And Still Awaiting Calls To Replace Unauthenticated Protocols Today Dragos released information on ICS malware they are calling FrostyGoop. The key lines from the release are: "It is the first ICS-specific malware that uses Modbus communications to achieve an impact...

The only OT security product market to date is OT Detection solutions (with a slice of asset inventory). It is led by Armis, Claroty, Dragos and Nozomi. There are another 5 credible vendors and 5 or more niche players. There has been a relatively large amount of...

Hospitals and other medical facilities get lumped into OT and cyber/physical because they have software and firmware that is monitoring and controling physical equipment and processes. It’s not wrong, but I don’t think it’s helpful. The high level, high quality OT...

Last week R.R. Donnelley (RRD) and the SEC reached a $2.125M settlement on issues related to a December 2021 cybersecurity incident. Coming after Solarwinds and being a resolved issue has led to less cybersecurity industry angst about the SEC’s RRD complaint than the...

Last week I wrote that creating an asset inventory typically isn’t in the early actions of an OT security program prioritized by efficient risk reduction. And I received a number of questions of what is on the short list. I’m not going to provide a list because it can...

I’m not anti-asset inventory. It’s a key part of asset management and maintenance without regard to reducing OT cyber risk. In fact I’d be more amenable to Operations prioritizing establishing and maintaining an asset inventory than OT Security. At the right point in...

Show me the incentive; I’ll show you the outcome. Charlie Munger The SEC requirement for US public companies to disclose, in an 8K form, any cyber attacks that will have a material impact on the business went into effect in November, 2023. Unsurprisingly this has led...