In August, I wrote about the likely hyperbole in an article, Cybersecurity Risks Loom Large In Hospitals. The financial risk stated in the article that “loomed large” was tiny compared to other financial risks at a large hospital. The numbers in that...
Last week at the Singapore CSA OTCEP event a panel I was on received the question: what do we think about the use of zero trust in OT? I’m not sure why we all hesitated to answer. Being polite? Unsure of how to answer? Tired from jet lag or crazy time zones? I...
Last week the US Government published the Preliminary Critical Infrastructure System Cybersecurity Performance Goals and Objectives that included nine categories of recommended practices. Last week the US Government also published a draft of SP1800-10 Protecting...
(and maybe fewer OT Security Pro’s than originally thought) Kelly Shortridge gave a great keynote on DevOps coming to the OT world at S4x20. I originally asked Kelly to give a talk on DevSecOps. She pushed back on the use of that term because security...
After a recent virtual keynote I was asked a perennial hopeful question: How we can make cybersecurity a source of revenue rather than a cost? The short answer for an OT asset owner is, you can’t. The motivation is understandable. Businesses and their executives...
I still do a bit of ICS security consulting for asset owners in between S4, speaking at events, and the Unsolicited Response show. This consulting typically requires a $1M Professional Liability Insurance policy. It’s renewal time, and below are two new...
My interview last week with Nozomi Networks CEO Edgard Capdevielle dug deep into the OT visibility and detection market today and more importantly where it was heading in the next 1-3 years. Lots of candor and interesting comments from Edgard, and Edgard’s thoughts of...
You Must Understand Your Organization’s Risk Management Do you want support and funding for your ICS security initiatives? Then you need to understand what executives view as high, unacceptable consequences that believably could be caused by a cyber or...
The number of jobs in the ICS Security category is growing quickly. Asset owners, ICS and ICS security vendors, integrators, consulting firms, and governments are all trying to hire ICS security talent from a limited talent pool. The most common solution to grow ICS...
Easy Win – Procurement A simple request to inspect Security Development Lifecycle (SDL) artifacts, such as the threat model and fuzz testing plan and results, will tell you if the SDL is more than a dream put down on paper. (In the early 2010’s it was more...
