If you can’t trust what you measure, there is no cyber security, resiliency, process safety, productivity, or predictive maintenance in any critical infrastructure or cyber-physical system. Process sensors have no cyber security or authentication yet use remote access extensively as documented in the process sensor vendors’ specifications. ISA and NIST have identified there is no cyber […]
Category: Critical Infrastructure
Surface transportation is cyber vulnerable and control system issues are not adequately addressed
May 25, 2023, I gave a presentation to the American Public Transportation Association’s (APTA) Enterprise Cybersecurity Working Group (ECSWG) and Control and Communications Security Working Group (CCSWG) teleconference on “Undetected ICS Cyber Incidents”. The general status was the same as for oil/gas, electric, nuclear power, water/wastewater, medical devices, etc. That is, the focus being on […]
“Chattinn Cyber” with Marsh’s Marc Schein on critical infrastructure cyber security
Marc Schein is the Northeast Cyber Champion for Marsh & McLennan (insurance). Marc has spoken before members of Congress and leaders in the Aviation Industry on Capitol Hill regarding the issues and costs of cyber breaches, and how to properly transfer risk to ensure that an organization or business is properly protected from what might […]
How can you do incident response if you can’t recognize an incident?
Cyber incident response starts with the assumption that you can recognize a control system cyber-related event as being a cyber event. Globally, there have been more than 17 million control system cyber incidents that have killed more than 34,000 yet most of the incidents were not identified as being cyber-related. There is no training for […]
Do You Really Need Remote Access?
Imagine an airliner where the pilot and copilot aren’t communicating with each other. They both know roughly where they’re going, and what needs to get done, but they’re not coordinating. They will both do some tasks and they will assume the other is handling the other tasks. How long do you think it will be […]
Florida city water cyber incident allegedly caused by employee error
The Oldsmar, Florida, water treatment plant was the target of a cyberattack in 2021, which raised concerns about the cyber vulnerability of crucial infrastructure. Reports at the time claimed that a worker at the company witnessed his computer being accessed and managed remotely. The amount of sodium hydroxide, also known as lye, in the water […]
NERC Cyber Security Incident Reporting Is Obscuring the Truth
The electric industry is recognized as the most critical of critical infrastructures. Consequently, one would expect that incident reporting would be important and trusted. Unfortunately, this is not occurring as can be seen by the discrepancies between the DOE OE-417 reporting and the NERC submittal to FERC. It is evident the DOE and NERC CIP […]
The National Cybersecurity Strategy fails to address fundamental control system and critical infrastructure issues
In May 1998, Presidential Decision Directive (PDD) 63 mandated the cyber security of critical infrastructures be implemented by May 2003. Twenty years and multiple PDDs and Presidential Executive Orders later, the government agencies responsible for securing the critical infrastructures are still failing to adequately address the issues that can cripple our country and its critical […]
Regulatory gaps drive systemic under-reporting and poor situational awareness
Control system cyber impacts are visible – lights go out, pipes leak or break, trains crash, planes crash, etc. However, it is often not evident that cyber played a role. Many times, sophisticated cyber attackers will make a cyberattack look like an equipment malfunction. There have been cyberattacks by Russia and China on US grids […]
The need for correct, authenticated pressure measurements for reliability, safety, and cyber security
Correct pressure and other process sensor measurements are necessary for reliability, product quality, maintenance, process safety, and cyber security. These devices can be incorrect for unintentional or malicious reasons. January 13, 2023, Abhishek Sharma published the ISA blog – “The wisdom of correct pressure measurements”. It is a good blog but doesn’t address all of […]