Last week I was in Singapore at the CSA OTCEP event. You notice the differences between Singapore and the US as soon as you step into the airport and go through customs. There at least three major differences that apply to a government succeeding in managing a...
Last week’s article highlighted a recent paper, Fact and Fiction: Demystifying the Myth of the 85% by Azrilyant, Sidun and Dolashvili, and focused on the fact that 85% of the US population is served by public sector water companies, not the oft quoted 85%...
And What It Means For Government Action / Inaction For as long as I can remember, it has been an accepted and repeated “fact” that 85% of US critical infrastructure is privately owned. With the subtext of this “fact” that government...
CISA launched their Shields Up campaign in mid-February purportedly to meet the increased threat Russia posed due the war in Ukraine. From the initial release: While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the...
We have mantras in ICS security and OT that we say, and mostly believe, but we don’t act as if they are true. My favorite is OT is different than IT. Have you ever heard that before? Have you ever said it? When I hear someone say this what they usually mean is: keep...
The theme for S4x22 was No Limits. In my 10-minute opening of the event, I suggested one way to break free from limits is to take conventional wisdom and flip it. Look at the world as if the opposite were true. I gave three examples, and my favorite was: flipping...
It started with Bryan Owen’s reply to a tweet. Was hoping response for Incontroller/Pipedream would have been a rally call to inventory ICS with embedded Codesys. A community approach similar to Log4j inventory could have been lead by @cisagov — bryan owen...
I finished up Volume 3 of The Great Mental Models and the model, or concept, that has me thinking is Surface Area. Where we need to reduce it and where we need to expand it. The application to security is obvious and used in the chapter. We want to minimize the attack...
Hold on – – – hasn’t CISA since its birth and DHS before that recommended securing ICS? No, not really. The recommendations have been keep the attackers out, perform cyber hygiene, and detect attacks, but they have rarely recommended the monitoring...
We had the pleasure of hosting ~800 ICS security professionals in Miami South Beach last week at S4x22. While the record number of attendees was a good sign of the growing attention being paid to ICS security, it was the composition of the attendees that is even more...
