It happened again in the comments … IEC 62443 covers this topic. Last week I wrote about vendors providing patch compatibility information as a first step down the SBOM path of automating the providing, importing and use of information. Vendors are testing patch...
Daniel Ehrenreich posited in a LinkedIn comment that the number of ICS-OT directed attacks in a year is in the two digits range (10 – 99). My definition, not Daniel’s, of an ICS-OT directed attack is an attack that is designed to compromise the...
Awareness and activity increased in 2022 on OT vulnerability management, and it will likely increase even more in 2023. OT detection products’ key selling proposition is asset inventory, vuln management and increasingly mapping this information to risk scores. Same...
Much of the OT and ICS security community’s efforts and focus in recent years have been placed on creating and maintaining an OT cyber asset inventory. Now we are hearing it is not enough to know basic information such as vendor, OS, application, version...
The hand wringing about cyber insurance rate increases, effectiveness and even future viability have come in a steady stream the last two year. I don’t claim to be an insurance expert, but I have come across some helpful numbers in a Moody’s Investor...
I had Jim Hempstead of Moody’s Investors Service on a recent episode of the Unsolicited Response Show. There are two items related to Moody’s reports this fall that are worth a deeper look. This week’s article is on the Moody’s Cyber Risk Cyber...
First, I’m excited to announce that Idaho National Laboratory (INL) will be running the SBOM Challenge at S4x23 next Feb 14-16 in Miami South Beach. Virginia Wright and Ethan Huffman will be leading the team there. We learned from our two OT Detection Challenges that...
I frequently pound CISA for not having metrics. What are they trying to do and how will we know if it’s working or not? So, #walkthetalk. We have goals and associated metrics to measure the success of S4. For example, one goal and metric related to our Create...
Since the early days of NERC CIP I have been unable to identify what I would do for OT Critical Infrastructure Cyber Security Regulations if I were omnipotent and could specify and enforce whatever I thought would work. After spending a week in Singapore this July...
As I wrote two weeks ago, in the medium to long term the winners in the OT SBOM market will be those who can effectively play the SBOM/VEXie middleman between vendors and asset owners. The ability to create SBOMs won’t be a determining factor. But competitors need to...
