Error Code

89 episodes — Page 1 of 2

EP 88: Securing the Infrastructure AI Just Made Vulnerable

Jun 9, 2026 · 34 min

EP 87: Backup, Control Gaps, and the Real Cost of Agentic AI Actions

May 27, 2026 · 29 min

EP 86: The Trusted Channel: AT Command Exploits and Cellular IoT Security

May 12, 2026 · 32 min

EP 85: From Colonial Pipeline to Agentic AI: What OT Security Actually Requires

Apr 28, 2026 · 36 min

EP 84: Airports as Critical Infrastructure: OT Security and Operational Disruption

Apr 15, 2026 · 37 min

EP 83: Cybersecurity and Risk in a Decentralized Energy Grid

The surge in renewables and decentralized power is reshaping grids—and exposing them to new operational and cyber risks. In this episode, Rafael Narezzi, Co-Founder & CEO of Centrii, explains how rising connectivity widens the attack surface, leaving energy infrastructure increasingly vulnerable.

Mar 31, 2026 · 24 min

EP 82: Kerberos in OT: RC4 Downgrade Attacks

Kerberos, a decades-old authentication protocol, creates hidden risks in OT environments. Dor Segal, security researcher team lead at Silverfort, discusses delegation abuse, cipher downgrade attacks, and person-in-the-middle threats—highlighting why legacy encryption, patching challenges, and operational constraints make identity security critical in industrial networks.

Mar 4, 2026 · 26 min

EP 81: Root of Trust: Why Security Now Starts in Silicon

Rising software complexity in safety-critical industries is forcing cybersecurity requirements on systems where they were not previously considered. David Sequino, CEO of OmniTrust (formerly ISS), talks about the need to secure digital certificates on life-critical systems like cars and planes and the challenges in doing so.

Feb 17, 2026 · 34 min

EP 80: The Dangers of White Label Devices

Many devices on modern networks aren’t what their labels claim. In this episode, Rob King, Director of Applied Security Research at runZero, explores white-labeled surveillance and IoT hardware, why some vendors are banned by governments, and how hidden risks can spread across enterprises. Discovery, device fingerprinting, and protocol analysis reveal what’s really connected—and why knowing your true inventory is now essential for security, compliance, and trust.

Feb 3, 2026 · 38 min

EP 79: Ignore OT Security At Your Own Peril

This episode covers the growing importance of OT security, highlighting overlooked risks in critical infrastructure, legacy systems, and supply chains. Through real-world examples, Eric Durr, Chief Product Officer at Tenable, shows why OT security differs from IT, emphasizing visibility, resilience, and risk prioritization to protect safety, operations, and business continuity.

Jan 22, 2026 · 38 min

EP 78: In Defense of Autonomous Vehicles

At Black Hat USA 2025, Dan Berte, IoT Director at Bitdefender, discusses the successes and failures of ride-sharing autonomous vehicles in San Francisco, and how these lessons might help design better IoT integrations of cities and AVs in the future.

Jan 7, 2026 · 23 min

EP 77: Building a Cyber Physical System Device Library

Do you really know what’s on your network? A lot of OT devices are white labeled, meaning they have a brand name but under the hood they’re made by someone else. Sean Tufts, Field CTO for Claroty, explains how his team is using AI to sift through all the available data and build a cyber physical library that starts to add specificity to remediation operations, and improve cyber physical security overall.

Dec 9, 2025 · 27 min

EP 76: Why Security Certs for New Medical Devices Might Just Work

Diversity in healthcare devices complicates segmentation, security controls, and zero-trust approaches. New certifications aim to help. Bob Lyle, CRO of Medcrypt, identifies how layered defenses, rigorous cybersecurity requirements for new devices, continuous monitoring, and dark-web credential surveillance can reduce risk.

Nov 26, 2025 · 36 min

EP 75: IoT-based Living Off The Land Attacks and Air-Gapping Solar Systems

At Black Hat USA 2025, Dan Berte, IoT Director at Bitdefender, revisits his talk last year about hacking solar panels in light of the blackout in Spain and Portugal. While the Iberian Peninsula blackout wasn’t an attack, it shows how sensitive these systems are when mixing old and new technologies, and how living off the land attacks might someday take advantage of that.

Nov 11, 2025 · 24 min

EP 74: Turning Surveillance Cameras on their Axis

At Black Hat USA 2025, Noam Moshe from Claroty’s Team 82 revealed several vulnerabilities in Axis Communications’ IP camera systems, including a deserialization flaw that could let attackers run remote code. The team worked with Axis to patch the issues. Moshe says that this case highlights the broader security risks still common in the billions of common IoT devices in the world today.

Oct 28, 2025 · 28 min

EP 73: BADBOX 2.0: Blurring the line between bots and human for cybercrime

Ad fraud driven by both humans and AI agents requires new signals beyond traditional bot-vs-human checks. Gavin Reid and Lindsay Kaye from HUMAN Security discuss how monetization includes ad and click fraud (peach pit), selling residential proxy access, and operating botnets for hire, and how preventing harm requires dismantling criminal infrastructure and collaboration across industry, since many infected devices cannot be practically cleansed by end users.

Oct 14, 2025 · 37 min

EP 72: Does a CISSP Certification Make Sense For OT?

Certification exams increasingly reflect the IT/OT convergence, acknowledging that many protections apply across both domains, requiring holistic security approaches rather than siloed solutions. John France, CISO at ISC2, explains that as threats grow more complex, certifications, continuous learning, and diverse skills are essential to building a resilient global workforce.

Sep 30, 2025 · 27 min

EP 71: Meeting Cybersecurity Requirements That Don’t Yet Exist

The EU’s new Cyber Resilience Act (CRA) sets higher security requirements but leaves many technical details undecided. This puts pressure on vendors of connected or software-based products to either redesign, retrofit, or withdraw from the market. According to Roland Marx, Senior Product Manager at Swissbit, the CRA’s three-year rollout is meant to give companies time to adapt while regulators finalize the specifics.

Sep 16, 2025 · 47 min

EP 70: Securing Medical Devices You Might Not Have Thought to Secure

Healthcare organizations are prone to the same weaknesses that any other office or manufacturing site may have. Sonu Shankar, Chief Product Officer at Phosphorus Cybersecurity, explains how the devices you might not suspect might be the ones to bring down your organization if they’re not secured. That includes the printer used to print patient wristbands.

Sep 2, 2025 · 33 min

EP 69: Adding Crypto Agility to OT Systems

Quantum computers could break today’s encryption, leaving many OT systems—which often lack encryption entirely—at even greater risk. Dave Krauthamer, Field CTO at QuSecure, warns that nation-state attackers may target critical infrastructure like power, water, and food supplies first, making it urgent to adopt quantum-resistant cryptography across both IT and OT systems.

Aug 19, 2025 · 39 min

EP 68: Hacking Cruise Ships and Data Centers

This is a story where one maritime company found multiple vendors maintaining unrestricted VPN access to systems across a cruise vessel, exposing safety-critical functions to potential compromise. Bill Moore, CEO of Xona Systems, returns to Error Code to talk about how that company and others, such as data center operators, are recognizing their latent multiple-vendor OT exposure and learning how to address it today.

Aug 5, 2025 · 33 min

EP 67: Collateral Damage

Attacks on operational technology (OT) systems are no longer limited to nation-states; criminal groups and hacktivists now actively target these systems, often driven by financial or ideological motives. Kurt Gaudette, Vice President of Intelligence and Services at Dragos, explains why these systems might not even be the primary targets.

Jul 22, 2025 · 23 min

EP 66: Secure only the OT code that actually runs

Many organizations spend valuable security resources fixing vulnerabilities in code that never actually runs—an inefficient and often unnecessary effort. Jeff Williams, CTO and founder at Contrast Security, says that 62% of open source libraries included in software are never even loaded into memory, let alone executed. This means only 38% of libraries are typically active and worth prioritizing.

Jul 8, 2025 · 23 min

EP 65: Hacking Critical Infrastructure Through Supply Chains

Critical Infrastructure software lacks the strict liability standards found in industries like automotive manufacturing, leading to minimal accountability for insecure products when they get exploited. Alex Santos, CEO of Fortress Information Security, explains how they’re typically hired by buyers of ICS equipment—such as utilities—to assess and mitigate supply chain risks, including working with OEMs to improve security.

Jun 24, 2025 · 30 min

EP 64: Volt Typhoon

While cybersecurity threats targeting critical infrastructure, particularly the vulnerabilities of operational technology (OT) and industrial control systems (ICS), mostly originate on the business or IT side, there’s increasing concern about attacks crossing into OT, which could result in catastrophic consequences, especially in centralized systems like utilities. Michael Welch, managing director from MorganFranklin Cyber, discusses how Volt Typhoon and other attacks are living off the land, and lying in wait.

Jun 10, 2025 · 43 min

EP 63: Chief Hacking Officer

This is a story about a Chief Hacking Officer who draws on his expertise in physical and virtual security assessments—along with some intuitive AI-driven coding—to safeguard Operational Technology. Colin Murphy of Frenos and Mitnick Security talks about how some of his early assessment work with Kevin Mitnick is helping him with OT security today.

May 27, 2025 · 27 min

EP 62: Defending the Unknown in OT Security

ROI is always a tricky subject in cybersecurity. If you’re spending millions of dollars on securing your OT networks, you’d want to be able to show that it was worth it. Andrew Hural of UnderDefense talks about the need for continuous vigilance, risk management, and proactive defense, acknowledging both the human and technological elements in cybersecurity and how just because something didn’t happen doesn’t mean that it didn’t.

May 13, 2025 · 31 min

EP 61: Applying Zero Trust to OT systems

Zero Trust is a security model based on default-deny policies and fine-grained access control governed by identity, authentication, and contextual signals. For RSAC 2025, John Kindervag, Chief Evangelist of Illumio and the creator of Zero Trust, talks about introducing a "protect surface" into legacy OT systems—isolating critical data, applications, assets, or services into secure zones for targeted Zero Trust implementation.

Apr 30, 2025 · 36 min

EP 60: Hacking Solar Power Inverters

Solar power systems are rapidly becoming essential elements of power grids throughout the world, especially in the US and EU. However, cybersecurity for these systems is often an afterthought, creating a growing risk to grid stability and availability. Daniel de Santos, Head of Research at Forescout, talks about his recent research into vulnerabilities associated with solar panel inverters, how they might affect the power grid or the end-user, and what we can do about it.

Apr 15, 2025 · 39 min

EP 59: Automotive Hacking In Your Own Garage

Gone are the days when you could repair your own car. Even ICE cars have more electronics than ever before. Alexander Pick is an independent hardware hacker specializing in automotive systems. He says if you start off small, like looking at ECUs, there’s a lot of great research yet to be done by both hobbyists and professionals alike.

Apr 1, 2025 · 36 min

EP 58: Hacking Office Supplies

It’s becoming easier for criminals to use counterfeit or altered chips in common office products, such as printer toner cartridges, with the aim of espionage or simple financial gain. Tony Moor, Senior Director of Silicon Lab Services for IOActive, explains how hacking the embedded silicon within common objects in our day-to-day lives is becoming more common, and what the consequences of this lack of security might mean.

Mar 18, 2025 · 45 min

EP 57: Strengthening Embedded Device Security with Cloud-Based SCADA

Embedded devices need basic security measures like multi-factor authentication and unique credentials to reduce vulnerabilities and protect against cyber threats. Mauritz Botha, co-founder and CTO of XiO Inc., explains that cloud-based SCADA can update old systems and provide the visibility that’s currently missing.

Mar 5, 2025 · 33 min

EP 56: Hacking OT and ICS in the Era of Cloud and Automation

As industrial enterprises lurch toward digital transformation and Industry 4.0, a new report looks at the security of OT systems and finds it wanting. Grant Geyer, the Chief Strategy Officer for Claroty, talks about the findings from over one million devices in the field today, and what industries must do now to secure them.

Feb 18, 2025 · 42 min

EP 55: Building Secure Storage for Autonomous Vehicles

I recently rode in a Waymo, Google’s self-driving taxi service, and it was fantastic. What if we took that vehicle off the safe roads of California and put it in a warzone like Ukraine? If it was captured, could the enemy get its data or its algorithms? Brent Hansen, Chief Growth Officer at Cigent, talks about the data risks associated with autonomous vehicles and remote servers, and how data security is essential in these in-the-field locations.

Feb 4, 2025 · 28 min

EP 54: From Cyber Chaos to Control: Lessons from a Kansas Water District

Imagine your best worst day during a cyber attack. Can you switch to manual systems in case of a failure? Has your team practiced for that? Dave Gunter, OT Cybersecurity Director at Armexa, discusses how a water and waste water utility in Kansas responded correctly to a cyberattack in 2024 by falling back to manual and issuing clear and concise press releases to assure the public that their water was safe to drink.

Jan 21, 2025 · 34 min

EP 53: Securing Smart OT Systems Already In The Field

This is the story of how the security of OT devices in the field can be modernized through virtual isolation in the cloud, adding both authentication and encryption into the mix. Bill Moore, founder and CEO of Xona, explains how you can virtualize the OT network and interact with it, adding 2FA and encryption to legacy systems already in the field.

Jan 7, 2025 · 31 min

EP 52: Hacking Cellular-Enabled IoT Devices

This is the story of the secret life of cellular chips and why we need to mitigate against the unintended access they provide. Deral Heiland, Principal Security Researcher for IoT at Rapid7, describes a research project he presented at the IoT Village at DEF CON 32 where they compiled AT command manuals from various vendors, discovering unexpected functionalities, such as internal web services.

Dec 18, 2024 · 37 min

EP 51: Hacking High-Performance Race Cars

When we think of IoT, we first think of our smart light bulbs, our smart TVs, our smart baby monitors. However, we don't typically associate IoT with high-performance race cars, and yet they collect terabytes of data each race. Austin Allen, Director of Solutions Architecture at Airlock Digital, discusses the growing presence of smart devices and the responsibility of securing them—should it be the developers who write the code, or the individuals who implement it?

Dec 4, 2024 · 43 min

EP 50: Keeping The Lights On In Ukraine

What would happen if your GPS signal were jammed? It would impact more than just navigation – you'd also lose access to financial data and power. Joe Marshall, Senior IoT Strategist and Threat Researcher at Cisco Talos, discusses an innovative solution to maintain the country's power grid operations in the event of GPS jamming, whether it's a precautionary measure or an act of war.

Nov 19, 2024 · 44 min

EP 49: Hacking Android-Based ICS Devices

Cybercriminal tactics against ICS include direct threats against individuals for MFA credentials, sometimes escalating to physical violence if they won’t share. Jim Coyle, US Public Sector CTO for Lookout, warns about the increasing use of Android in critical Industrial Control Systems (ICS), such as HVAC systems, and how stealing MFA tokens from mobile devices could affect critical services like healthcare, finance, and water supply, depending on the goals of the attackers.

Nov 5, 2024 · 39 min

EP 48: The New Insider Threat: Hacking Corporate Office Devices

If smart buildings are vulnerable to hacking, what about smart offices? Even devices like printers and lighting systems could give an attacker a way in. John Terrill, CSO at Phosphorus, recalls a moment while working at a hedge fund when he found himself in a room filled with priceless art. He realized that the security cameras safeguarding these artworks were operating on outdated software, potentially containing known vulnerabilities.

Oct 22, 2024 · 40 min

EP 47: Hacking Smart Buildings

If you are in IT, you are probably not thinking about the risks associated with the Otis Elevator or the Coke machine. Maybe you should. Chester Wisniewski, the director and global field CTO at Sophos, points out that IoT devices, big and small, create an outsized threat to any organization. And that’s why IoT vendors need to secure these devices, even if they only “phone home” for more Coke. If they’re on your network, they need to be secured.

Oct 8, 2024 · 41 min

EP 46: Hacking Israeli-made Water Treatment Devices In Pennsylvania

Political hacktivism once mainly focused on website defacement. Now it has shifted to targeting physical devices, affecting critical infrastructure such as water treatment plants. At Black Hat USA 2024, Noam Moshe from Claroty highlighted how the HMIs in PLC devices from Israeli manufacturers may be susceptible to political attacks by nation-state actors using unknown vulnerabilities in the PComm protocol.

Sep 24, 2024 · 33 min

EP 45: Laser Fault Injections on a Shoestring Budget

What if you could build your own embedded security tools, glitching devices for a fraction of the cost that you might expect? Like having a $150,000 laser setup for less than $500. A talk at Black Hat USA 2024 says you can. Sam Beaumont (Panth13r), Director of Transportation, mobility and cyber physical systems at NetSPI, and Larry Trowell (patch), Director of hardware embedded systems at NetSPI, along with a team of others, say that you can. Their talk, Laser Beams & Light Streams: Letting Hackers Go Pew Pew, Building Affordable Light-Based Hardware Security Tooling, should be a wake-up call for all IoT and OT device vendors who should defend our IoT and OT devices, even against the unlikely attacks. Because soon enough, those attacks will become likely.

Sep 10, 2024 · 32 min

EP 44: Performing Security Assessments on ICS systems

Too few vulnerabilities in industrial control systems (ICS) are assigned CVEs because of client non-disclosure agreements. This results in repeatedly discovering the same vulnerabilities for different clients, especially in critical infrastructure. Don C. Weber from IOActive shares his experiences as an ICS security professional and suggests improvements, including following the SANS best practices for ICS security.

Aug 27, 2024 · 34 min

EP 43: Hacking Large-Scale Off-Grid Solar Systems and Other Consumer IoT Devices

At DEF CON 32, in the ICS village, researchers disclosed vulnerabilities in home and commercial solar panel systems that could potentially disrupt the grid. Dan Berte, Director of IoT security for Bitdefender, discusses his more than a decade in IoT, how the vendor maturity often isn’t there for our smart TVs or even for our solar panels, so reporting vulnerabilities sometimes goes nowhere. That doesn’t stop defenders like Dan, who, along with his team, work hard to change and to educate the industry.

Aug 13, 2024 · 50 min

EP 42: OT-CERT

The resources available at small utilities are scarce, and that’s a big problem because small water, gas, and electric facilities are increasingly under attack. Dawn Cappelli of Dragos is the Director of OT-CERT, an independent organization that provides free resources to educate and even protect small and medium-sized utilities from attack.

Jul 30, 2024 · 34 min

EP 41: Firmware SBOMs, Zero Trust, And IoT Truth Bombs

For the last twenty years we’ve invested in software security without parallel development in firmware security. Why is that? Tom Pace, co-founder and CEO of NetRise, returns to Error Code to discuss the need for firmware software bills of materials, and why Zero Trust is a great idea yet so poorly implemented. As in Episode 30, Tom is a straight shooter, imparting necessary truth bombs about our industry. Fortunately he’s optimistic about our future.

Jul 16, 2024 · 41 min

EP 40: Hacking IoT Surveillance Cameras For Espionage Operations

That camera above your head might not seem like a good foreign target, yet in Ukraine there’s evidence of Russian-backed hackers passively counting the number of foreign aid workers at the local train stations. Andrew Hural of UnderDefense talks about the need to secure everything around a person, everything around an organization, and everything around a nation because every one can be a target.

Jul 2, 2024 · 28 min

EP 39: Hacking Water Systems and the OT Skills Gap

A critical skills gap in Operational Technology security could have a real effect on your water supply and other areas of critical infrastructure. Christopher Walcutt from DirectDefense explains how the IT/OT convergence, and the lack of understanding of what OT systems are, might be contributing to the spate of water systems attacks in 2024.

Jun 18, 2024 · 40 min