What would Sun Tzu and Louis Pasteur say about today’s industrial cybersecurity?

Have been following the discussions on industrial cybersecurity, convergence, network vs device security, and IT vs OT vs ICS[2]. Some of the points of view differ greatly on what needs to be done.  This lack of consensus indicates that something may be wrong with our assumptions and our approach.   A disturbing lack progress being […]

A critical look at the CSIS Report “Dismissing Cyber Catastrophe”

Jim Lewis is a Sr VP at the Center for Strategic and International Studies (CSIS). He wrote the article “Dismissing Cyber Catastrophe” dated August 17, 2020 – https://www.csis.org/analysis/dismissing-cyber-catastrophe?utm_source=CSIS+All&utm_campaign=e4d5b3e04c-EMAIL_CAMPAIGN_2018_11_08_05_05_COPY_01&utm_medium=email&utm_term=0_f326fc46b6-e4d5b3e04c-221758737 . In ‘Dismissing Cyber Catastrophe,’ Jim argues that concerns about industrial cyber security are overblown and the risk is exaggerated. Because the view that ‘cyber catastrophes’ are […]

Perhaps one step backward in building CIP capacity?

“The definition of insanity is doing the same thing over and over again and expecting a different result                                                                                                – Attributed to A. Einstein A recent post titled “Regarding (AA20-049A) Ransomware Impacting Pipeline Operations”   on SCADASEC pointed out the FUD promoting aspects of an alert published by  The Cybersecurity and Infrastructure Security Agency (CISA) at […]

Targeting Control and Safety Instrumented Systems (SIS): new escalation of cyber threats to critical [energy] infrastructure

“It is no use saying, ‘We are doing our best.’ You have got to succeed in doing what is necessary.” – Winston Churchill Introduction Industrial Control and Safety systems play an important part in insuring that the physical processes taking place in a manufacturing plant, power generation facility or other segment of critical infrastructure do […]

Attribution: An impossible/inconvenient task or a way to get an APT off one’s back?

Recently on the SCADASEC list there have been discussions of reports of cyber attacks on the critical infrastructures of other states with the naming of the state that is responsibe. Some say attribution of responsibility is far less important than actually investigating what happened and applying the lessons learned where appropriate. This latter approach is […]