At Digital Bond’s website, Mike Toecker makes a case for complex control systems in that complexity often brings efficiency and performance with it. While efficiency and performance are certainly noble goals, they’re not the only ones. If you’re in Critical Infrastructure, there is another goal that gets a higher priority than either of these two […]
Did a “Ninja Squirrel” Cause the Northeast Blackout in 2003?
As many people discovered from the postmortem of the Northeast Blackout of 2003, it was a widespread power outage that occurred throughout parts of the Northeastern and Midwestern United States and the Canadian province of Ontario on Thursday, August 14, 2003, just after 4:10 pm EDT. Some power was restored by 11 pm; however, many […]
More Problems with the Risk Equation
That rant I wrote earlier got me thinking even more… The first presumption that the risk equation gets wrong is that generic risk is linear and additive. It is not. Let’s assume that someone sabotages the brakes in your car. You still have the parking brake that uses a completely separate system. You may not […]
To Analog…or Not to Analog…THAT is the Question…
NOTE: At the end of this article is a URL link for a voluntary survey. Recently, there was news of a new Senate bill to develop a pilot program for the Energy Sector. Dubbed the “Securing Energy Infrastructure Act of 2016” (S. 3018), this bill is to provide for the establishment of a pilot program […]
Complexity – The Difference Between a Widget and a Thingy
I was discussing this with Bob and he pointed out an interesting word use I had stumbled upon: Thingy. Bob pointed out that a thingy is what people call things they don’t understand. A widget is a thing that you do understand. Our SCADA systems used to be composed of widgets that we could work on. […]
Why ISA-99/IEC 62443 is in Trouble
Before I reveal this e-mail I sent to the ISA-99 list, one should understand the discussion leading up to my rant. The ISA-99 list had been trying to frame its discussion in terms of existing security standards. In my opinion, they’re making an enormous mistake. Industrial control system security should not be pigeonholed into […]
When “IoT” Becomes “Expl-IoT”
Ok, so I am being sarcastic with the title — I get it. But let me ask you when you read this: are you entirely certain that the ‘Internet of Things’ — more importantly — (a new term recently introduced by several industry ‘leaders’) the ‘Industrial Internet of Things’…isn’t just another ‘sales job’? First, why […]
Additional Thoughts on SANS blog
I should have included a diagram on the SANS blog to illustrate the concepts a bit better. I’ll work on one shortly. The main point behind the blog is that it takes time to recognize an ongoing hack. The example I cited is actually quite optimistic. Many operators might not make the connections that a well […]
Why the Infatuation With Risk?
At a recent meeting of ICS Security “experts,” the discussion turned to risk-assessment standards. I posed the question: Why are we so infatuated with the Risk Equation when it offers so little guidance? “Why not use consequences and defenses?” I asked. “Isn’t that how most Engineers and Operators think?” “Risk is what they understand […]
Why the NY Dam Incident Really Did Not Matter
Ray Park from the SCADASEC mailing list made this comment on 5-Apr-2016: Dams, other than major hydroelectric dams, are not a good target for hack attack. With most flood control and water reservoir dams, the only real control is the floodgates. We considered how to use that and the only thing we could come up […]