Book Review: This Is How They Tell Me The World Ends by Nicole Perlroth
Short Review This is a book that an ICS security professional should give to friends and family to read so they know why they do what they do. Nicole guides the lay person through her compelling journey to understand the 0day market and its impact on the security of...
How Do We Solve The OT Cybersecurity Staffing Challenges?
Three answers. 1. Women Women represent 51% of the population and 57% of the college graduates in the US. They comprise less than 10% of the OT Security workforce. Solving the problem could be as simple as adding women to the OT Security workforce until they...
Recommended Security Controls For Level 0 and Level 1
Part 1: Awareness of Purdue Level 0 and 1 (In)Security Part 2: Properly Prioritizing Level 0 and Level 1 Security In this third and final article in my Level 0 / Level 1 security series the focus is on the appropriate security controls. Sensors and Sensor Data The...
Properly Prioritizing Level 0 and Level 1 Security
We have resolved the issue on whether the ICS security community knows that almost all Purdue Reference Model Level 0 and Level 1 devices, and the protocols that communicate with them, lack authentication. They know this. The next question is what to do about it from...
Awareness Of Purdue Level 0 and 1 (In)Security
Solving a problem typically begins with awareness that there is a problem. Back at S4x12 a group of researchers under the Project Basecamp banner demonstrated that most PLC’s (Purdue Level 1 devices) were both insecure by design and ridden with exploitable bugs,...
Legacy System Problem Keeps Growing
If you find yourself in a hole, stop digging. Will Rogers The large amount of insecure legacy ICS and long ICS lifetimes mean we will need to live with this security risk for years / decades. We can argue about how long it should take to replace the deployed...
Maturing Past Maturity-Based To Risk-Based
I recently stumbled upon a McKinsey article from October 2019 that more elegantly, in McKinsey speak, made the argument against “cyber hygiene” than I do. Over the past three years I’ve seen many asset owners go through the same process: Board or...