SEC: Incentives and Outcomes

SEC: Incentives and Outcomes

Show me the incentive; I’ll show you the outcome. Charlie Munger The SEC requirement for US public companies to disclose, in an 8K form, any cyber attacks that will have a material impact on the business went into effect in November, 2023. Unsurprisingly this has led...
Proposed Government Metric – Internet Exposed OT

Proposed Government Metric – Internet Exposed OT

This is third in a series of suggested metrics governments could use to measure OT security posture, incidents, and risk … something desperately needed and consistently avoided. Metric 1: Impacted People Days Metric 2: Leading Indicator Metrics Metric 3:...
Leading Indicator Metrics (Inspired by API RP 754)

Leading Indicator Metrics (Inspired by API RP 754)

Part 1 of this article is from my S4x24 Keynote: Believe!. Part 2 is the suggested related metrics for the US and other governments. Are some of you having trouble with Total Recordable Incident Rate? Or the SEC material incident rate? Or these outage pie charts. I...
RSA Conference: OT Vs. IT Vs. Convergence

RSA Conference: OT Vs. IT Vs. Convergence

One of the first articles or presentations those new to OT generate is how OT is different from IT. Like other uses of T, there are tasks, goals and constraints that are different in OT than the employee desktop, application, server and infrastructure environment that...
Proposed Government Metric – Impacted People Days

Proposed Government Metric – Impacted People Days

This is the first in a series of articles on proposed government metrics (US and other) to measure the consequence of critical infrastructure OT cyber incidents. Impacted People Days – – The number of people impacted by an OT cyber incident multiplied by...
US National Cybersecurity Strategy Implementation Plan V2.0

US National Cybersecurity Strategy Implementation Plan V2.0

This is the first iteration of the Implementation Plan, which is a living document that will be updated annually. US National Cybersecurity Strategy Implementation Plan, July 2023 We should be seeing the annual update, Version 2.0, of the Implementation Plan this...
A Barbell Strategy For OT Security

A Barbell Strategy For OT Security

The barbell strategy is most common in finance and became more widely known after its use in Taleb’s Antifragile. Barbell Strategy: A dual strategy, a combination of two extremes, one safe and one speculative, deemed more robust than a “monomodal” strategy;...
Clorox Investor Cyber Incident Concerns

Clorox Investor Cyber Incident Concerns

Lost Manufacturing Capacity & Recovering Shelf Space Clorox had suffered a cyber incident on their enterprise network, not OT, in August of 2023. They lost 26% of their manufacturing capacity during that quarter as they had to move to manual order processing....
Water Hysteria and Reality

Water Hysteria and Reality

Reality There has not been a publicly disclosed cyber incident on a US water utility’s OT system that has affected the delivery of safe, drinkable water for years. There has not been a publicly disclosed cyber incident that can even be called a near miss. Not...