OT Convergence and the Guidelines for OT’s Strategic Actions to combat the IT Invasion!



Several years ago I predicted that ICS system management would eventually fall under the CIO. This prognostication was met with ridicule and denial. Well, today is a different story and I have to say:

HA! I WAS RIGHT! Man that feels good!

So being an OT/IT Convergence Integrator and working with several clients on this tradition I learned from the best.

So for those dinosaurs trying to fight the Convergence efforts here is your guidebook…

BTW – I stole this from www.softpanorama.org


Guidelines for OT Strategic Actions to combat the IT Invasion!

Tactic 1. Strategic Noncompliance.

Agreeing upfront to take action while having no intention of taking that action, or cooperating in order to buy time to find a way of avoiding taking action. When you cannot easily refuse, then the simple response is to say yes then to delay and diminish your delivery. Make excuses, do the wrong thing or become unavailable. You can even band together with others to say ‘no’ in a collaborative voice (this is what Trade Unions can do).

Physical Safety and Cyber Security in ICS / Real Time Systems



Many times I have wondered what really makes Cyber Threats for Industrial Control Systems or Real Time Systems that different from traditional IT systems. There are thousands of documents that try to detail the differences, and I am sure that most get the gist of the statement, but few have tried to apply the thoughts in a real time environment. I think I will take a term that Dr. Jonathan Butts succinctly stated,

Building Automation Systems – Overlooked Unsecured Control Systems


Lighting, Heating, Ventilating and Air Conditioning provide comfort and safe working conditions. From Military Bases and Hospitals to Banking, SCADA systems enable real-time monitoring and trending of system performance, efficiency and output, reportedly to allow operations to predict problems before they occur. Many systems email or message engineers on a mobile phone, providing notification of control issues and system maintenance. Reporting systems monitor and evaluate trends in energy usage, as well as report and log maintenance records in any format desired. The remote viewing of real-time surveillance video, logging of personnel entry/exit, door status, window sensors and dedicated security system monitoring are often included within the building’s automation system.

Insurers learn about the cyber attack risk to critical infrastructure



In response to research that found cyber threats were shifting from data to operational technology, a division of Lloyd’s of London has announced a new type of insurance coverage to address increased cybersecurity risks to the electric utility industry.

“In-depth research by Lloyd’s of London insurer AEGIS London shows technology running the world’s critical infrastructure is increasingly at risk of cyber attack,” according to an April 9 press release announcing the CyberResilience insurance product.

The research, conducted by BAE Systems Applied Intelligence, focused on cyber attacks against power and utility companies in the United States, Europe and Canada. The research drew on incident reports from the U.S. Department of Homeland Security and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

The findings also show that utility companies “are better prepared to deal with cyber threats to their operational technology than many recent media reports have indicated.” But the BAE Systems report laments a lack of technological solutions to address these cyber threats.

“The biggest challenges energy companies and utilities face are constraints outside their control such as the lack of ‘adequate and mature technology solutions,'” the AEGIS London press release states.

The new insurance product, and its focus on critical infrastructure operators, fits with the Obama administration’s push for more rigorous cybersecurity measures at industrial facilities. The White House’s recently released framework of cybersecurity standards is focused on protecting critical infrastructure, including power plants, and the Federal Energy Regulatory Commission has directed the utility industry to toughen its cyber protection requirements for the grid.

Effective presentations… beware of surfing the buzzwords.

This year I decided to attend Dale Peterson’s S4 Conference. I had high hopes of getting up to date on the latest technology and information in the SCADA security world. After my first two sessions I felt like I was suffering from depersonalization disorder, floating above the room watching the inept presenters attempt to discuss systems and technologies that they too do not fully understand. Not that I am an expert by any means; however, I would like to feel like I’m getting information from those who do. Having presented at several conferences, I too have fallen into the feeling that I needed to include some of the latest buzzwords and attempt to entice interest. I have since discovered that it is always better to stick with what you really know well. We have all had to have dinner at your wife’s friend’s house, whose husband spent 4 solid hours talking about his floor tile business. At dinner that can induce thoughts of suicide by stabbing yourself in the heart with a butter knife; in the right crowd he is a guru. My suggestion: if you’re presenting, dive deep into your expertise and avoid buzzword surfing….

Digital Bond S4 2014

What makes a hacker, a hacker?




If Bruce Schneier is correct in his assessment of hackers: “In this same vein, computer networks have been plagued for years by hackers breaking into them. But these people aren’t breaking into systems for profit; they don’t commit fraud or theft. They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and just to see if they can… Hackers’ traditional and common defense is that they’re breaking into systems to test their security. They say the only way to learn about computer and network security is to attack systems. Never mind that these hackers don’t own the systems they’re breaking into; that’s just the excuse.” He points out that there is an ongoing controversial discussion about whether hackers are genuinely committing criminal acts while intruding into a network: “‘I was only testing security’ is not a valid defense. For years, we in the computer security field have heard that excuse. Because the hacker didn’t intend harm, because he just broke into the system and merely looked around, it wasn’t a real crime. Here’s a thought for you: imagine you return home and find the following note attached to your refrigerator: ‘I was testing the security of back doors in the neighborhood and found yours unlocked. I just looked around. I didn’t take anything. You should fix your lock.’ Would you feel violated? Of course you would.”

Establishing Command for a Cyber Incident – Part One



If one were to take a poll on how many industrial operators have a Cyber Incident Response Plan (CIRP), there would be an alarming number of organizations that fail to even realize the need. When I ask my customers about Industrial Control Systems Cyber Incident Response Planning, the opinions are clearly polarized. Most of my clients usually mumble through a loose interpretation of what sometimes sounds like their Emergency Response Plan that was created for the purpose of safety. The other answer that I get is that it’s something that they need to look at in the undetermined future. This scares me, ’cause what it says to me is “We’re gonna wait till we have an incident and then we will react to that by creating a plan for next time!” Creating an effective cyber incident response plan may seem like a daunting task, and like most insurance it’s often forgotten till it’s too late.

This may be my tallest soap box, but I am truly concerned that possibly 90% of critical infrastructure outside of power generation is not ready to respond to a cyber incident. In an effort to provide direction to the answer rather than join the normal group of armchair quarterbacks, I have researched some of the more successful incident responses and think one should begin with a focus on the Command structure.


Information Management and the productivity paradox



The ability to effectively manage and protect information has become critically important because it is becoming a basis for gaining a competitive advantage. Over the past decade companies have been struggling to understand the need and how to place a value on the protection of information in a competitive landscape. Many forward thinkers see information management as a source of value creation instead of what is traditionally considered a cost; information is an invisible asset that, when managed properly, can be used to leverage other firm resources, therefore increasing productivity. The ability to effectively manage information helps to ensure that firms are more attuned to changes in the market and could result in a competitive advantage over slower, ill-informed competitors.
