I have written about this in other places, but for ease of understanding I’ll repeat it here: Control Systems Engineers are usually among the very last people to touch a capital project before the client signs off on substantial completion. By this time, the project is almost always late, over budget, and everyone is scrambling […]
Category: General Topic
Addressing the Complexity of ICS Security
Introduction I may have given the impression in an earlier blog that the security people are the cause of the recent resurgence of interest in retro technologies of control systems. They’re certainly a symptom, but the disease is much larger than that. I have said this many times: If you want a reflection of how […]
Impressions, surprises and renewing collaborative efforts while co-moderating a tabletop exercise
This past week was quite challenging as I was just coming from a visit to a pipeline asset owner in Germany[1] and needed to switch gears and support our Centers Tabletop Exercise Coherent Resilience 2019[2]. Each experience seemed to complement the other as in the former I was immersed in the real world of an […]
Impressions from a „live-fire“ cyber exercise relevant to ICS security
Last week I participated quite by accident in a NATO „live-fire“ cyber exercise called „Locked Shields“[1]. Part of it was held in my building since we provided work space for the team from Lithuania in this on-line international military exercise. I was interested in getting inside but without an invitation I thought I would just […]
That “Something wicked this way comes” is back again.
“Really knowing is good. Not knowing, or refusing to know, is bad, or amoral, at least. You can’t act if you don’t know. Acting without knowing takes you right off the cliff.” ― Ray Bradbury, Something Wicked This Way Comes Read an article about recent evidence that Triton/Trisis or something similar to it may have […]
Regarding OT solutions coming from traditional IT security vendors
“And I didn’t even know what a P.L.C. was, so I had to Google for “What is a P.L.C.?” That, even, baseline knowledge, we just did not have.” – Security company’s Sr. software security analyst trying to decode Stuxnet in Fall of 2010. Some IT people (including me) have waded into OT waters with the […]
Learning incomplete lessons from a famous cyber-attack can lead to surprising and unpleasant results
“Almost to a person, the disaster planners concluded that the Abqaiq extralight crude complex was both the most vulnerable point of the Saudi oil system and its most spectacular target” – R. Baer, “Sleeping with the devil”. When a cyber incident is publically disclosed it is not a time to name and blame. It is […]
Why so Many Poorly Implemented Control Systems?
A common rant by many coming from the IT Security realm is that Industrial Control Systems integration is often poor and security is even worse. They’re quite right. What they probably don’t know is how it got that way. I have been hinting at this for some time and now I’m going unleash a rant […]
In Memory of an old Friend and Co-Worker
I knew Roy Ashlin from my earliest days at the Washington Suburban Sanitary Commission (WSSC). We were co-workers during the early days of the first SCADA system that WSSC installed. Roy wasn’t in the best of health. One of his legs had to be amputated just above the knee due to a blood clot. He […]
Justifying an ICS Lab
Introduction It dawned on me recently that that there is very little discussion on why an Industrial Control Systems (ICS) lab is needed or what it is used for. I am jotting down these notions in the hope that others can add to this discussion and help justify a lab to managers who may not […]