A Modern Jabberwock

Twas SCADA and the slimey toovesDid consult and gyre in the RoomAll Flimsy were the ArTeeYewsAnd Field Rats all agloom Beware the Jabber-hack my daughterThe bits that byte, the worms that lurkBeware the heartbleed, and please slaughterThe awful frumious Trisys work She took her Laptop Kali FreeLong time she gazed at WiresharkSo Rested by the […]

Is there a problem with our understanding of the terms IT, OT and ICS when seeking to protect critical infrastructure?

I remember participating in a work group composed of national representatives tasked with coming up with norms for confidence and security building measures (CSBM) for states to follow in cyberspace.  This was quite exciting to be a part of at first, but the discussions slowed down when a representative of a cyber-superpower raised the issue of […]

Zero Trust and ICS

The goal of Zero Trust is getting data securely across network, storage, and computing infrastructure you may not trust. The message is usually between two software entities that are trusted with human beings behind them. But that’s not what happens in an Industrial Control System, such as a DCS or a PLC based plant system. […]

Focus on Integrity

There may be a few people who are puzzled by why I referred to PLC Security as “security.” And this brings me to an often forgotten part of the AIC security triad. Yes, there is Availability. There is Confidentiality. You tend to see a lot of discussion about the former among ICS security people. You […]

Followup: INCOSE Critical Infrastructure Protection and Recovery(CIPR) Conference Call

On Thursday, April 9th, 2020, I gave a presentation to INCOSE Critical Infrastructure Protection and Recovery(CIPR) working group monthly call. With the large attendance, it was evident there was an interesting learning about the critical, but generally not addressed, issues of the engineering aspects of control system cyber security. There was also a common thread […]

Diagramming ICS Security

In a blog post, Sarah Fluchs made a very important point: We have diagrams and abstractions for virtually everything in an industrial control system. But for some reason, we don’t do this for industrial control system network security. I think she has has pointed her finger on the pulse of the problem with industrial control […]