OT Security 2021: Progress
Progress in addressing OT / ICS cyber risk remains painfully slow as it has over the past two decades. There is progress, and the fact that we are seeing the increased attention and are achieving progress during these Covid years is worth highlighting at year’s...
OT Security 2021: Perspective
The primary goal of OT cyber risk management is to insure OT cyber incidents do not have an unacceptable impact to the business, customers and community. A secondary goal is to reduce, and ideally eliminate, the frequency of overall OT cyber incidents. It is clear...
VC’s, OT Security and Criticality
The rush of money into the OT security market continues to accelerate. Later and larger rounds have poured into the OT Visibility and Detection market leading to some companies being valued at over $1 billion. Early round money is coming into the OT SBOM / software...
Failing Business (Home) Continuity Plans
I admit it. I’m a bit of a prepper. This is likely the case for anyone in the risk management profession, and even more so if you live on an island like I do (Maui). We can run out of food and supplies. Our critical infrastructure has little redundancy. If one...
OT Visibility & Detection Market – Q4 2021 Update
The OT Visibility and Detection Market has consolidated to a big 3 of pure plays, a handful of enterprise vendors who have acquired their way into OT, and the niche players whose best hope is to get acquired before the music stops. With the war chests full, this...
ICS Security Maturity Model (Levels 4 – 6)
See Part 1 with Levels 1 – 3. I must admit I switched the order of Basic Detection and eliminate High Consequence Events multiple times in writing this article. As always I welcome your comments including your own maturity levels. Maturity Level 4: Basic...
ICS Security Maturity Model (What To Do In What Order)
A reader (Paul) wrote in with the following question: Do you have any recommendations on how to iteratively and pragmatically raise the bar (i.e. security/maturity). The models I’ve seen push asset inventory/visibility and cyber hygiene to the front, which makes...
Hidden Value In Creating Cybersecurity Audit Programs
One of my first tasks after leaving NSA for private industry in the early 90s was to write my new company’s information security policy. I’m not sure my previous job as a cryptanalyst left me qualified for this, but I was viewed as the security guy. So, I attacked the...