That rant I wrote earlier got me thinking even more… The first presumption that the risk equation gets wrong is that generic risk is linear and additive. It is not. Let’s assume that someone sabotages the brakes in your car. You still have the parking brake that uses a completely separate system. You may not […]
Category: Policy
Why ISA-99/IEC 62443 is in Trouble
Before I reveal this e-mail I sent to the ISA-99 list, one should understand the discussion leading up to my rant. The ISA-99 list had been trying to frame its discussion in terms of existing security standards. In my opinion, they’re making an enormous mistake. Industrial control system security should not be pigeonholed into […]
When “IoT” Becomes “Expl-IoT”
Ok, so I am being sarcastic with the title — I get it. But let me ask you when you read this: are you entirely certain that the ‘Internet of Things’ — more importantly — (a new term recently introduced by several industry ‘leaders’) the ‘Industrial Internet of Things’…isn’t just another ‘sales job’? First, why […]
Why the Infatuation With Risk?
At a recent meeting of ICS Security “experts,” the discussion turned to risk-assessment standards. I posed the question: Why are we so infatuated with the Risk Equation when it offers so little guidance? “Why not use consequences and defenses?” I asked. “Isn’t that how most engineers and operators think?” “Risk is what they understand […]