The Purdue Enterprise Reference Architecture (commonly known as the Purdue Model) for control systems is old. People have forgotten what it originally was about. When it was first introduced, the big concern behind the Purdue Model was keeping computing and networks deterministic so that they wouldn’t fault. Toward that end, it introduced network segmentation as […]
Category: General Topic
Looking at the educational value of a famous cyber incident
In a recent discussion on SCADASEC one contributor spoke of the educational value of Stuxnet. Yes, there are several lessons that can be learned from an incident that was first made public in 2010. It has been well documented from a technical point of view, but perhaps some lessons can still be learned from an international […]
Complex control systems used by ships at sea are subject to the same kinds of accidents and challenges.
“This is where you talk about fleets coming to a stop. Our ships are floating SCADA systems” – Capt. Mark Hagerott (ret.), Deputy director of cybersecurity for the U.S.N. Academy (1)
Many years ago I had the good fortune to have two good friends who both owned wooden (African Mahogany) sailing boats. One was a […]
Is Society Too Trusting?
I wanted to share an interesting observation from this past weekend. Though this does not relate to SCADA/ICS, it does demonstrate just how trusting people are. This past Friday, I had tagged along with my wife as we went to Wal-Mart for our weekly shopping. Following the general shopping, she wanted to go and check […]
Policies and Protocols for a Breach
It is going to happen sooner or later. Someone raises the question: Have we been hacked? It seems like a simple question. However, before we can ever get to the “it must be a hack” phase, we need to eliminate all the other likely failure modes. Some of them can be very subtle and difficult […]
Security Breach Detection
When I see most OT staff discuss ICS security, they usually begin with some networking gewgaws and tweaks. This sort of stuff is interesting the first few times going through this exercise. However, it doesn’t take long to realize that network security alone is a multi-headed hydra of a problem. The more we try and […]
Assigning Responsibility for ICS Security
Once the pain of a risk assessment is over, a few managers look at each other and decide on what changes they would like to make. Usually an IT expert comes in to install new network security hardware or someone is tasked with revising documentation; but rarely does anyone tinker with assigning responsibility. Nobody wants […]
How A Process Works
Understanding Industrial Process Control
Buried among the design blueprints and volumes of handbooks, there are two documents of great significance to anyone who cares about ICS security. The names may be slightly different than what I’m calling them here, but the concept is the same. First is the Process Description. It is an overview […]
Beyond Risk Assessment
Understanding Industrial Security
Before computer security was a thing, there was Industrial Security. It was primarily physical: Guards, Gates, Guns. The guards would periodically patrol the fence to ensure that there were no holes or evidence of tampering. They had guns to ward off direct attacks and to enforce policy within the plant. They would […]
Budget of ICS Security: Where is the ROI?
How Much to Budget?
Many are flummoxed when working on budgets such as ICS Security. Security contains many aspects that are actually routine activities that we should be doing anyway, that actually do have an ROI. If a few minor improvements are made, it can be integrated into security.
Inventory
For example, go to […]