Before I reveal this e-mail I sent to the ISA-99 list, one should understand the discussion leading up to my rant. The ISA-99 list had been trying to frame its discussion in terms of existing security standards. In my opinion, they’re making an enormous mistake. Industrial control system security should not be pigeonholed in to […]
When “IoT” Becomes “Expl-IoT”
Ok, so I am being sarcastic with the title — I get it. But let me ask you when you read this: are you entirely certain that the ‘Internet of Things’ — more importantly — (a new term recently introduced by several industry ‘leaders’) the ‘Industrial Internet of Things’…isn’t just another ‘sales job’? First, why […]
Additional Thoughts on SANS blog
I should have included a diagram on the SANS blog to illustrate the concepts a bit better. I’ll work on one shortly. The main point behind the blog is that it takes time recognize an ongoing hack. The example I cited is actually quite optimistic. Many operators might not make the connections that a well […]
Why the Infatuation With Risk?
At a recent meeting of ICS Security “experts,” the discussion turned to risk-assessment standards. I posed the question: Why are are we so infatuated with the Risk Equation when it offers so little guidance. “Why not use consequences and defenses?” I asked. “Isn’t that how most Engineers and Operators think?” “Risk is what they understand […]
Why the NY Dam Incident Really Did Not Matter
Ray Park from the SCADASEC mailing list made this comment on 5-Apr-2016: Dams, other than major hydroelectric dams, are not a good target for hack attack. With most flood control and water reservoir dams, the only real control is the floodgates. We considered how to use that and the only thing we could come up […]
How the “Internet of Things” is Becoming the “Internet of Junk”
Several years ago, a new and revolutionary device was introduced to consumers – one that would allow homeowners with abilities to control the temperature and comfort of their home anywhere in the World. The product that I am talking about is “Nest”. Designed to communicate with external servers using the Internet, these devices provided pathways […]
2016 Spring Flooding and Potential Impacts
The U.S. Department of Homeland Security, National Protection and Programs Directorate, Office of Cyber and Infrastructure Analysis (OCIA) provided an overview of the National Oceanic and Atmospheric Administration (NOAA) 2016 Spring Flooding Outlook and examines the potential impacts to U.S. critical infrastructure. This product is an update to the April 21, 2015, OCIA Spring Flooding […]
Iranian Hacker Used Google To Hack N.Y. Dam Computer
I have a bit of background I learned from primary sources with direct knowledge of the situation. First, this dam was not a life safety issue. It was for storm water management. The sluice gate was supposedly out of service at the time. However, even it had been in service, it could have gone up […]