Enabling ESP32 Secure Boot

What is Secure Boot?

ESP32 has a secure boot feature that allows you to configure the device to only accept signed firmware images from trusted sources. This can be used to prevent unauthorized modifications of your code and data on the ESP32, or to protect against malicious software (malware) attacks.

Why should it be used?

The ESP32 is an open-source hardware platform, which means anyone can modify its design. However, this also makes it vulnerable to malware attacks. If the attacker gains access to the device’s flash memory, they could replace the original firmware with their own version. In addition, if the attacker manages to gain root access, they could install any software on the device without user consent.

Secure boot prevents these types of attacks by requiring all firmware images to be digitally signed before being loaded into the device. Only those images that are signed by a trusted certificate authority will be accepted.

How does it work?

The ESP32 uses a Trusted Platform Module (TPM), which is a special-purpose chip designed for cryptographic operations. It provides a tamper-resistant environment where sensitive information such as passwords, keys, and certificates can be stored securely.

When the ESP32 boots up, it reads the TPM’s public key and checks whether the image file is signed using the private key associated with the public key. If so, the image is loaded into the device. Otherwise, the system displays an error message and refuses to load the image.

How do I enable it?

Secure Boot is enabled by default in the latest version of Espressif’s SDK for ESP32 development. But, on older versions of the SDK, you need to set the “secure_boot” option when initializing the board:

esp_init(0, 0x000002ff); // Initialize ESP32 module at address 0x00000200

esp_set_secure_mode(1); // Set secure boot mode

 

Why You Should Support CS2AI

What is Control Systems Cyber Security Association International (CS2AI.org)?

The mission of the Control Systems Cyber Security Association, Inc. (CS2AI) is to promote and advance cyber security education, research, and practice to protect critical infrastructure and ensure the safety and reliability of our nation’s control systems.

What does that mean? It means we are here to help you understand how to keep your control system safe from hackers, malware, and other threats. We want to ensure you know what to look for in a good cybersecurity program and how to find it.

We also want to ensure you have access to the best resources available to help you stay up-to-date on current trends and technologies.

Why does MSI support it?

Because we believe in its mission. We believe in making sure everyone has access to the information they need to make informed decisions about their own cybersecurity programs, especially when it comes to ICS.

We believe in helping people learn more about cybersecurity so they can take steps toward protecting themselves and their organizations.

We believe in supporting those who share our passion for improving the world through technology. CS2AI supports the core mission of MSI – making the online world a safer place for all of us.

How do I get involved?

It’s simple – click here to learn more about joining and the benefits of supporting the ongoing efforts to improve global cyber security.

Why Emulate a PLC with a Raspberry Pi

One of the most powerful uses of emulating a PLC (Programmable Logic Controller) field device with a Raspberry Pi is that it provides an affordable and easily obtained platform for prototyping, performing ladder logic testing, and researching various industrial control systems and cybersecurity concepts.

Raspberry Pis are Affordable

Raspberry Pi models 3 and 4 are significantly more affordable than real PLCs. A typical PLC can cost hundreds or thousands of dollars.

The Raspberry Pi costs around $35-50 depending on your model choice. This makes them very accessible to hobbyists, students, researchers, developers, and anyone else who wants to work with the basics of industrial control systems. The low cost makes them ideal candidates to emulate a PLC in many scenarios.

Raspberry Pis are Easily Obtainable

PLCs can be quite difficult to come by, especially if you want one without any pre-existing software installed. Many manufacturers will not sell their products to third parties unless they have some kind of existing relationship. If you don’t already know someone at the manufacturer then you may need to pay a hefty upcharge. Additionally, purchasing the addons for power supplies, specific programming software, and such can quickly turn into a slog of paperwork and supporting tasks. The lead time and delivery times can take weeks to months.

The Raspberry Pi, on the other hand, can be purchased at many big-box electronics or computer stores, directly from many providers, or even delivered to your door from Amazon and other online sources. It uses a common USB power supply and can be configured and programmed using open source tools available online. Lead time is a couple of days to a few hours, letting you stay focused on your work.

The OpenPLC Project

The OpenPLC Project is a stable, well-documented toolkit for emulating basic PLC operations on the Pi. It has been used successfully to simulate a variety of different types of PLCs and includes support for ladder logic and other common PLC functions. You can find the programming reference and review the available capabilities here.

You can get OpenPLC up and running on a Pi in less than 30 minutes. In our testing, we were able to begin using the emulated PLC in our lab within an hour!

Going The Extra Mile With SCADABR

SCADABR is an open-source supervisory control and data acquisition software package designed to allow you to create interactive screens or human-machine interfaces (HMI) for your automation projects. It provides tools for creating graphical user interface widgets, event handlers, timers, and dialogs. With its ability to communicate with multiple controllers (including OpenPLC), ScadaBR is an ideal companion for the OpenPLC Runtime and Editor.

Using a Pi, OpenPLC, and SCADABR together, can get you a very powerful and useful PLC platform up and running for under $100 and in less than a few hours. Once implemented, you can use the platform to learn about industrial controls systems, ladder logic, PLC programming, and operations. You can also do basic ladder logic research and testing, and even prototyping for future real-world PLC deployments. Cybersecurity folks also have a very capable platform for learning about industrial control security requirements, performing vulnerability research, reverse engineering, or practicing their assessment skills in a safe environment.

While you might not get the full power of a true PLC (there are some limitations to Pi’s capabilities), you will likely get more than you expect. If you have an interest in or a need for some basic industrial control systems capabilities, this is a great place to start.

 

 

IT/OT Convergence and Cyber-Security

Today, I spoke at ComSpark as a part of a panel with Chris Nichols from LucidiaIT and David Cartmel from SMC. 

We talked extensively about convergence and the emerging threats stemming from the intertwined IT/OT world. 

If you missed it, check the ComSpark event page here. I believe they are making some of the content available via recording, though a signup might be required. 

Our virtual booth also had this excellent video around the topic. Check it out here.

Thanks and hit me up on Twitter (@lbhuston) and let me know your thoughts.

Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

An Exercise to Increase IT/OT Engagement & Cooperation

Just a quick thought on an exercise to increase the cooperation, trust and engagement between traditional IT and OT (operational technology – (ICS/SCADA tech)) teams. Though it likely applies to just about any two technical teams, including IT and development, etc.

Here’s the idea: Host a Hack-a-thon!

It might look something like this:

  • Invest in some abundant kits of LittleBits. These are like Legos with electronics, mechanical circuits and even Arduino/Cloud controllers built in. Easy, safe, smart and fun!
  • Put all of the technical staff in a room together for a day. Physically together. Ban all cell phones, calls, emails, etc. for the day – get people to engage – cater in meals so they can eat together and develop rapport
  • Split the folks into two or more teams of equal size, mixing IT and OT team members (each team will need both skill sets – digital and mechanical knowledge) anyway.
  • Create a mission – over the next 8 hours, each team will compete to see who can use their smart bits set to design, program and proto-type a solution to a significant problem faced in their everyday work environments.
  • Provide a prize for 1st and 2nd place team. Reach deep – really motivate them!
  • Let the teams go through the process of discussing their challenges to find the right problem, then have them use draw out their proposed solution.
  • After lunch, have the teams discuss the problems they chose and their suggested fix.Then have them build it with the LittleBits. 
  • Right before the end of the day, have a judging and award the prizes.

Then, 30 days later, have a conference call with the group. Have them again discuss the challenges they face together, and see if common solutions emerge. If so, implement them.

Do this a couple times a year, maybe using something like Legos, Raspberry Pis, Arduinos or just whiteboards and markers. Let them have fun, vent their frustrations and actively engage with one another. The results will likely astound you.

How does your company further IT/OT engagement? Let us know on Twitter (@microsolved) or drop me a line personally (@lbhuston). Thanks for reading! 

ICS/SCADA Security Symposium 2014 Announced

For those of you who were wondering about our yearly event, the 4th annual ICS/SCADA Security Symposium has been announced!

The date will be Thursday, December 11, 2014 and the entire event will be virtual! Yes, that’s right, no travel & no scheduling people to cover the control room. YOU can learn from right there! 

To learn more about the event, the schedule and to register, click here!

Save The Date: 2014 ICS/SCADA Security Symposium Dec. 11

This year’s ICS/SCADA Security Symposium will be held on Thursday, December 11, 2014. This year’s event will be a little different, in that we are opening it up to any organizations who are asset owners or manufacturers of ICS/SCADA components. That includes utilities, manufacturing companies, pharma, etc. If you are interested in ICS security, you can sign up for the event.

This year’s event will also be virtual. It will be a series of Webinars held on the same day in 45 minute blocks, with time for follow-on questions. We will also hold a Twitter Q&A Hour from 1pm – 2pm Eastern, and we will attempt to make all speakers available for the Q&A!

In addition, we plan to stand up a supporting website for the event, and release a number of materials, including podcasts, interviews and other surprises the day of the event!

We will be tracking attendance in the webinars and providing notes of attestation for attendees for the purpose of CPE credits. We hope this new format will allow folks who wanted to attend in the past, but either couldn’t make the physical trip to Columbus or couldn’t leave their positions to attend training the ability to join us.

More details, including speakers and topics, as well as schedules, hashtags and other info will be released shortly. Thanks for reading, and we hope to see you on 12/11/14!

Co-Op & Municipal Utilities Get Discounts in July

Attention Co-Op & Municipal utilities — MSI is offering discounts to your organizations on professional services (policy/process, assessments, pen-testing, etc.), lab services (device & AMR/AMI assessments, threat assessments, etc.) and HoneyPoint Security Server for the month of July. Book the business before July 31’st and have the work/implementation completed before December 31st of 2014 and you receive a discount up to 30% off!

Do you need pen-testing against your business network? Need web app assessments on billing or payment systems? Have a call for risk assessments, smart grid device testing or fraud testing against your meters and field gear? All of this and more qualifies!

Check out our ICS/SCADA specific services by clicking here!

Give Allan Bergen a call today at 513-300-0194 to learn more about our program. We truly appreciate the hard work and dedication that Co-op and Municipal utility teams do, and we look forward to working with you!