Applying IP network guidance has harmed control system field devices and legacy control systems

I continue to be very concerned that both private sector and public sector policy-making organizations (square peg) simply don’t have the control system cyber security technical depth to be making decisions about cybersecurity of control systems (round hole). There have been many documented cases where applying IP network mitigations has caused very significant problems to […]

Many OT cyber security experts don’t understand the systems they are trying to secure – the square peg in the round hole

There is an old saying about not forcing a square peg into a round hole. The square peg is IT and OT network security. The round hole is the insecure ICS field device. On September 8, 2022, RSA held the RSAC 365 Virtual Seminar & Innovation Showcase: OT & ICS Security. The session was focused on […]

Windows-based HMIs are too slow for monitoring process sensors or plant equipment anomalies

Process sensors are the input for predictive maintenance, digital transformation, Industry4.0, smart manufacturing, smart grid, etc. The majority of OT networks use Windows-based HMIs even though Windows was not designed to be an engineering data acquisition tool. In a recent plant test, the Windows-based HMI was not effective and, in fact, provided misleading information on […]

Critical infrastructure cyber security is broken – process sensors continue to be ignored

While no one would argue that network security isn’t important, it’s also important that the basic process sensor data that cross the OT network not be overlooked. Process sensors are necessary input for reliability, availability, safety, predictive maintenance, product quality, and cyber security. Yet process sensors have no cyber security and are connected to the […]

You can’t protect the unprotectable – our critical infrastructures

Locking the door doesn’t work where there is no door. Unintentional cyber accidents or malicious cyberattacks can cause kinetic damage and there are no cyber forensics, training, or cyber security requirements for addressing these incidents. The TSA Pipeline cyber security requirements (and corresponding requirements for other infrastructure sectors) need to be more control system-focused. That […]

Regarding Dr. Aunshul Rege and her Critical Infrastructure Ransomware Dataset Repository

It has come to my attention of something that many researchers dread – someone else stealing *your* data. Though her dataset repository is free of charge, as well as publicly available, there always are individuals (and corporations) out in the world who feel that publicly-available, openly-available, and freely-available data, although free, belongs to them for […]

Comments to the CISA Cybersecurity Advisory Committee on Process Sensor Cyber Insecurity

The DHS CISA Cybersecurity Advisory Committee held a conference call Thursday, March 31, 2022, that discussed current CISA Cybersecurity Advisory Committee activities and the Government’s ongoing cybersecurity initiatives. The meeting was for the Committee members to hear updates and discuss progress as it relates to the CISA Cybersecurity Advisory Committee’s six subcommittees: (1) Transforming the […]