I’m ranting again. This is a recurring plague for me. Allow me to just get this out of my system right now: DELIVER ME FROM THOSE AWFUL OFFICE-GRADE UPS BOXES! I hate the damned things. Why? Because some idiot who can’t be bothered to deal with the more difficult issues just grabs one off the […]
Lessons from the film “Rogue 1” on the importance of security in the design process
Commander #1: We’ve analyzed their attack, sir, and there is a danger. Should I have your ship standing by? Gov. Tarkin: Evacuate? In our moment of triumph? I think you overestimate their chances. – Quote from the film Star Wars IV (1) The Star Wars film epic in addition to providing good entertainment raises some […]
Patching and Upgrading PLC Systems
A certain well known vendor of PLC equipment has been earning some heat from me recently. I’m not mentioning names because frankly, all of these big name vendors are facing the same problems. The issue is that even if we didn’t find sufficient reason to patch programs in a PLC, we’re finding that we have […]
The lack of comprehensive investigation and sharing of lessons from industrial control system incidents will continue to leave others as sitting ducks.
This past week news has surfaced about cyber-attacks directed against German industry. In particular about a suspected case of cyber espionage at ThyssenKrupp (1) (2). The announcement that a German steel maker was cyber attacked reminded me about the 2014 German Federal Government IT Department’s (BSI) report of a cyber-attack at an unidentified steel mill […]
Physical Layer Concerns
One of the more troublesome aspects of a control system is detecting when the I/O is broken versus a security problem of some sort. This is one of the keys between knowing that you’re being hacked versus having some sort of hardware failure. With that in mind, these are some measures I have found to […]
Raising cybersecurity awareness during a seminar on the future of energy policy and economy is not an easy thing to do.
“Although you cross the Atlantic for years and have ice reported and never see it, at other times it’s not reported and you do see it.” – Charles Lightoller, Titanic Second Officer (speaking at the public inquiry into the sinking) In one of my recent lectures on “The cybersecurity dimension of critical energy infrastructure” I […]
Thoughts on possible misconceptions over the cybersecurity of the energy sector
“The pump don’t work, cause the vandals took the handles” – Bob Dylan The use of high technology (information technology and telecommunications) has entered almost every aspect of our lives. You name a sector and it is there: finance, trade, energy, communications, transportation, even education and healthcare. High tech is what modern society is built […]
Proposing innovative solutions to a problem which will require even more solutions is not a good way to go
– After the ship has sunk, everyone knows how she might have been saved. – Italian proverb In an earlier blog I wrote about the importance of answering the key questions in developing a strategy to secure a critical asset (1). I could see the consequences of not taking the time to fully comprehend these […]
Simulations don’t have to be expensive or labor intensive in order to explain key concepts about IT and ICS security
It can be hard to understand amidst all the IT biased (towards Confidentiality, Integrity and Availability of information) cybersecurity hoopla how today’s IT threats emanating from cyberspace can affect industrial control systems. IT security questions can be hard to understand for the ICS practitioner (who leans towards different security priorities of Safety, Availability, Integrity and […]
In seeking to protect industrial control systems are we clear about what is being threatened and from what threats?
Reading the recently published Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) White Paper on Malware Trends left me somewhat unimpressed and disappointed. Whenever I read a document about cybersecurity, especially one written by an institution dealing with the security of industrial control systems, I am keen to see how the authors […]