Introduction Chapter From My New Book

This chapter from the book describes what it is, how to use it, and a bit of how I came to write it. I started reading a daily calendar book in 2019 and have continued every year since. My two favorites are The Daily Stoic and The Daily Drucker. Calendar books provide...

25 Years, Same Question

My first exposure to OT security was a security assessment of a water SCADA system in 2000. It was a disaster from a security perspective. Old OS and apps that hadn't been touched since install. Poor network segmentation. Admin accounts used by all with default...

My New Book & 2025 Content Plan

Some of you have asked where my weekly article went in November and December. The answer is I had to focus my writing time on edits and production of my new book, A Year In OT Security. 1,500 softcover books are now being printed and will be put in the S4x25 Swag...

What’s Your Cyber Narrative?

I first heard the term "Cyber Narrative" while interviewing Jennifer Dulles, APR, a media relations and crisis communications expert, on the S4x24 Main Stage. It's worth your time to develop a cyber narrative, especially given the often poor public statements we hear...

Different Approaches To EU’s NIS2 Has An Upside

The Tenth Amendment to the US Constitution states: The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people. The states are often referred to as "laboratories of...

Needed: Outrage Management

Peter Sandman introduced the following risk equation in the 1980s: Risk = Hazard + Outrage. An increasingly common scenario in the OT world over the last two years, particularly with small-scale water incidents, is that Hazard is Low and Outrage is High. In these cases the task...

Mandating Cyber Incident Disclosure

SEC and CIRCIA: Different Aims, Different Progress, Different Results. SEC: The US Securities and Exchange Commission (SEC) proposed draft rules to disclose cyber incidents with a material impact in March of 2022. The rule was finalized and went into effect in December...

Checklist v. Risk Based OT Cybersecurity Regulation

Why Checklists Win: Talk to most security professionals, OT and IT, and they'll tell you that applying a checklist approach to security controls across an industry sector makes no sense. Compliance with a standard or regulation does not equal security. Each company...

OT Security Is A Great Career

I was hooked on OT Security from day one. During my first SCADA security assessment in 2000 we went out to see dams, pumping stations, turnouts and other physical systems along a canal. This was much more interesting than sitting in a conference room or a data...


UPCOMING EVENTS

S4x24 ... 4 - 7 March 2024 in Miami South Beach

Save the date for the biggest and most future-focused ICS security event.