Many years ago I was fortunate to have two friends who each owned a wooden sailboat. One was a 31-foot Norwegian Knarr made from African mahogany and the other was a 28-foot sloop. To earn a place on the crew I pitched in with all the work in maintaining those boats during the winter. Since […]
Category: Policy
The lack of comprehensive investigation and sharing of lessons from industrial control system incidents will continue to leave others as sitting ducks.
This past week news has surfaced about cyber-attacks directed against German industry. In particular about a suspected case of cyber espionage at ThyssenKrupp (1) (2). The announcement that a German steel maker was cyber attacked reminded me about the 2014 German Federal Government IT Department’s (BSI) report of a cyber-attack at an unidentified steel mill […]
In seeking to protect industrial control systems are we clear about what is being threatened and from what threats?
Reading the recently published Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) White Paper on Malware Trends left me somewhat unimpressed and disappointed. Whenever I read a document about cybersecurity, especially one written by an institution dealing with the security of industrial control systems, I am keen to see how the authors […]
If control systems move back to analogue can we still keep our smart phones?
I have been following the discussion about the return to analogue. Both this and the Industry 4.0 movement are new to me and have put them on my “study this more” list. Recently a colleague sent me a paper, “The Case for Simplicity in Energy Infrastructure” (1) , which has captured my imagination. It very […]
Meditations on Icelandic tomatoes and the challenge of raising cybersecurity awareness
Raising the awareness for a cybersecurity practitioner about the vulnerabilities of IT and Industrial Control Systems to today’s threats emanating from cyberspace can sometimes resemble the hopeless task of Sisyphus(1). The practitioner has the knowledge but it is not an easy thing to convey the concerns to higher management that may not be as technically […]
Seeking to Develop Exercises That Test Response Capabilities to Any Threat & Add Value
Conducting an exercise can be a very useful tool for testing policies, procedures and actions of institutions for dealing with a perceived threat scenario. It offers the advantage of providing an idea of what would really happen if the worst was to happen without doing any real damage. It can provide answers to questions without […]
Smart Technology That Isn’t So…”Smart”
During the week of July 17th, I attended and spoke at the “Business Opportunities Gateway Forum – Electrical Power and Energy” which was held in Vilnius and organized by the Society of Electrical and Electronic Engineers in Israel. I looked forward to this event for the opportunity to spend some time with engineers and talk […]
More Problems with the Risk Equation
That rant I wrote earlier got me thinking even more… The first presumption that the risk equation gets wrong is that generic risk is linear and additive. It is not. Let’s assume that someone sabotages the brakes in your car. You still have the parking brake that uses a completely separate system. You may not […]
Why ISA-99/IEC 62443 is in Trouble
Before I reveal this e-mail I sent to the ISA-99 list, one should understand the discussion leading up to my rant. The ISA-99 list had been trying to frame its discussion in terms of existing security standards. In my opinion, they’re making an enormous mistake. Industrial control system security should not be pigeonholed in to […]
When “IoT” Becomes “Expl-IoT”
Ok, so I am being sarcastic with the title — I get it. But let me ask you when you read this: are you entirely certain that the ‘Internet of Things’ — more importantly — (a new term recently introduced by several industry ‘leaders’) the ‘Industrial Internet of Things’…isn’t just another ‘sales job’? First, why […]