Concepts Have you ever been in a meeting where everyone says the same words but you later discover that they were thinking different things? That’s what concerns me about the concept of Zones and Conduits. Security people hear the concept and they think it is related to the Purdue Enterprise Reference Architecture1 (the so-called “Purdue […]
Will the next administration finally address control system cyber security?
Addressing critical infrastructure (control system) cyber security started with the issuance of PDD 63 by President Bill Clinton in 1998. According to PDD63, the critical infrastructures were to be cyber secure within five years of issuance of the PDD – 2003. Yet control system cyber security still has not been adequately addressed by the intervening […]
Critical infrastructures cannot be secured because network security and engineering won’t work together
There continues to be a gap between the engineering organizations in end-users and control system suppliers responsible for reliability, functionality, and safety on the one hand, and the network security organizations responsible for network security on the other. Control systems are neither just engineering nor network security but a combination of both: modern networking technologies […]
Industrial Cybersecurity “Gatekeeping”
Many in IT, perhaps having been disenchanted with what should be exciting and interesting work, have noticed the scene in OT and may be thinking of making the leap from IT to OT. Speaking as an engineer of control systems, we’re happy to have you. But we do have some concerns. Yes, the pictures you […]
We need to address APT threats. Oh, by the way what is an APT?
I was working on the final edits of a project on incident management when I decided for the purpose of improving clarity for the reader to insert a footnote for the term APT or Advanced Persistent Threat. I felt I should not assume that the readers of the document would know what an APT is. […]
The need to identify control system incidents as being cyber-related
Control system cyber incidents are different from network cyber incidents because you can’t hide their impact: plane, trains, and ships crash, pipeline rupture, power and water are lost, etc. What is not identified is that many of these incidents have been cyber-related, and this failure to recognize them is because of a lack of appropriate […]
Ford recall on a control system cyber issue
These, and other types of “subtle” control system cyber issues that do not involve Internet Protocol networks demonstrate that identifying control system incidents as being cyber-related often is not obvious. NHTSA recalled 144,500 Ford Mavericks over concerns that the rearview camera display could show frozen images while backing up. November 14, 2024, NHTSA announced that […]
CISA’s new International Strategic Plan: will it improve the security of the world’s C.I.?
Solar power system inverter error code that indicates that the voltage on the grid is too high. The security of power grids even if they have been attacked from cyberspace by hostile actors is not even mentioned in CISA’s plan to protect critical “Physical” infrastructure. (photo by the author) The US Cybersecurity and Infrastructure Security […]
Network security and engineering are still not on the same page, not even the same book
There is a continuing culture chasm between cybersecurity managed by the CISO and engineering and operations personnel responsible for OT. Part of the gap stems from many CISOs’ and their teams lack of experience and understanding of control /protection systems and devices and engineering and operations requirements and work processes. Engineering and Operations have a […]
Speaking at the American Petroleum Institute (API) Cybersecurity Conference
I will be speaking at the 19th Annual API Cybersecurity Conference November 12, 2024. The other speakers in our OT/ICS session are Saltanat Mashirova from Honeywell and Jonathan Boyett from Phillips 66. My presentation will be “Process Sensor Monitoring for Cyber Security, Reliability, and Safety”. Seven years ago, I gave a 4-hour short course on […]