Canadian Copper Mountain Mining (CMMC) shut down their mill after a December 27th ransomware attack “as a preventative measure to determine the status of its control system, while other processes switched to manual operations”. Off-line process sensor monitoring of the physics system would not be susceptible as neither IT malware nor ransomware could reach the […]
Process sensors are different than IOT and IIOT devices
December 2022, the US Government Accountability Office (GAO) issued Critical Infrastructure Actions Needed to Better Secure Internet-Connected Devices (GAO-23-105327). According to GAO, the scope of the report was governed by a legislative mandate in The Internet of Things Cybersecurity Improvement Act of 2020, which (along with conversations with GAO’s Congressional clients), which dictated the terms […]
School of Industrial Cybersecurity: time to review the curriculum
It is hard sometimes for me to watch the discussions on critical infrastructure protection taking place these days. Especially when it comes to cybersecurity practices and policies. The conferences, announcements of new national cybersecurity strategies, pronouncements of industry opinion leaders on the media, government publications on best practices, guides, books and last of all vendor […]
More than 17 million dangerous control system cyber incidents are hidden in plain sight
Control system cyber incidents are plentiful (more than 17 million), dangerous, and mostly unidentified as being cyber-related Control system cyber incidents are more common and dangerous than most security specialists and industry leaders tend to believe. That requires some explanation. I have been amassing a database of control system cyber incidents since 2000 when I […]
IEEE paper on process sensor monitoring – what you need to know about process sensor cyber security
The article, “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors” is now available in the November issue of IEEE Computer: The paper provides a case study providing detailed quantitative results of the unseen deficiencies in many process sensors. October 25th, Dale Peterson issued a blog “the Weissian Level […]
Applying IP network guidance has harmed control system field devices and legacy control systems
I continue to be very concerned that both private sector and public sector policy-making organizations (square peg) simply don’t have the control system cyber security technical depth to be making decisions about cybersecurity of control systems (round hole). There have been many documented cases where applying IP network mitigations has caused very significant problems to […]
12th Cyber Security Summit keynote presentation
On October 26th at 8:30 am, I will be giving one of the keynote presentations at the 12th Cyber Security Summit in Minneapolis – https://www.cybersecuritysummit.org/. The title of my presentation is “Narrowing the Gap – A Unilateral Understanding of Engineering and Network Security” or “The risks of cutting corners to put a square peg in a […]
Many OT cyber security experts don’t understand the systems they are trying to secure – the square peg in the round hole
There is an old saying about not forcing a square peg into a round hole. The square peg is IT and OT network security. The round hole is the insecure ICS field device. On September 8, 2022, RSA held the RSAC 365 Virtual Seminar & Innovation Showcase: OT & ICS Security. The session was focused on […]
Finding statistics about APT’s? It’s complicated.
Have been following an email list thread that was generated from a request for statistical information about APT’s (advanced persistent threats). Many of the offers of information were very ransomware and cybercrime oriented. To me such descriptions are not a good fit to address what APT’s are. Thought I would share my contribution to that […]
Critical infrastructures cannot be secure when critical equipment isn’t
August 25, 2022, I received a call from an insurance specialty insurer who had received an Operational Technology (OT) Supplemental Application from a global control system supplier to the aerospace industry, industrial operations, and the US Department of Defense. I am personally aware of at least some of the company’s products because of their use […]