Bringing CISA’s Secure by Design Principles to OT Systems – Matthew Rogers – ASW #334
CISA has been championing Secure by Design principles. Many of the principles are universal, like adopting MFA and having opinionated defaults that reduce the need for hardening guides. Matthew Rogers talks about how the approach to Secure by Design has to be tailored for Operational Technology (OT) systems. These systems have strict requirements on safety and many of them rely on protocols that are four (or more!) decades old. He explains how the considerations in this space go far beyond just memory safety concerns.
Segment Resources:
Matthew Rogers is an Industrial Control Systems expert at CISA and the lead for Secure by Design for Operational Technology. Prior to his time at CISA, Matthew was the founding engineer at a startup for securing planes, trains, and tanks and received a PhD in building intrusion detection systems for serial control system networks.
Mike Shema
- Attention, High Voltage: Exploring the Attack Surface of the Rockwell Automation PowerMonitor 1000 | Claroty
Sharing some Industrial IOT related security research to tie in with this week's guest topic on secure design for OT systems.
In reading more about the NET+ OS, the programmer's guide has a section on one of the most wonderful tools I've come across -- the HTML-to-C compiler.
- [2504.19486] The Cost of Performance: Breaking ThreadX with Kernel Object Masquerading Attacks
In the spirit of this week's theme of secure design for OT, here's a recent research paper on ThreadX (and other RTOS) security controls. It covers three major concepts: privilege separation, memory access control, and parameter sanitization. It explains how they're related to the similar techniques found in the Linux kernel and how they differ due to RTOS architectures and constraints. It's a helpful introduction to research on these kinds of operating systems.
The paper ends, like many do, with a call for more research and "the development of automatic vulnerability detection techniques." Here's a target for anyone out there with a hobby for fuzzing, writing scanners, or (lol, sorry) spending GPU cycles on LLMs for static analysis.
ThreadX is open source and hosted on GitHub.
- Covert Web-to-App Tracking via Localhost on Android
When your threat model needs to include well-financed actors intent on persistently identifying eyeballs for ads. I doubt that Advertising Persistent Threat will catch on, but at least most of these threat actors already have a universally accepted name.
Also covered in Ars Technica.
- Evaluating fair play in a $5 billion game (pdf)
Yes, this PDF is a bit more marketing than technical write-up, but it worked on me.
As someone who has played D&D for decades, I've seen first-hand how both physical and digital dice will betray you despite whatever attestations of fairness a company might give.
The larger appsec angle here is a chance to mention cryptography, cryptographically secure random number generation, and threat modeling games.
- OWASP Top 10 for Business Logic Abuse
Another list...
But perhaps one that promises to distinguish itself by expanding on the too-coarse concept of "business logic". I'm cautiously optimistic for this and hope it evolves into well-explained categories of common problems and avoids too much security jargon.
- Ukraine’s Massive Drone Attack Was Powered by Open Source Software
More opsec than appsec. But we're talking about hardware devices this week so it felt topical. If there's an appsec angle, it'd be about resilience in terms of minimizing failure modes under adverse operating conditions.
- The Illusion of Thinking: Understanding the Strengths and Limitations of Reasoning Models via the Lens of Problem Complexity
Here's some helpful commentary on the paper.
- Poison everywhere: No output from your MCP server is safe
Maybe if I just post some research that shows how prompt injection can appear from anywhere, then I won't have to keep tracking more this year.
This is a nice writeup; I'm just jaded on seeing more reminders that LLM agents and MCPs have no separation of code and data.