Here is an anonymized question I received after the Mitsubishi Electronics acquisition of Nozomi Networks. I have a project ongoing right now to select an asset inventory/detection product. This news hit right before our proof of concept phase, and obviously I...
Check out Part 1 here. We Won: An OT Security Community There is a thriving OT security community in 2025. This is a huge win. We started S4 in 2007 because there was no place where one of our researchers could present the first publicly disclosed OT vulnerabilities...
It’s been 24 years since the 9/11 attacks, and the beginning of serious OT security concerns. It’s been 15 years since Stuxnet was discovered. The results are an odd dichotomy. We Won – The Impact Of OT Cyber Incidents Has Been Minimal Experts have...
I had a number of public comments and private “yes, and” conversations after last week’s US Government (USG) Reset article similar to: just as government needs to show results, so does industry. Outside of entrenched, IT specific security providers,...
CISA and other US government departments have accomplished little in OT cyber security and risk management over the past two decades. There has been an increase in funding and activity, not results. While the loss of talent and capability this year in the USG is...
What Will Fall Next? A common refrain for any new proposed technology: It Won’t Work In OT. A short and incomplete list or examples: 90’s: Windows and Ethernet (yes, there was a battle with many experts insisting Windows workstations and servers connected by Ethernet...
We’ve received a few proposed sessions on quantum cryptography in OT in our S4x26 Call For Presentations. This isn’t new. We’ve received these every year this decade. They don’t get selected. Why? S4’s motto is Create The Future. While...
The US House Homeland Security Committee’s subcommittee on Cybersecurity and Infrastructure Protection is holding a hearing today entitled Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats To Critical Infrastructure. Two of the four...
We can’t answer that question yet, and it’s the time to figure out how we will measure their effectiveness. The EU and its member states are working furiously to figure out how to regulate, implement, and audit the Cyber Resilience Act (CRA) and Network...
Let’s start with the data, then the analysis. Source: Notes on the data: A material cyber incident should be reported in an 8K as an Item 1.05. The SEC also encourages reporting of cyber attacks that are immaterial or pending material determination in an 8K as...
