Unsolicited Response Podcast
Waterfall Security Solutions and ICSSTRIVE put out an annual threat report that Dale Peterson believes is the best in OT. Why? It only includes incidents that had physical consequences on systems monitored and controlled by OT. Dale and Andrew discuss: What is in and out of scope for the report. The breakdown of the 68 incidents that occurred in 2023 by industry sector, cause, threat actor and more. The impact reporting requirements may have on these numbers in the future. What percentage of OT cyber incidents with physical consequences are made public. Ransomware on IT causing...
info_outline State Of NERC CIP, European Update and OT Security CommunityUnsolicited Response Podcast
Patrick Miller has OT cybersecurity experience as an asset owner, PacificCorp. As a regulator and one of the first NERC CIP auditors with WECC. As a community organizer creating and leading EnergySec and the BeerISAC. And as an entrepreneur creating and leading a number of consulting practices. He is currently the Founder of Ampyx Cyber. In this episode Patrick and Dale discuss: Why Patrick changed the company name and selected Talinn as the location for the new European office. The major differences in approaches to OT cybersecurity and risk management between Europe and the US....
info_outline Book Interview: Introduction To SBOM And VEXUnsolicited Response Podcast
info_outline S4x24 Closing PanelUnsolicited Response Podcast
info_outline Q1: ICS Security In ReviewUnsolicited Response Podcast
Emma Stewart joins Dale to discuss the 3 big OT & ICS security stories from the first quarter. They end by giving their win, fail and prediction for Q1.
info_outline S4x24 PreviewUnsolicited Response Podcast
info_outline Predictions AnalyzedUnsolicited Response Podcast
In this solosode episode Dale reviews the status of his three predictions from the Q1, 2 and 3 quarter in review episodes and answers a listener question.
info_outline Q4 ICS Security Quarter In ReviewUnsolicited Response Podcast
info_outline CISA Attack Surface Scanning ServiceUnsolicited Response Podcast
Dale is joined by Steve Pozza, CISA Section Chief of Operational Resilience, and Tom Millar, CISA Branch Chief of Resilience, to discuss some of CISA's security services for asset owners. They discuss: The Internet accessible attack surface enumeration and vulnerability scanning surface. Asset owners can buy products or services to do this. Why is the government doing this? What CISA is doing with this attack surface data? How is CISA measuring the success of this service offering? Other broadly available services and tools, the cybersecurity performance goals (CPG assessment) ~500 done in...
info_outline Engineering-Grade OT Security with Andrew GinterUnsolicited Response Podcast
Andrew Ginter published his third book this year: . Dale interviews Andrew on the book including: Who was the target reader that Andrew wrote the book for? Do (should) professional engineers lose their licenses for poor and dangerous cybersecurity design and deployments? The use of the term engineering grade, and how he defines it. Unhackable protection and safety controls as a major part of engineering grade. Unidirectional (one-way) network devices as the only security control listed as engineering grade. Is one-way from the enterprise network to the OT network engineering grade? Given the...
info_outlineHow much does a security control reduce cyber risk? What control or mix of controls provides the most efficient cyber risk reduction? Tough questions that a team of researchers at INL and Sandia tried to answer in a project.
Two of the researchers, Jay Johnson of Sandia and Jake Gentle of INL, join Dale on the show to talk about the metrics and results. The project was Cyber Resilience for Wind Installations, but the metrics and results are applicable to every sector. We get into the weeds on this episode and discuss:
- how they created the test environment
- the two attack scenarios (and why only two and how easy it would be to expand)
- the physical resilience score
- the cyber resilience score
- the results from four different mixes of security controls
- areas for further testing and improvement
- and a tiny bit about trying to calculate an Expected Benefit from Cybersecurity Investment, which is a bit like ROI and how much money to spend.
Links
• Video: https://www.youtube.com/watch?
• IEEE Access Journal Paper: https://ieeexplore.ieee.org/
• POWER magazine article: https://www.powermag.com/
• 2-page flyer: https://www.researchgate.net/
• Final project report: https://www.researchgate.net/