in which the American government works with the Chinese government to tackle a foreign hacker, while in fact there is huge friction between the two in the real-world cyber war arena (the latter was briefly mentioned in the movie).

The start of the movie was quite cool: we see a hacker pressing the Enter key, and the movement of the data is shown in a Matrix-like format from the computer right to the destination, a power plant. I enjoyed the first 10 minutes of the movie as it showed the HMI (Human Machine Interface) of the SCADA systems and how it was hijacked. Those who know how Stuxnet works can relate to the movie, since the RAT (remote access trojan) or 'virus' in this movie was probably inspired by the Stuxnet worm (which was able to destroy many nuclear centrifuges, causing them to be replaced and renewed at a cost of millions of dollars). What a huge coincidence that I gave talks about SCADA and power plant security last year.

Power Plant Meltdown from the Blackhat movie


HMI interface for a SCADA system

However, the way things were handled by the US government and the Chinese government (cooperating with each other) was unrealistic. According to the book 'WORM' by Mark Bowden, back when the famous Conficker virus was going on a rampage in the US, affecting millions of computers, the US government did not even bother to take further action, even after being told that Conficker had the ability to start a Cyber Pearl Harbor, so seeing the US government providing assistance to the Chinese government was quite far-fetched (but hey, who knows, this movie could entice a possible cooperation between them).

WORM by Mark Bowden

Everything went well until they decided to kill the direction of the movie. I'm not going to comment on this as I was utterly disappointed; it's like watching the latest Transformers scene in China... pointless! Chris Hemsworth, the hacker in the movie, was somehow good at martial arts and even knew how to use a gun better than the villains. (Seriously??? Now I miss Hugh Jackman in Swordfish.)

Swordfish the movie

My verdict: it was all positive hype in the first 30 minutes until it went totally downhill for the rest. Don't expect a Blackhat vs Blackhat cyber battle or a Die Hard 4.0 kind of vibe. The villains were lame, making the 90s movie Hackers way better than this.

Wednesday, 12 November 2014

Speaking at DefCamp Security Conference

Four days after my talk in Austria, I will be flying to Bucharest, Romania to speak at DefCamp. Like Austria, this will also be my first time in Romania, or eastern Europe for that matter. I am so psyched and excited for this as well. After getting the 57th spot out of a total of over 800 teams that competed in the online D-CTF challenge, I am looking forward to seeing the top 10 teams challenging themselves at the conference. The conference will be held in Bucharest from the 27th to the 30th of Nov 2014.

Link: http://defcamp.ro

The DefCamp Banner

Some of the speakers


The Schedule of the talks for Day 1

Speaking at BSidesVienna Security Conference

I am privileged to be accepted as a speaker for BSides Vienna, Austria. This will be my first time in Austria and I am very excited to go and meet security enthusiasts in the region. The conference will be held on the 22nd of November 2014.

Link: http://bsidesvienna.at/

BSidesVienna Banner

The Schedule of my Talk

Friday, 26 September 2014

SecureSingapore - an (ISC)2 event

I was privileged to be invited to speak at SecureSingapore yesterday, an event that was held right after GovWare. This was my first time giving a full presentation at a Singapore-based conference. Previously, when I presented at ABS-FITA and WebSense (both in Singapore), I was doing the technical demo, but this time I had a whole hour to speak. My speaking experience from conferences in India, the UAE and the US gave me the confidence to speak at this one.



 
The topic of my talk. Unlike Defcon Kerala and The Hackers Conference in India and BSidesLV in Vegas, I needed to ensure that my talk covered more of a holistic view of SCADA and Critical Infrastructure and little of the low-level technical side.



I had a great time presenting to a room full of CISSP-certified professionals and security practitioners. I was also delighted to get some laughs and responses from the crowd. One of the things I did was to demonstrate the way Stuxnet works, and I got 3 volunteers from the crowd to assist me in illustrating it.

At the end of my talk, I had a chance to meet and greet people from industries such as banks and product vendors. One of them was the President of ISC2 Singapore himself! This was a new experience for me and I certainly thank BT and ISC2 for giving me the privilege to share my knowledge with the industry experts.

And what better way to be given the thumbs up than to receive such honest feedback from one of the audience.




Saturday, 20 September 2014

Vulnerability Assessment on SCADA Networks - A Guide

Recently, I wrote an article on how to perform a Vulnerability Assessment on SCADA networks, which was published on Hakin9.org. This time I am taking the opportunity to describe the methodology and processes in detail.

Tools Used:
1) Ping Utility
2) Nmap
3) Wireshark
4) Nessus
5) Metasploit

The tools listed above are recommended by several credible websites that deal with SCADA systems and infrastructure, including:

1) SCADA HACKER: http://scadahacker.com/tools.html
2) Idaho National Laboratory: http://www.inl.gov/scada/publications/d/cyber_assessment_methods_for_scada_security.pdf
3) Tenable Security: http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/SCADA%20Network%20Security%20Monitoring.pdf
4) Digital Bond: http://www.digitalbond.com/tools/the-rack/nessus/
5) US Department of Energy: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Introduction_to_SCADA_Security_for_Managers_and_Operators.pdf

Compliance - The Need for Vulnerability Assessment
NERC CIP 005-3 specifically states the following:
Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. 
The vulnerability assessment shall include, at a minimum, the following:
R4.1. A document identifying the vulnerability assessment process;
R4.2. A review to verify that only ports and services required for operations at these access points are enabled;
R4.3. The discovery of all access points to the Electronic Security Perimeter;
R4.4. A review of controls for default accounts, passwords, and network management community strings;
R4.5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

NERC CIP 007-3 specifically states the following:
Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The vulnerability assessment shall include, at a minimum, the following:
R8.1. A document identifying the vulnerability assessment process;
R8.2. A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled;
R8.3. A review of controls for default accounts; and,
R8.4. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

NERC CIP 005-3: http://www.nerc.com/files/cip-005-3.pdf
NERC CIP 007-3: http://www.nerc.com/files/cip-007-3.pdf


The Methodology
From the experience I gathered doing assessments on SCADA networks and systems, I came up with the methodology below.


Information Gathering stage
The information gathering stage is the first and the most important stage in this methodology. Failing to collect the necessary information will be a problem for the later stages. In this stage, we need to collect the following information:

1) The network device information, such as the IP addresses of routers, switches, firewalls, IPS/IDS, honeypots, printers and any other devices connected to the SCADA network.

2) The computer system information, such as the IP addresses, hostnames, type of operating system, services running on the systems and hardware specifications.

Challenge experienced
As SCADA has been around since the 60s, one of the problems I faced was that there was little or no documentation of what the system owners had. And when they did have it, it was vague, such as only the hostnames with no IP addresses tied to them. And since servers and workstations were all connected to a single network, it was hard to determine which was which.

How I did it
Being provided only the IP ranges, I had to use Nmap to scan them. Take note that at this stage I only ran the Nmap ping sweep switch and not the service/OS scans, since we did not know what systems were there or what the consequences of running a service/OS scan would be.

Once I had determined the IP addresses found by the ping sweep, I checked with the system owners to see if they could determine which were workstations, servers, network devices, etc. In my case, the system owners could not identify which was which, hence I had to perform an OS scan to determine the OS of the devices in the network.

Once I managed to collect the OS information, the next step was to put it in a spreadsheet and categorize it according to IP | Hostname | OS. With these, I safely determined which were servers, workstations and network devices.

Take Note
Always, always remember to save all this information in a spreadsheet.

Grouping stage
This stage is where my Excel spreadsheet came into play. After determining the IP | Hostname | OS, I placed all hosts with the same OS into a tab or a column. For example, I placed all the Windows XP systems into one column, the Windows NT 4.0 systems into another column, Windows Server 2000, 2003, Cisco switches, etc., all into their own individual columns.

Once separated, I showed the groups to the system owners to determine which were the active servers and which were the passive ones. This is needed later when it comes to the scanning phase. After successfully determining these, I started to use Nessus to scan for open services, beginning with a handful of workstations first, followed by the rest of the workstations, then the passive servers and then the active servers. Remember, at this stage the vulnerability scans were not started yet, as I only performed scans for open ports and services.

Once again, remember to save all this information.

Policy and Plugins stage
Now that we have determined the IP | Hostname | OS | Open Ports | Services, it's time to sit down with the system owners and find out more about the systems/servers. Take a couple of minutes to go through each workstation and look at Add/Remove Programs to determine what software/applications are installed. This is needed in order to customize the Nessus policy and plugin settings. An example is to check whether a database is installed. If there is one, what brand? What version? This is to eliminate the unwanted plugins and retain only the necessary ones.

Take Note
Never ever use the Nessus default settings when performing a VA scan. By default, it will use huge bandwidth and an unlimited number of TCP connections to the host at a time, and this can potentially cause Denial of Service issues such as system reboots, blue screens and application hangs.

The Nessus scan default settings. Note the 'Unlimited' connections. This needs to be throttled. In my case, the following settings were used:
Max Hosts per Scan: 5
Max Simultaneous TCP Sessions Per Host: 15
Max Simultaneous TCP Sessions Per Scan: 5

*The above settings were used for Windows XP and Windows 7. For anything older, such as Win NT 4.0, the following settings were used:
Max Simultaneous TCP Sessions Per Host: 5
Max Simultaneous TCP Sessions Per Scan: 1


Now that the default performance settings have been edited, I also need to change the plugins. Again, by default, all the plugins are selected. This may cause an old system like Win NT 4.0 to crash, as it cannot handle the load from the scanner. Hence, in the plugin section, select only the necessary ones. For example, if it's a Windows OS, uncheck the Linux-associated plugins, and if the Windows system is using an MS SQL database, uncheck the Oracle and MySQL plugins.



Also, create an individual customized scanning policy for each group of devices. If they are Windows XP workstations, place them into a policy, which I called 'SCADA-WinXP', followed by 'SCADA-WinNT', 'SCADA-Win2K-Passive' and 'SCADA-CiscoSwitches'... you get the point.

Take Note
The fewer and more specific the plugins you select, the smoother and less intrusive the scans will be.
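The information gathering, grouping and policy stages above can be carried over into a small script. As an added example (not from the original article), the Python below parses Nmap's XML output into the IP | Hostname | OS inventory, groups hosts into 'SCADA-<group>' policies, and attaches the throttled Nessus performance settings given above to each group. The Nmap XML is a constructed sample, the OS-keyword rules and the 'Max Hosts per Scan: 1' value for the legacy profile (taken from the 'scan one system at a time' advice) are my assumptions, and the Nessus policies themselves still have to be configured by hand.

```python
"""Nmap XML -> IP | Hostname | OS inventory -> per-OS Nessus policy groups.

Added example, not from the original article. The Nmap XML is a constructed
sample of the -oX format; the OS keyword rules and the legacy
max_hosts_per_scan value are my own assumptions.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output after a ping sweep followed by an OS scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="hmi-01" type="PTR"/></hostnames>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="98"/></os></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames><hostname name="hist-nt" type="PTR"/></hostnames>
    <os><osmatch name="Microsoft Windows NT 4.0 SP6a" accuracy="95"/></os></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <hostnames/>
    <os><osmatch name="Microsoft Windows Server 2003 SP2" accuracy="97"/></os></host>
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="sw-core" type="PTR"/></hostnames>
    <os><osmatch name="Cisco IOS 12.X" accuracy="90"/></os></host>
  <host><status state="down"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""

# Throttled Nessus performance settings from the post (the default is 'Unlimited').
THROTTLE_XP_WIN7 = {
    "max_hosts_per_scan": 5,
    "max_simultaneous_tcp_sessions_per_host": 15,
    "max_simultaneous_tcp_sessions_per_scan": 5,
}
THROTTLE_LEGACY = {           # Win NT 4.0 and older
    "max_hosts_per_scan": 1,  # assumption: the post says to scan these one at a time
    "max_simultaneous_tcp_sessions_per_host": 5,
    "max_simultaneous_tcp_sessions_per_scan": 1,
}


def parse_nmap_xml(xml_text):
    """Return (ip, hostname, os) for every host that answered the ping sweep."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # not alive; nothing to inventory
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        om = host.find("os/osmatch")  # Nmap lists its best match first
        rows.append((
            addr.get("addr") if addr is not None else "",
            hn.get("name") if hn is not None else "",
            om.get("name") if om is not None else "unknown",
        ))
    return rows


def classify_os(os_name):
    """Map an OS fingerprint to a 'SCADA-<group>' policy and its throttle profile.

    The keyword rules are my own; the group naming follows the post."""
    n = os_name.lower()
    if "windows 2000" in n:
        return "SCADA-Win2K", THROTTLE_LEGACY
    if "windows nt" in n or "windows 9" in n:
        return "SCADA-WinNT", THROTTLE_LEGACY
    if "windows xp" in n:
        return "SCADA-WinXP", THROTTLE_XP_WIN7
    if "windows 7" in n:
        return "SCADA-Win7", THROTTLE_XP_WIN7
    if "windows server" in n:
        return "SCADA-WinServer", THROTTLE_XP_WIN7
    if "cisco" in n:
        return "SCADA-CiscoSwitches", THROTTLE_XP_WIN7
    return "SCADA-Unclassified", THROTTLE_LEGACY  # unknown box: be gentle


def group_hosts(rows, passive_hosts=frozenset()):
    """Bucket inventory rows into policies; passive servers get their own bucket.

    passive_hosts holds the IPs or hostnames the system owners flagged as passive."""
    policies = {}
    for ip, hostname, os_name in rows:
        name, settings = classify_os(os_name)
        if ip in passive_hosts or hostname in passive_hosts:
            name += "-Passive"
        bucket = policies.setdefault(name, {"settings": settings, "hosts": []})
        bucket["hosts"].append({"ip": ip, "hostname": hostname, "os": os_name})
    return policies


def inventory_csv(rows):
    """The IP | Hostname | OS spreadsheet the post insists on saving."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["IP", "Hostname", "OS"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(inventory_csv(inventory))
    for name, bucket in group_hosts(inventory, passive_hosts={"192.0.2.12"}).items():
        print(name, bucket["settings"], [h["ip"] for h in bucket["hosts"]])
```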

The Scanning stage
Now that we have customized the policies, it is time to scan. Always scan the backup or passive systems first to see what the outcome is. A good way is to scan individually (provided you have the time). What is important is to ensure that little or no downtime is caused during the scan. This is where the Ping utility and Wireshark come in. By pinging what you scan, you can monitor whether or not the system is alive and running. And in the unfortunate case that a system goes down, you can quickly pause the scan and use Wireshark to analyze the issue.


Take Note
Certain systems, when I scanned them, hung the application no matter how much I throttled the settings. I realized that this happened on Win NT 4 and older systems running on old and unsupported hardware. In my case, it was running on a 5GB hard disk with 64-256MB of RAM. So what I did at that time was to determine how many Win NT 4 and older systems there were. I then informed the system owners that these systems would definitely hang during scanning. Once acknowledged, scan one system at a time. When the scan is completed, physically check the system to see if the application hung; if it did, reboot, log in and ensure that the system is operational before moving on to the next system.

The Validation stage
When the vulnerability scans are done, it's time to validate the findings. My recommendation is to validate those that can be validated WITHOUT exploitation. This is very important, as we do not know the consequences of exploiting the vulnerability on live production systems. Hence, even where we cannot validate our findings, it is still our ethical duty to report them. For certain critical vulnerabilities like MS08-067, we can use Metasploit's 'check' utility to determine whether or not the vulnerability really exists. However, certain vulnerabilities like MS09-050 cannot be validated without exploitation, and while exploiting MS09-050 can succeed, some have experienced the system rebooting, hence be extra careful when validating a vulnerability through exploitation.


Manual Assessment
So far I have shown how to use automated tools like Nmap and Nessus to perform the assessment. However, during the course of this, downtime occurred at certain times because ancient hardware and unsupported operating systems could not handle the scans. Hence, there are ways to perform the information gathering manually.

Below is the document by NIST that provides suggestions on how you can get it done manually. I recommend that these actions be taken only in environments where the systems and hardware are more than 10 years old.




Risks Risks Risks!!!!
So what are the risks involved when performing vulnerability assessments and/or penetration testing? As SCADA systems are sensitive, sometimes unexplained problems can occur. Take, for example, the 'Unintentional Internal Security Consequences' below, taken from the NIST 800-82 document.


Hence, to prevent such accidents from happening, always ensure that you gather as much information as you can before deciding which approach to use (manual or automatic).

TIPS
Digital Bond has a project that greatly helps to perform a Nessus scan to comply with NERC CIP 007-3. You can refer to the following links:
1) https://www.digitalbond.com/tools/bandolier/downloads/
2) https://www.digitalbond.com/wp-content/uploads/2012/04/cip007r8v1.2.zip

You can read more about how it assists in complying with NERC CIP 007-3 here:
1) http://www.digitalbond.com/tools/bandolier/nerc-cip-scan-policies/

Take Note
However, do review the plugins selected by this customized policy. This scanning policy for complying specifically with NERC CIP 007-3 is good, but I need to mention that it is a baseline policy that checks what is necessary to comply with NERC CIP 007-3; it does not include the additional plugins needed to check for other application and OS vulnerabilities. You may need to select additional plugins to fulfill your VA requirements, and using Digital Bond's NERC CIP 007 Nessus policy is a good baseline to start with.

Tuesday, 12 August 2014

BSidesLV - An Awesome Security Conference!

BSidesLV is a security conference in the US, more specifically in Las Vegas! Yeap, that's right... Sin City! I was excited and privileged to be accepted as a speaker at the conference. As it was my first time speaking in America, it was quite a challenge for me, as I knew that, unlike audiences in Asia, American audiences seem to be more outspoken, and when I was there it was indeed true.

After I arrived at the Tuscany Suites and Casino, my stomach started to hurt. That's right, the pressure, the stress... there were so many butterflies rampaging in my stomach as I walked to the reception. The queue to register was long. Initially I joined the queue, but then I saw some individuals 'bypassing' it. I assumed they must have been the speakers, so I asked the volunteers and phew... I managed to get in without queuing.

Once I got in, I didn't waste any time and started to take as many pictures as I could. Well, I was a tourist when I was there, so excuse my itchy fingers snapping pictures. The atmosphere was awesome, the people were friendly and the topics were great! Despite not properly socializing with the crowd, I was having a great time there. Well, I am a sucker for conferences, so such a con made me feel I belonged.

When my time was up, I walked up to the 'stage' and connected my computer to the VGA cable to extend my monitor. I spent the first 4 minutes trying to get it connected. Resolution sadly gave me an issue, so I had to make do with a slightly smaller yet still visible resolution on the projector. I was nervous, and the things I had prepared to say, those words just got lost. But I was happy that the audience, despite my pressured state, were very supportive. Some were smiling, some were nodding their heads, showing signs of approval with every slide I went through. Of course, I was challenged by another speaker who told me off about the practicality of my talk after I showed two clips from Die Hard 4.0. After replying to him that it is possible for a scene like Die Hard 4.0 to happen and telling him that my last few slides would show how, he and his 3 other friends, all wearing black t-shirts, stood up and walked out of the conference room... and I was just on my slide 4. I was a little demotivated, but I am glad that the rest stayed until the end. What I didn't expect was that the audience gave me a round of applause after my talk! I was very touched and felt a little emotional, feeling appreciated despite my stressed mode and pressure.

After the talk, I was approached by a handful of people from the audience, asking me more about my talk. Some asked about my talk and some congratulated me on my performance. I was very happy to hear in their own words that they enjoyed my presentation. And what's more important was that I got to meet some experts in the field I was talking about.

All in all, it was an amazing experience; this was indeed one of the best conferences I have attended. The organizers, the volunteers, the speakers and the audience were simply awesome! It truly felt like home...

Here are some of the pictures...

Where it all happened!

The souvenirs!

Bought and free t-shirts!

Close up of the Badge!

Some sponsor banners!



Mini booths

WiFi Pineapple!! I bought one!

Protiviti! - Looking for Security Enthusiasts to join them.

Big Ass O-Wasp!

Hackers For Charity booth!

CTF Competition! 

Social Engineering Competition!

Creative Winning Trophy!

The Topics!




The start of my presentation

Me with Chris Sistrunk aka SCADA God!

Me and Jack Daniels, the co-founder of Security BSides conference!

This volunteer (on the left, in yellow) was the man who motivated me and encouraged me not to be pressured, and even helped me answer a question from the audience! Kudos to him! Wish I knew who he is...

Support our Troops! I mean..Sponsors... :)

Thursday, 10 July 2014

Speaking at Vegas!

It is my pleasure to share that the talk I submitted to BSidesLV, entitled "Vulnerability Assessments on SCADA: How I 'owned' the Power Grid", has been accepted!!!!


This will be my first time speaking at a security conference in the US! (It will also be my first time travelling to the US!) I've spoken at conferences in Singapore, presented in Dubai and demoed in India. This will definitely be a new experience. I am definitely very excited for this and will feel pressured, especially knowing that US audiences are outspoken, unlike their Asian counterparts.

Just a brief intro to my talk: I will be talking about the state of SCADA security, the typical vulnerabilities found in SCADA environments and how it's possible for someone to own and control a power grid.

Check out the site: http://www.bsideslv.org/

Friday, 27 June 2014

First Published Article in Hakin9

Recently, I was selected to perform an assessment on a SCADA environment. It was an amazing experience getting to see the SCADA systems, the monitoring and the control systems that control the power plants and power grids. Although there were many challenges faced during the assessment, it allowed me to develop my own methodology for performing a Vulnerability Assessment on SCADA networks.

I was more than happy to share with Hakin9 the basic requirements and techniques for properly performing a VA on SCADA networks/systems. Unfortunately, you need to subscribe to Hakin9 before you can download a copy.


Link: https://hakin9.org/advanced-exploitation-with-metasploit/