If you’ve been wondering about OT network segmentation, read this.
Category: General Topic
Florida city water cyber incident allegedly caused by employee error
The Oldsmar, Florida, water treatment plant was the target of a cyberattack in 2021, which raised concerns about the cyber vulnerability of crucial infrastructure. Reports at the time claimed that a worker at the company witnessed his computer being accessed and managed remotely. The amount of sodium hydroxide, also known as lye, in the water […]
State of ICS Cybersecurity and Critical Infrastructure: Half empty, Half full, or Stay Focused on the Quest?
A colleague recently expressed some dismay over the lack of progress in ICS cybersecurity in the past 20 years. He has a point, but I had to respond. Below is a copy of my response and hope it will be taken as something “for the good of the Order”. “Yeah I hear ya, but the […]
Impressions of the U.S. National Cybersecurity Strategy of 2023
Was busy at a resilience workshop in Germany last week when the buzz started to peak about the release of the latest version of the U.S. National Cybersecurity Strategy[1]. As someone who headed task forces to prepare the first Military Defence Strategy (2000) and first National Defense System Cybersecurity Strategy (2009) of Lithuania and served […]
The National Cybersecurity Strategy fails to address fundamental control system and critical infrastructure issues
In May 1998, Presidential Decision Directive (PDD) 63 mandated the cyber security of critical infrastructures be implemented by May 2003. Twenty years and multiple PDDs and Presidential Executive Orders later, the government agencies responsible for securing the critical infrastructures are still failing to adequately address the issues that can cripple our country and its critical […]
FUD is not helpful but running into a Cyberg is far worse.
In the beginning of March on Linkedin there was some discussion of FUD and some advice for vendors and consultants. I quote: „FUD is not helpful. 1) Avoid words & phrases like “Sophisticated Attack” or “Nation-State” if you are a vendor / consultant trying to build a business case with asset owners. 2) Please double […]
Regulatory gaps drive systemic under-reporting and poor situational awareness
Control system cyber impacts are visible – lights go out, pipes leak or break, trains crash, planes crash, etc. However, it is often not evident that cyber played a role. Many times, sophisticated cyber attackers will make a cyberattack look like an equipment malfunction. There have been cyberattacks by Russia and China on US grids […]
The need for correct, authenticated pressure measurements for reliability, safety, and cyber security
Correct pressure and other process sensor measurements are necessary for reliability, product quality, maintenance, process safety, and cyber security. These devices can be incorrect for unintentional or malicious reasons. January 13, 2023, Abhishek Sharma published the ISA blog – “The wisdom of correct pressure measurements”. It is a good blog but doesn’t address all of […]
Another case where process sensor monitoring could have prevented a facility shutdown
Canadian Copper Mountain Mining (CMMC) shut down their mill after a December 27th ransomware attack “as a preventative measure to determine the status of its control system, while other processes switched to manual operations”. Off-line process sensor monitoring of the physics system would not be susceptible as neither IT malware nor ransomware could reach the […]
Process sensors are different than IOT and IIOT devices
December 2022, the US Government Accountability Office (GAO) issued Critical Infrastructure Actions Needed to Better Secure Internet-Connected Devices (GAO-23-105327). According to GAO, the scope of the report was governed by a legislative mandate in The Internet of Things Cybersecurity Improvement Act of 2020, which (along with conversations with GAO’s Congressional clients), which dictated the terms […]