Properly Prioritizing Level 0 and Level 1 Security

Properly Prioritizing Level 0 and Level 1 Security

We have resolved the issue on whether the ICS security community knows that almost all Purdue Reference Model Level 0 and Level 1 devices, and the protocols that communicate with them, lack authentication. They know this. The next question is what to do about it from...
Awareness Of Purdue Level 0 and 1 (In)Security

Awareness Of Purdue Level 0 and 1 (In)Security

Solving a problem typically begins with awareness that there is a problem. Back at S4x12 a group of researchers under the Project Basecamp banner demonstrated that most PLC’s (Purdue Level 1 devices) were both insecure by design and ridden with exploitable bugs,...
Legacy System Problem Keeps Growing

Legacy System Problem Keeps Growing

If you find yourself in a hole, stop digging. Will Rogers The large amount of insecure legacy ICS and long ICS lifetimes mean we will need to live with this security risk for years / decades. We can argue about how long it should take to replace the deployed...
Maturing Past Maturity-Based To Risk-Based

Maturing Past Maturity-Based To Risk-Based

I recently stumbled upon a McKinsey article from October 2019 that more elegantly, in McKinsey speak, made the argument against “cyber hygiene” than I do. Over the past three years I’ve seen many asset owners go through the same process: Board or...
ICS Security Company Valuation and Value Investing

ICS Security Company Valuation and Value Investing

Frank, non-flattering admission … I am terrible at determining how much an ICS security company is worth, it’s valuation. While I believe that I can analyze the market, identify the product and service trends, evaluate company strategies, and identify the...

Women In ICS Security

Kelly Jackson Higgins of Dark Reading joins Dale Peterson to co-host this episode of the Unsolicited Response Show. The topic is Women In ICS Security, and all the guests are Women In ICS Security: – Kristin Demoranville – MJ Emanuel – Najo Ifield...
My Recollection of the F**g Salmon Dinner

My Recollection of the F**g Salmon Dinner

Chapter 2 of Nicole Perlroth’s book This Is How They Tell Me The World Ends is all about S4x13 and particularly about a dinner I hosted that she called The F**king Salmon dinner. We were all in Miami to attend the same bizarre conference – an annual...
Consequence and INL’s CCE

Consequence and INL’s CCE

The long awaited detail of INL’s Consequence-driven, Cyber-informed Engineering (CCE) methodology is now available in the Andy Bochman / Sarah Freemen book Countering Cyber Sabotage. I had the opportunity to interview the authors for an hour in this week’s...
An Operator Turing Test

An Operator Turing Test

Proposal: A small group in the ICS world develop a test to determine if a “machine” can be trained from only historian data to perform as good (indistinguishable) or better than a representative Operator. In 1950 Alan Turing wrote an article on what...
Are Your ICS Security Patching Plans Realistic?

Are Your ICS Security Patching Plans Realistic?

An interesting and potentially important technical paper was published near the year end holidays and didn’t get the attention it deserved: Vulnerability Forecasting: In Theory and Practice by √Čireann Leverett, Matilda Rhode and Adam Wedgbury of...