<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Technical on Cutaway Security</title><link>https://www.cutawaysecurity.com/categories/technical/</link><description>Recent content in Technical on Cutaway Security</description><generator>Hugo -- gohugo.io</generator><language>en</language><lastBuildDate>Sun, 19 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://www.cutawaysecurity.com/categories/technical/index.xml" rel="self" type="application/rss+xml"/><item><title>AI Gives Attackers OT Expertise on Demand. Here's What the Technique Looks Like on a Real PLC. (Part 1)</title><link>https://www.cutawaysecurity.com/blog/ai-gives-attackers-ot-expertise-on-demand-part-1/</link><pubDate>Sun, 19 Apr 2026 00:00:00 +0000</pubDate><guid>https://www.cutawaysecurity.com/blog/ai-gives-attackers-ot-expertise-on-demand-part-1/</guid><description>&lt;p>&lt;em>Earlier this week I said AI was closing the knowledge gap for attackers faster than the industry was ready for. This is the technique, demonstrated.&lt;/em>&lt;/p>
&lt;figure>&lt;img alt="Ladder logic screenshot from the CLICK PLUS PLC programming software" src="https://www.cutawaysecurity.com/img/wp/2026/04/ics613_flow_meter_LL.png">&lt;/figure>
&lt;hr>
&lt;p>&lt;strong>TL;DR for OT leadership:&lt;/strong> Threat actors no longer need years of industrial experience to plan targeted attacks on your operational process. They need your configuration files (logic exports, address maps, HMI project files, manufacturer reference documents) and access to a production AI tool. With those, the AI tool supplies the process expertise the attacker does not have. It reads the logic, infers the physics, maps cross-system dependencies, and produces ranked attack paths with protocol-level instructions for executing them. The industrial-process knowledge gap that used to be a natural barrier against precision attacks has collapsed. For leadership, that changes three priorities. First, configuration files are process intelligence and must be protected like safety documentation. That means backup validation, integrity checks, and inventories of every copy wherever it lives, including copies held by vendors and contractors, and copies on the IT network. Second, remote access to engineering workstations deserves the same scrutiny you apply to your highest-value production systems, because that is where the intelligence lives. Third, the investment required for an adversary to weaponize this technique is trivial: a single analyst workday and a few dollars of API cost. Assume it is in use today, and fund your teams accordingly.&lt;/p></description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://www.cutawaysecurity.com/blog/ai-gives-attackers-ot-expertise-on-demand-part-1/feature.png"/></item><item><title>AI Gives Attackers OT Expertise on Demand. Here's What the Technique Looks Like on a Real PLC. (Part 2)</title><link>https://www.cutawaysecurity.com/blog/ai-gives-attackers-ot-expertise-on-demand-part-2/</link><pubDate>Sun, 19 Apr 2026 00:00:00 +0000</pubDate><guid>https://www.cutawaysecurity.com/blog/ai-gives-attackers-ot-expertise-on-demand-part-2/</guid><description>&lt;p>&lt;em>Part 2. 
The first post showed what the technique produces. This post covers what it costs to produce, and what those numbers should change about how you fund your OT cybersecurity program.&lt;/em>&lt;/p></description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://www.cutawaysecurity.com/blog/ai-gives-attackers-ot-expertise-on-demand-part-2/feature.png"/></item><item><title>Proxmox AI Development Lab</title><link>https://www.cutawaysecurity.com/blog/proxmox-ai-development-lab/</link><pubDate>Sat, 11 Apr 2026 00:00:00 +0000</pubDate><guid>https://www.cutawaysecurity.com/blog/proxmox-ai-development-lab/</guid><description>&lt;h2 id="tldr">TL;DR&lt;/h2>
&lt;p>Setting up a proper Windows testing environment for ICS/OT security tool development goes beyond spinning up a single VM. You need multiple Windows versions, from legacy Windows 7 through Server 2022, templated, sysprepped, and network-isolated so you can rapidly deploy clean test systems and tear them down when you&amp;rsquo;re done. This post summarizes my experience building a Proxmox-based development lab with automated VM management for testing &lt;a href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon" target="_blank" rel="noreferrer">Sysmon&lt;/a> configurations and security scripts across every supported Windows version. The complete setup guide is available as a &lt;a href="https://www.cutawaysecurity.com/img/wp/2026/04/proxmox-dev-lab-guide.pdf">PDF download&lt;/a>. We document these projects both to remember what we have done and to help others with similar projects.&lt;/p></description></item><item><title>Radio Expert Staged the Flipper Zero Meter Attack?</title><link>https://www.cutawaysecurity.com/blog/radio-expert-staged-the-flipper-zero-meter-attack/</link><pubDate>Wed, 14 Jun 2023 00:00:00 +0000</pubDate><guid>https://www.cutawaysecurity.com/blog/radio-expert-staged-the-flipper-zero-meter-attack/</guid><description>&lt;p>Initially, I ignored the YouTube video, &lt;a href="https://www.youtube.com/watch?v=K3_0XHlCEQg" target="_blank" rel="noreferrer">Flipper Zero attacking Smart Power Meters&lt;/a>. I watched it. I thought it was “interesting.” But I did not want to spend a lot of time on it. After all, it has been over ten years since my Black Hat / DEFCON 20 talk, &lt;a href="https://www.youtube.com/watch?v=L7dOTncK8fk" target="_blank" rel="noreferrer">Looking into the Eye of the Meter&lt;/a>. I do not have the time, resources, or permission to do any more work on smart meters. 
So, I figured I would leave it to others to address the findings in this video and the person involved.&lt;/p></description></item><item><title>Learning Ghidra Basics Analyzing Firmware</title><link>https://www.cutawaysecurity.com/blog/learning-ghidra-basics-analyzing-firmware/</link><pubDate>Fri, 06 Mar 2020 00:00:00 +0000</pubDate><guid>https://www.cutawaysecurity.com/blog/learning-ghidra-basics-analyzing-firmware/</guid><description>&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p>It has been a while since I have analyzed any program or firmware. The majority of my previous experiences were analyzing Capture The Flag (CTF) binaries with the help and instruction from my good friend &lt;a href="https://www.grimm-co.com/about/matt-carpenter" target="_blank" rel="noreferrer">Matt Carpenter&lt;/a> of &lt;a href="https://www.grimm-co.com" target="_blank" rel="noreferrer">Grimm Security&lt;/a>. While extremely helpful, I always knew I was looking for a vulnerability that should be easy to find since I mainly stuck with the easy-to-medium difficulty challenges. Analyzing actual firmware for a vulnerability is much different. While most programs &amp;ldquo;should&amp;rdquo; have vulnerabilities, there is no guarantee of a flag at the end, like in CTF binaries, that can be verified by submitting a string of bytes for points.&lt;/p></description></item></channel></rss>