Unsolicited Response Podcast
Other episodes:
- S4x24 Closing Panel
- Q1: ICS Security In Review. Emma Stewart joins Dale to discuss the 3 big OT & ICS security stories from the first quarter. They end by giving their win, fail and prediction for Q1.
- S4x24 Preview
- Predictions Analyzed. In this solosode episode Dale reviews the status of his three predictions from the Q1, Q2 and Q3 quarter in review episodes and answers a listener question.
- Q4 ICS Security Quarter In Review
- CISA Attack Surface Scanning Service. Dale is joined by Steve Pozza, CISA Section Chief of Operational Resilience, and Tom Millar, CISA Branch Chief of Resilience, to discuss some of CISA's security services for asset owners. They discuss: the Internet accessible attack surface enumeration and vulnerability scanning service. Asset owners can buy products or services to do this. Why is the government doing this? What is CISA doing with this attack surface data? How is CISA measuring the success of this service offering? Other broadly available services and tools, the cybersecurity performance goals (CPG assessment) ~500 done in...
- Engineering-Grade OT Security with Andrew Ginter. Andrew Ginter published his third book this year: . Dale interviews Andrew on the book including: Who was the target reader that Andrew wrote the book for? Do (should) professional engineers lose their licenses for poor and dangerous cybersecurity design and deployments? The use of the term engineering grade, and how he defines it. Unhackable protection and safety controls as a major part of engineering grade. Unidirectional (one-way) network devices as the only security control listed as engineering grade. Is one-way from the enterprise network to the OT network engineering grade? Given the...
- Asset Inventory, Lawyers, and AI. This week is a Dale Peterson solosode. Updates and Announcements: Dale provides updates about S4x24 ticket sales and announces the Women In ICS Security program and sponsor package. Main Topics: Asset Inventory in Cybersecurity: Dale challenges the common security mantra "You can't protect what you don't know," using examples from both physical and cyber domains. He notes many of the comments on this week's article missed the main point, and he gives hints on the next two asset inventory articles. Legal and Regulatory Issues in Cybersecurity: Dale emphasizes the importance of domain expertise...
- Is The Purdue Model Dead (E)
In this episode of the Unsolicited Response Podcast I interview Megan Samford and Rick Cherney of Rockwell Automation.
We cover two main topics. First, we discuss how they handle vulnerabilities reported to them by researchers and through other channels. We focus on how this has progressed over the years, as well as how vendors could provide more useful vulnerability and remediation information to their customers.
Second, we discuss Rockwell Automation getting past the Insecure By Design issue that has plagued Level 1 / PLC devices, most notably with signed firmware and the ICS protocol security in CIP Security. We also delve into the challenges of getting CIP Security deployed in both greenfield and legacy systems.
I begin the podcast with a brief tribute to Mike Assante's unique skills and how they helped the ICS security effort. They pale in importance next to the tributes to Mike as a father, friend and mentor, but they were nevertheless impressive, and hopefully others can pick up the load.
Links
- CIP Security Video from S4
- Rockwell Automation Security Home Page
- Rockwell Automation Industrial Security Advisory Index (Requires Account Registration)
- Factory Talk Policy Manager Getting Results Guide (CIP Security Configuration Software)
- S4x20 Call For Presentations
- Just three of the many Mike Assante tributes are an article on CSO from Aaron Turner, Rob Lee’s blog and a final message from Mike to the community.
Sponsors
This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.
This episode was sponsored by aeSolutions. aeSolutions is an engineering and consulting company specializing in process safety and industrial cybersecurity. aeSolutions has pioneered the CyberPHA methodology which is a proven method to assess industrial control system (ICS) cybersecurity risk leveraging well established process safety techniques.