It is going to happen sooner or later. Someone raises the question: Have we been hacked? It seems like a simple question. However, before we can ever get to the “it must be a hack” phase, we need to eliminate all the other likely failure modes. Some of them can be very subtle and difficult […]

When I see most OT staff discuss ICS security, they usually begin with some networking gewgaws and tweaks. This sort of stuff is interesting the first few times going through this exercise. However, it doesn’t take long to realize that network security alone is a multi-headed hydra of a problem. The more we try and […]

Once the pain of a risk assessment is over, a few managers look at each other and decide on what changes they would like to make. Usually an IT expert comes in to install new network security hardware or someone is tasked with revising documentation; but rarely does anyone tinker with assigning responsibility. Nobody wants […]

Understanding Industrial Process Control Buried among the design blue prints and volumes of handbooks, there are two documents of great significance to anyone who cares about ICS security. The names may be slightly different than what I’m calling them here, but the concept is the same. First is the Process Description. It is an overview […]

Understanding Industrial Security Before computer security was a thing, there was Industrial Security. It was primarily physical: Guards, Gates, Guns. The guards would periodically patrol the fence to ensure that there were no holes or evidence of tampering. They had guns to ward off direct attacks and to enforce policy within the plant. They would […]

How Much to Budget? Many are flummoxed when working on budgets such as ICS Security. Security contains many aspects that are actually routine activities that we should be doing anyway, that actually do have an ROI. If a few minor improvements are made, it can be integrated in to security. Inventory For example, go to […]

The problem with discussing risk on a SCADA/ICS network, especially the way that most security guidelines describe it, is that it isn’t a linear function. In other words, the risk of A happening, B happening, and C happening is not A times B times C. That might be true with safety, but it is definitely […]

On June 7th the European People’s Party organized a public hearing on Cybercrime and Cybersecurity at the European Parliament in Brussels, Belgium (1) . It was a great honor to be invited as a speaker on Cybersecurity and Critical Energy Infrastructure for the second panel discussion covering the theme of “Cybersecurity: improving European industry”. I […]

“But as soon as we find out that it’s state-sponsored, or there may be state actors involved, we back away from that.” – Interpol digital crime centre director Sanjay Virmani Seems that the WannaCry incident should appear on anyone’s short list of notable cyber incidents of 2017 (so far). Some reports in the press have […]

Let’s fast forward in to the near future. The network configuration is well documented. The hashes of all code are known and recorded. Firewalls have been installed in appropriate places. The network traffic rates and patterns are known and monitored.  Physical LAN port statuses are monitored. In other words the control systems integrity is monitored […]