“It was the best of times it was the worst of times, it was the age of wisdom, it was the age of foolishness” – Charles Dickens, – Tale of Two Cities Never before have I felt so strongly of the existence of separate worlds of understanding between IT and ICS as I have had […]
Category: Critical Infrastructure
Good news for ICS protection: ISA providing new ISA/IEC 62443 based industrial cybersecurity training
The great Chinese military strategist Sun Tzu in his book the “Art of War” stated that (to paraphrase) “if you know yourself and the enemy, you will prevail in every battle”. This saying is applicable to the protection of industrial control systems that comprise the technical foundation for today’s critical infrastructure. One of the long-term […]
Not for navigation, information provided may not represent the true position
Many years ago I was fortunate to have two friends who each owned a wooden sailboat. One was a 31-foot Norwegian Knarr made from African mahogany and the other was a 28-foot sloop. To earn a place on the crew I pitched in with all the work in maintaining those boats during the winter. Since […]
The lack of comprehensive investigation and sharing of lessons from industrial control system incidents will continue to leave others as sitting ducks.
This past week news has surfaced about cyber-attacks directed against German industry. In particular about a suspected case of cyber espionage at ThyssenKrupp (1) (2). The announcement that a German steel maker was cyber attacked reminded me about the 2014 German Federal Government IT Department’s (BSI) report of a cyber-attack at an unidentified steel mill […]
Simulations don’t have to be expensive or labor intensive in order to explain key concepts about IT and ICS security
It can be hard to understand amidst all the IT biased (towards Confidentiality, Integrity and Availability of information) cybersecurity hoopla how today’s IT threats emanating from cyberspace can affect industrial control systems. IT security questions can be hard to understand for the ICS practitioner (who leans towards different security priorities of Safety, Availability, Integrity and […]
In seeking to protect industrial control systems are we clear about what is being threatened and from what threats?
Reading the recently published Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) White Paper on Malware Trends left me somewhat unimpressed and disappointed. Whenever I read a document about cybersecurity, especially one written by an institution dealing with the security of industrial control systems, I am keen to see how the authors […]
SCADA Radio follies
I maintain several SCADA masters with licensed MAS radios. The older radios had served us long and well. However, we’re starting to see failures on the back side of the classic bathtub curve. Two days ago, we installed a new radio at one of our smaller master sites. This was our first swap-out of a […]
If control systems move back to analogue can we still keep our smart phones?
I have been following the discussion about the return to analogue. Both this and the Industry 4.0 movement are new to me and have put them on my “study this more” list. Recently a colleague sent me a paper, “The Case for Simplicity in Energy Infrastructure” (1) , which has captured my imagination. It very […]
Security Wrongs and Rights
I’m noticing a disturbing trend of late: Some end-users are actively trying to impose security from outside staff upon operations. In fact, some vendors are suggesting that this is a good thing to do. Sadly, imposing security on others is a doomed effort. They’re going to fail badly because they’re not thinking ahead of the […]
Meditations on Icelandic tomatoes and the challenge of raising cybersecurity awareness
Raising the awareness for a cybersecurity practitioner about the vulnerabilities of IT and Industrial Control Systems to today’s threats emanating from cyberspace can sometimes resemble the hopeless task of Sisyphus(1). The practitioner has the knowledge but it is not an easy thing to convey the concerns to higher management that may not be as technically […]