“And I didn’t even know what a P.L.C. was, so I had to Google for “What is a P.L.C.?” That, even, baseline knowledge, we just did not have.” – Security company’s Sr. software security analyst trying to decode Stuxnet in Fall of 2010. Some IT people (including me) have waded into OT waters with the […]
Category: General Topic
Learning incomplete lessons from a famous cyber-attack can lead to surprising and unpleasant results
“Almost to a person, the disaster planners concluded that the Abqaiq extralight crude complex was both the most vulnerable point of the Saudi oil system and its most spectacular target” – R. Baer, “Sleeping with the devil”. When a cyber incident is publically disclosed it is not a time to name and blame. It is […]
Why so Many Poorly Implemented Control Systems?
A common rant by many coming from the IT Security realm is that Industrial Control Systems integration is often poor and security is even worse. They’re quite right. What they probably don’t know is how it got that way. I have been hinting at this for some time and now I’m going unleash a rant […]
In Memory of an old Friend and Co-Worker
I knew Roy Ashlin from my earliest days at the Washington Suburban Sanitary Commission (WSSC). We were co-workers during the early days of the first SCADA system that WSSC installed. Roy wasn’t in the best of health. One of his legs had to be amputated just above the knee due to a blood clot. He […]
Justifying an ICS Lab
Introduction It dawned on me recently that that there is very little discussion on why an Industrial Control Systems (ICS) lab is needed or what it is used for. I am jotting down these notions in the hope that others can add to this discussion and help justify a lab to managers who may not […]
New definition – “cyberg”
[Updated 2033 hrs Central: I’ve made a few tweaks to the definition.] I’ve thought of ingenious ways of creating words that are both funny and meaningful. Reason for this way of thinking is the ever-growing number of cyber threats, attacks and vulnerabilities, and how little we (as a society in general) are doing anything about […]
Targeting Control and Safety Instrumented Systems (SIS): new escalation of cyber threats to critical [energy] infrastructure
“It is no use saying, ‘We are doing our best.’ You have got to succeed in doing what is necessary.” – Winston Churchill Introduction Industrial Control and Safety systems play an important part in insuring that the physical processes taking place in a manufacturing plant, power generation facility or other segment of critical infrastructure do […]
Computer Science programs may fall short in contributing to critical infrastructure protection
“There’s a great future in plastics. Think about it. Will you think about it?” – Advice given to a young man in the 1967 Film, “The Graduate” (1) In the 1967 film, “The Graduate” an older man gives insider advice to a young person struggling to decide on a future career. I was in […]
Remember why ICS happened in the first place
I’ve seen people in a project who have spared very little to defend the industrial control system. They mean well. But sadly, they’re overlooking the basic economics that drove Industrial Control Systems (ICS) in to being. Engineers designed the first control systems so that the process could be managed more easily, with fewer staff, and […]
What was that Purdue Model stuff, anyway?
The Purdue Enterprise Reference Architecture (commonly known as the Purdue Model) for control systems is old. People have forgotten what it originally was about. When it was first introduced, the big concern behind the Purdue Model was keeping computing and networks deterministic so that they wouldn’t fault. Toward that end, it introduced network segmentation as […]
