The OT Cyber Incident And Threat Dichotomy

The impact of OT cyber incidents, excluding ransomware on IT, has been less than 1% of all-cause OT outages and OT-related financial loss. A motivated and skilled OT cyber attacker could cause a high or catastrophic incident on many OT systems in almost every sector....

Reducing OT Incident Impact Inflation

Where does the media get the information and quotes that turn a couple of residential swimming pools of water spilling out of a water tank (Muleshoe) into a major story and congressional hearing ... from us, the OT security community. Since we are part of the problem,...

S4x26 Theme Keynote: Connect

Below is what I intended to say on stage. It always varies a little bit live. The video will be out next week. Each S4 Conference has a single word theme. This year's theme is Connect. Connections are exciting, unpredictable, scary, they bring opportunity, and for...

First Nozomi, Now Armis

2025 saw two of the four top tier OT detection + asset inventory vendors get acquired. First Mitsubishi Electronics acquired Nozomi Networks at a valuation of $950M (read my analysis of the Nozomi acquisition). Then last month ServiceNow announced they will be...

25 Years, 3 Lessons

I'm finishing my 25th year focused on OT security (called SCADA security when I started, then ICS security, and now OT security). So many failures, successes, changed analysis, and lessons learned over that time. Here are 3 lessons that I wish hadn't taken me so long...

Premature Consensus In OT Security Made Worse With AI

We know very little about what security controls and consequence reduction actions reduce the number and impact of incidents that include an OT cyber component. Read that again. We have hypotheses. I have hypotheses, and wrote a book on the topic, A Year In OT...

Two OT Security Debates

We've had some great debates on the S4 stage. One of my favorites was a debate I had with Eric Byres entitled Is Eric Byres a SCADA Apologist or a SCADA Realist?. The key to a good debate is to find an issue where a 10% - 25% minority of the audience has a strong...

Water Treatment Honeynet Incident Analysis

Forescout's Vedere Labs reported that a honeynet posing as a water treatment system was compromised by TwoNet, a Russian-aligned group. According to the blog entry, TwoNet caused: Defacement: Login page changed to HACKED BY BARLATI, F*** Process Disruption: Deleted...

OT Is The Venice Of Security Infrastructure

I get tired of writing that 90%+ of the OT protocols used to communicate with PLCs and other Level 1 devices (and Level 0 ... hello Joe) are insecure by design. They lack cryptographic authentication of the source or contents, intentionally. They were designed to...

What Is The True Level Of OT Cyber Incidents?

This article attempts to frame the question after my back and forth with Robert M. Lee last Friday. Question: How many cyber attacks are resulting in non-trivial consequence events in OT / Operations? Stipulation 1: Ransomware and other causes of outages on IT cyber...

UPCOMING EVENTS

ENTELEC ... 7 April 2026 in Galveston, TX

I'll be giving the keynote: Connect, Consider, and Consequence at this event for the oil & gas sector.

S4x27 ... 8 - 11 February 2027 in Tampa

Save the date for S4x27, the biggest and most future-focused ICS security event ... and now in our new and larger venue in Tampa.