The impacts of control system incidents are obvious, but their causes are usually less clear, especially when they might be cyber-related. However, control system cyber incidents have impacted the behavior and operation of ships as well as other critical infrastructures. GPS hacks have altered ships’ positions and displays. Some Chinese critical infrastructure such as port […]
Water Utility Cybersecurity, EPA & CISA, and You
Before I begin, allow me to cite what we’re talking about: https://www.epa.gov/system/files/documents/2024-03/epa-apnsa-letter-to-governors_03182024.pdf The Environmental Protection Agency (EPA), and Cybersecurity and Infrastructure Security Agency (CISA), under direction from the Biden Administration, are pushing FUD (Fear, Uncertainty, and Doubt) to encourage cybersecurity with most water utilities. Yes, water utilities do need to improve their cybersecurity stance. However, […]
Exploiting remote access – the ultimate living off the land attack
Remote access to control systems is necessary for equipment reliability and availability. Securing remote access is a very tough problem because it is a double-edged sword providing needed reliability improvement and a potential vehicle for Living-off-the-Land attacks. Cyber security technologies exist to secure remote access from external intruders. However, cyber security programs are not adequately […]
Learn to Say No
When I first joined the water utility I discovered that my division chief, we’ll call him Ed, constantly projected himself as a crusty authoritarian figure. Every time someone would approach him with some “new idea,” perhaps even something he’d like to do, his first answer was almost always a resounding “No.” And unless they were […]
The US electric industry is not responding to cyber-vulnerable Chinese equipment
The electric grid is interconnected. The interconnectivity goes not only between utilities but also between facilities connected to the grid. The Chinese (and other threat actors) are exploiting this cyber security gap. Chinese transformers, cranes, inverters, process sensors, etc. are comparably well-made and inexpensive leading to their continued use in US critical infrastructures. Many of […]
False process sensor data can be catastrophic, but are not adequately addressed
The impetus for this blog was twofold: first, a Concordia University study dated January 24, 2024, which concluded that tampering with the electric system sensors could cause grid fluctuations, and second, my meeting with the engineer who scientifically documented that the radiation monitoring system outside the Chernobyl nuclear plant was compromised with false data. The […]
Getting Into OT
With all the public emphasis on infrastructure, many are asking how to “break into” Operational Technology (OT). It isn’t hard. But there are a few caveats. This blog is my experience and perceptions. There are others, so don’t take what I say as the only reality. There is a widespread perception that field work in […]
IEEE Computer article on identifying control system cyber incidents
The article “There Is No Chilling When Your Control System Cybersecurity Is Unfulfilling” is in the December 2023 issue of IEEE Computer magazine. The article discusses the importance of identifying control system incidents as being cyber-related as the identification is the starting point for cyber incident response programs. The example in the article is the shutdown of […]
Whose list of top cybersecurity events of 2023 is worth using?
Happy New Year everyone. As 2023 came to an end several “top 10” year-end cybersecurity lists were published by various organizations. One of them was by ESET a security company based in Slovakia that has provided much useful analysis and news about cybersecurity in the past. Its website claims it has “experienced researchers with in-depth […]
Why is CISA not addressing the PLCs in the Unitronics PLC attack?
The Unitronics PLC hack is an Iranian IRGC supply chain attack against multiple US critical infrastructures on US soil (it has also affected international users) targeting the Israeli-made Unitronics PLCs through its customers. The CISA response has been less than satisfactory as this was an attack against the PLCs whereas CISA’s recommendations only addressed IT […]