I am on several mailing lists and get news about ICS cybersecurity and bulletins. This past week I looked at another vulnerability bulletin characterized as “Exploitable remotely/low skill level to exploit” and that the exploit “could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system”. I looked further down and read […]
Category: General Topic
Lessons From the Tower of Babel
Preface and Notes I am an Engineer. This is a discussion about Engineering, not Religion, or even History. It contains references to texts having religious aspects; but those aspects are not the purpose of this discussion. If this offends you, either because it has a religious element, or because it is a secular viewpoint of […]
Virtualizing a PLC?
In the fourth season of the cartoon sitcom The Simpsons, there was an episode where the town was flim-flammed by a salesman pitching a Monorail for the town. Everyone saw it as a great idea, but nobody could say why. Marge Simpson had her doubts, and of course, she was right. It didn’t work out. […]
Back to Basics of Control
I have written about this in other places, but for ease of understanding I’ll repeat it here: Control Systems Engineers are usually among the very last people to touch a capital project before the client signs off on substantial completion. By this time, the project is almost always late, over budget, and everyone is scrambling […]
Addressing the Complexity of ICS Security
Introduction I may have given the impression in an earlier blog that the security people are the cause of the recent resurgence of interest in retro technologies of control systems. They’re certainly a symptom, but the disease is much larger than that. I have said this many times: If you want a reflection of how […]
Impressions, surprises and renewing collaborative efforts while co-moderating a tabletop exercise
This past week was quite challenging as I was just coming from a visit to a pipeline asset owner in Germany[1] and needed to switch gears and support our Centers Tabletop Exercise Coherent Resilience 2019[2]. Each experience seemed to complement the other as in the former I was immersed in the real world of an […]
Impressions from a „live-fire“ cyber exercise relevant to ICS security
Last week I participated quite by accident in a NATO „live-fire“ cyber exercise called „Locked Shields“[1]. Part of it was held in my building since we provided work space for the team from Lithuania in this on-line international military exercise. I was interested in getting inside but without an invitation I thought I would just […]
That “Something wicked this way comes” is back again.
“Really knowing is good. Not knowing, or refusing to know, is bad, or amoral, at least. You can’t act if you don’t know. Acting without knowing takes you right off the cliff.” ― Ray Bradbury, Something Wicked This Way Comes Read an article about recent evidence that Triton/Trisis or something similar to it may have […]
Regarding OT solutions coming from traditional IT security vendors
“And I didn’t even know what a P.L.C. was, so I had to Google for “What is a P.L.C.?” That, even, baseline knowledge, we just did not have.” – Security company’s Sr. software security analyst trying to decode Stuxnet in Fall of 2010. Some IT people (including me) have waded into OT waters with the […]
Learning incomplete lessons from a famous cyber-attack can lead to surprising and unpleasant results
“Almost to a person, the disaster planners concluded that the Abqaiq extralight crude complex was both the most vulnerable point of the Saudi oil system and its most spectacular target” – R. Baer, “Sleeping with the devil”. When a cyber incident is publically disclosed it is not a time to name and blame. It is […]