The Differences

The Differences

Last week I was in Singapore at the CSA OTCEP event. You notice the differences between Singapore and the US as soon as you step into the airport and go through customs.  There at least three major differences that apply to a government succeeding in managing a...
What To Do About Small Companies Running Critical Infrastructure

What To Do About Small Companies Running Critical Infrastructure

Last week’s article highlighted a recent paper, Fact and Fiction: Demystifying the Myth of the 85% by Azrilyant, Sidun and Dolashvili, and focused on the fact that 85% of the US population is served by public sector water companies, not the oft quoted 85%...

CISA Shields Up – Misleading & Wise

CISA launched their Shields Up campaign in mid-February purportedly to meet the increased threat Russia posed due the war in Ukraine. From the initial release: While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the...
Living With Dirty Cyber Assets

Living With Dirty Cyber Assets

The theme for S4x22 was No Limits. In my 10-minute opening of the event, I suggested one way to break free from limits is to take conventional wisdom and flip it. Look at the world as if the opposite were true. I gave three examples, and my favorite was: flipping...
The ICS Dichotomy of Surface Area

The ICS Dichotomy of Surface Area

I finished up Volume 3 of The Great Mental Models and the model, or concept, that has me thinking is Surface Area. Where we need to reduce it and where we need to expand it. The application to security is obvious and used in the chapter. We want to minimize the attack...
Will CISA Recommend Securing ICS?

Will CISA Recommend Securing ICS?

Hold on – – – hasn’t CISA since its birth and DHS before that recommended securing ICS? No, not really. The recommendations have been keep the attackers out, perform cyber hygiene, and detect attacks, but they have rarely recommended the monitoring...
Shields Up For ICS

Shields Up For ICS

The US CISA put out a Shields Up advisory in conjunction with Russia’s invasion of Ukraine. It’s probably necessary, as they would have been disparaged if they didn’t, and not terribly useful. The recommendations were primarily the same as they have been...
Let’s Talk: Level 0 and Risk Management

Let’s Talk: Level 0 and Risk Management

Three topics for this week’s article: Importance, Risk Management, and Level 0 Risk Reduction. Importance Joe Weiss, who I call the Paul Revere of ICS security for his yeoman’s work raising the alarm in the 2000 – 2010 decade, was not a fan of my...