As there is still confusion about the cyber security of process sensors and other Purdue Reference Model Level 0,1 field devices, I was asked to review NIST Special Publication (SP) 1800-32 “Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity” for applicability to legacy process sensors. The title of SP 1800-32 is […]
Category: Policy
The OT paradigm is broken technically and culturally – it must be fixed
On January 26, 2022. it became evident that the OT paradigm is broken. December 29th, the article was published that more than 3,000 smart instruments in a petrochemical facility had no passwords, even by default. January 21st, SAE/MITRE held a meeting on hardware vulnerability disclosures where IOT and ICS were not addressed including for sensors […]
Cybergs sighted: course correction required for critical infrastructure protection
“Engineer Scott, please report to the bridge immediately” Frequently heard in some 1960’s era TV shows Are we being encouraged to implement the right measures for protecting the technologies used to monitor and control physical processes found in critical infrastructure or have we hit a cyberg[1]? This is the question I asked myself when first […]
Control System Cyber Incidents Are Real and Current Prevention and Mitigation Strategies Are Not Working
There have been almost 12 million control system cyber incidents globally across all sectors resulting in more than 1,500 deaths, and more than $90 Billion USD directly damage. Our article, “Control System Cyber Incidents Are Real—and Current Prevention and Mitigation Strategies Are Not Working”, has been published in the January issue of IEEE Computer magazine. […]
[UPDATE] IT v. OT v. ICS Paradigm Framework, Revision 3
Shown below is the most recent version of the IT v. OT v. ICS paradigm framework, along with examples of recent attacks (only) since (approximately) 2010. Please note that this updated paradigm framework is to provide a frame of reference insofar as to how IT and OT v. ICS complement, yet are uniquely different, from […]
There’s more to control system cybersecurity than IT and OT networks – TSA is missing that distinction
Control system cyber incidents affecting pipelines, rail, and aviation have caused catastrophic damage resulting in multi-billion-dollar impacts and hundreds of deaths. Detecting cyberattacks against IT and OT networks can be done today. However, the same cannot be said for detecting control system cyber incidents (attacks and unintentional incidents) that occur with the cyber insecure control […]
Power grid cyber security recommendations still don’t address key grid cyber vulnerabilities
In August 2021, DNV published DNV-RP-0575, “Recommended Practice, Cyber security for power grid protection devices”. The Recommended Practice is important as it was developed based on the results of a joint research and development project with Fingrid (Finland), Stattnet SF (Norway), and Svenska Kraftnet (Sweden) and used by T&D India following the Chinese cyberattacks. The […]
The utilities are not addressing the cyber security that will keep lights on
On November 16-17, 2021 the utility industry conducted its biennial grid security exercise – GridEx VI. The exercise addressed the hybridized attacks of IT and OT networks which included ransomware as well as physical security. The lack of cybersecurity in the grid’s process sensors is a common mode vulnerability that affects both situational awareness and incident […]
Addressing Chinese-made equipment in the electric industry – a success story
Monday, November 15, 2021 a public utility commission in a hearing on a major new transmission project referenced my blog on the DNI report on Chinese-made transformers, https://www.controlglobal.com/blogs/unfettered/dni-identifies-chinese-transformers-as-cyber-vulnerable-risks-yet-doe-and-industry-ignore-the-threat/ in a question to the utility. In response, the utility stated they would not be using Chinese-made transformers in this project. I consider that to be a […]
The gaps preventing cyber securing physical infrastructures
Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. I have not used the term “critical infrastructure” as these issues apply to any physical infrastructure. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is […]