Select Blog Posts
Cyber Retaliation: The Iranian Threat
On January 4 the U.S. Department of Homeland Security issued a National Terrorism Advisory Alert cautioning U.S. targets that Iran may carry out physical or cyber attacks in retaliation for the U.S. strike that killed Iranian IRGC-Quds Force commander Qassem Soleimani in Iraq. The alert pointed out that Iran has a robust cyber program able to bring about - at the very least - temporary disruption of U.S. critical infrastructure and other targets, and possibly much worse.
What to do about this threat? The alert suggests measures such as sharing information and very elementary cyber hygiene: backups and multi-factor authentication. By recommending these measures, the alert implies they would effectively protect against a concerted Iranian cyber assault.
Secure Operations Technology
I am pleased to announce the general availability of my new book, Secure Operations Technology (SEC-OT). SEC-OT is a perspective, a methodology and a set of best practices that document what thoroughly-secured industrial sites actually do. What these sites do differs sharply from what most industrial sites do.
Most industrial sites practice IT Security (IT-SEC) whose focus is to “protect the information” — the CIA, the AIC, the IAC, or the something of the information. The focus at secure industrial sites though, is protecting the safe, reliable, continuous and correct operation of the physical, industrial process, not protecting information. Indeed, secure sites are focused on precisely the opposite — protecting correct and continuous physical operations from information, more specifically from cyber attacks that may be embedded in information.
Defining Industrial Security
The beginning of wisdom is the definition of terms.
- Socrates (470 - 399 B.C.)
Definitions are important - good ones shape our understanding of concepts while poor ones impair that understanding. Consider the definition:
pen: a tube of ink with a tiny ball bearing at the tip
How useful is that definition? If we give the definition to a non-English-speaker, would it seem like a word worth remembering? Consider a different definition:
pen: a tool for writing or drawing with ink
Someone new to the language would likely hear this second definition and say "ahh - so that's what those things are called," because she sees people using pens every day.
Now consider the definitions of "cybersecurity" and "information security".
The Meltdown / Spectre saga continues. Ulf Frisk just posted a description of a vulnerability he has coined "Total Meltdown". It seems that Microsoft developers introduced an even worse vulnerability while fixing the Meltdown vulnerability in Windows 7 and Windows 2008 Server R2. With this broken Meltdown "fix" installed, any program can read or write any word in any other program's memory, or the kernel's memory for that matter, just by reaching out and touching - no special tricks required. The cure is worse than the disease.
Protecting Industrial Control Systems from Spectre and Meltdown
Nuclear Security Compromise - Not On Our Watch
Recent reports of cyber attacks on U.S. nuclear reactors have cast public doubt on the strength of cyber protections at nuclear power plants. The response from nuclear plants has resoundingly been "no need to panic, nothing to see here," but other pundits are saying "I'm not sure I believe that." Looking between these narratives, what should the public believe?
Insights From The NERC CIP Emerging Technologies Round Table
I recently attended the NERC CIP Emerging Technologies Round Table meeting on Cloud & IoT, where a primary focus was Bulk Electric System (BES) Cyber Systems in the cloud. BES Cyber Systems are systems with an adverse effect on the BES within 15 minutes of failure or compromise. Interestingly, the most thought-provoking discussion at the end of the day had to do with the Internet, not with the cloud.
Control Is Not Data
IT gurus tell us that control system security is essentially the same as IT security, and that both are about "protecting the data." The gurus tell us that, yes, there are two kinds of "data" in control systems - monitoring data and control data - but "data is data." They tell us that all we need to do is protect the CIA, or AIC, or IAC, or something, of the data and we're done - we're secure.
They are wrong.
SCADA Security Site Launched
www.scada-security.ca is live. The site is focused on approaches to modern SCADA Security education. One of the things I'm doing at Waterfall Security Solutions is working with a couple of different universities to add SCADA security content to their undergraduate and graduate programs. As those efforts bear fruit, I will be posting pointers here to different sorts of course content.
SCADA Security Published
SCADA Security - What's broken and how to fix it is live on Amazon in soft-cover and Kindle formats. The book's launch was the Waterfall/TDi mingle at the ICSJWG last month, with copies available for all ICSJWG attendees compliments of Waterfall Security Solutions.
Protecting Critical Infrastructure Published
Cyber-Physical Security - Protecting Critical Infrastructure at the State and Local Level was published recently. I contributed chapter 4 "Cyber Perimeters for Critical Infrastructures." Essential to modern thinking about control system network perimeters is the concept of "trust," "criticality," or "impact" - different authors use different words for the concept.