Listed in: Technology
Tweet Me! @digitalbond
Friday Newsletter: https://mailchi.mp/f53b1c8c2da0/friday
1. Six Sandworm attackers from Russia charged. Why was this done now and what does it accomplish?
2. More ICS vendors announced security services (ABB and Siemens). Will this be a good business? Is it good for asset owners?
3. ICS security vendors are creating risk metrics for cyber assets and zones (Claroty and ID announced). How should asset owners view these metrics?
Plus Jason has a Win and Prediction, and I give my Win, Fail and Prediction for October.
Jason Nations / Selena Larson S4x20 video - Understanding Our Adversaries
Thomas Rid's Active Measures book
ICS-Patch Decision Tree ... What To Patch When?
Finite State web page and Unsolicited Response episode
This month's stories include:
This is a solosode, as my planned guest got sick (not Covid). And I also start the podcast with some information on S4x21's cancellation and S4x22.
German death due to ransomware article
Sanjay Chhillar ICS Security Myth Presentation
DoE program to create and evaluate Schneider Electric SBOM (CyTRICS)
DoE funding NRECA ICS Detection Tool
In this episode I talk with Otis Alexander of MITRE about ATT&CK for ICS Evaluations. We begin with a discussion on ATT&CK and the ICS version of ATT&CK. If you are familiar with this, skip to 17:09 where we begin our discussion on the upcoming evaluations.
MITRE has created a Triton-type attack and will test companies' abilities to detect the various elements of this created attack. Five companies have signed up to be tested, and hopefully more will step up to this challenge.
Otis and I get into the details on how the testing takes place, the scope of the testing, how the results will be reported out, the value of the results to asset owners, and more.
In this episode of the Unsolicited Response podcast I talk with Ed Albanese, the VP Internet of Things at Splunk, about the OT Security Add-On.
This is a more detailed, technical episode as I try to dig into the features and benefits of the integration today and where it can be improved in the future. This includes:
Splunk OT Security Add-On Announcement
Splunk OT Security Add-On Software Download Page
So I wanted to discuss this with someone with significant experience in both OT and IT security. Lesley Carhart of Dragos was a great choice. Before Dragos she worked for Motorola and was involved with incident response for both OT and mission critical IT.
I talk and opine a bit more than normal in this episode because I have strong feelings on this topic.
Send any comments or suggestions to s4@digitalbond.com, and subscribe if you haven't already.
Lesley Carhart on Twitter: @hacksforpancakes
Lesley Carhart personal website
Lesley's DerbyCon session: Confessions of an IT / OT Marriage Counselor
The S4 Closing Panel is always a candid discussion on where the community is in securing ICS, where we are succeeding and where we need to do better. This year I was joined by Rob Lee of Dragos and Zach Tudor of INL.
Also note that the S4x20 Call For Presentations closes on Thursday (August 15).
This episode was sponsored by aeSolutions. aeSolutions is an engineering and consulting company specializing in process safety and industrial cybersecurity. aeSolutions has pioneered the CyberPHA methodology which is a proven method to assess industrial control system (ICS) cybersecurity risk leveraging well established process safety techniques.
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation. Check out the 2019 CyberX Global ICS and IIoT Risk Report, the CyberX report on the NIS Directive, and my podcast from last year on the report with Phil Neray.
In this episode of the Unsolicited Response Podcast I interview Megan Samford and Rick Cherney of Rockwell Automation.
We cover two main topics. First, we discuss how they are dealing with vulnerabilities reported to them by researchers and other means. We focus on how this has progressed over the years as well as how vendors could provide more useful vulnerability and remediation information to their customers.
Second, we discuss Rockwell Automation getting past the Insecure By Design issue that has plagued the Level 1 / PLC devices, most notably through signed firmware and ICS protocol security in CIP Security. We also delve into the challenges of getting CIP Security deployed in both greenfield and legacy systems.
I begin the podcast with a brief tribute to Mike Assante's unique skills and how they helped the ICS security effort. They pale in importance to the tributes of Mike as a father, friend and mentor, but nevertheless were impressive and hopefully some can pick up the load.
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.
This episode was sponsored by aeSolutions. aeSolutions is an engineering and consulting company specializing in process safety and industrial cybersecurity. aeSolutions has pioneered the CyberPHA methodology which is a proven method to assess industrial control system (ICS) cybersecurity risk leveraging well established process safety techniques.
Forescout's acquisition of SecurityMatters for $113M in cash was the first major exit from the OT Detection Space (or broader passive monitoring market as you will hear in the podcast). I spoke with Brian Proctor about a number of issues including:
WARNING: If you are one who gets offended by commercial content in a presentation or podcast, perhaps you should skip this episode. When the primary topic is a company's strategy to address the market it is impossible to expect the guest to not promote their offerings. The answers to my questions almost required a response that would be considered promotional. I will write up my analysis of the Forescout strategy in the upcoming weeks.
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.
This episode was sponsored by aeSolutions. aeSolutions is an engineering and consulting company specializing in process safety and industrial cybersecurity. aeSolutions has pioneered the CyberPHA methodology which is a proven method to assess industrial control system (ICS) cybersecurity risk leveraging well established process safety techniques.
In this episode, I interview Jonathan Homer, the Chief of the Industrial Control Systems Group / Hunt and Incident Response Team at DHS.
We discuss:
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.
This episode was sponsored by aeSolutions. aeSolutions is an engineering and consulting company specializing in process safety and industrial cybersecurity. aeSolutions has pioneered the CyberPHA methodology which is a proven method to assess industrial control system (ICS) cybersecurity risk leveraging well established process safety techniques.
This recording is from a panel discussion on understanding and reducing the consequence side of the risk equation (risk = consequence * likelihood). Joining me in this discussion are:
The two gentlemen begin by explaining their respective consequence-based approaches to risk assessment and risk management, and the diagrams they refer to are below.
INL CCE Approach In One Slide
aeSolutions CyberPHA Approach In One Slide
After the initial descriptions we discuss:
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.
Check out the 2019 CyberX Global ICS and IIoT Risk Report, the CyberX report on the NIS Directive, and my podcast from last year on the report with Phil Neray.
In a recent article a researcher proclaimed it's "not hard for a hacker to capsize a ship at sea". This was quickly followed by the Viking Sky cruise ship having its engines shut off due to a sensor reading.
Not knowing much about maritime control systems, I brought two experts from Moran Cyber on the podcast to discuss the issue: Captain Alex Soukhanov (a Master Mariner and Director at Moran Cyber) and Greg Villano (Senior Maritime Cybersecurity Engineer at Moran Cyber). Both Alex and Greg have spent their careers on ships and now are working to secure the control systems that are becoming more essential every year.
Because I don't know much about this sector, you hear the line of questioning that is used to begin to understand risk. It actually focuses more on impact and recovery than on a list of specific security controls. It appears the maritime industry will face increasing challenges as it moves away from ships that can continue to operate with manual operations.