Usually In My Top Ten … Set & Meet RTO
Last week I wrote that creating an asset inventory typically isn’t in the early actions of an OT security program prioritized by efficient risk reduction. And I received a number of questions of what is on the short list. I’m not going to provide a list because it can...
Efficient Risk Reduction: Asset Inventory Often Not In My Top Ten
I’m not anti-asset inventory. It’s a key part of asset management and maintenance without regard to reducing OT cyber risk. In fact I’d be more amenable to Operations prioritizing establishing and maintaining an asset inventory than OT Security. At the right point in...
SEC: Incentives and Outcomes
Show me the incentive; I’ll show you the outcome. Charlie Munger The SEC requirement for US public companies to disclose, in an 8K form, any cyber attacks that will have a material impact on the business went into effect in November, 2023. Unsurprisingly this has led...
Proposed Government Metric – Internet Exposed OT
This is third in a series of suggested metrics governments could use to measure OT security posture, incidents, and risk … something desperately needed and consistently avoided. Metric 1: Impacted People Days Metric 2: Leading Indicator Metrics Metric 3:...
Leading Indicator Metrics (Inspired by API RP 754)
Part 1 of this article is from my S4x24 Keynote: Believe!. Part 2 is the suggested related metrics for the US and other governments. Are some of you having trouble with Total Recordable Incident Rate? Or the SEC material incident rate? Or these outage pie charts. I...
US Government Cybersecurity Performance: Activity – Success, Achievement – Who Knows?
Last week continued the deluge of documents and activity from the US Government on the nation’s cybersecurity. The two most important for OT security were the 2024 Report On The Cybersecurity Posture Of The United States and the National Cybersecurity Strategy...
RSA Conference: OT Vs. IT Vs. Convergence
One of the first articles or presentations those new to OT generate is how OT is different from IT. Like other uses of T, there are tasks, goals and constraints that are different in OT than the employee desktop, application, server and infrastructure environment that...