Metrics: How Effective Is A Security Control?

Unsolicited Response

Player FM - Internet Radio Done Right

הוסף לפני six שנים

תוכן מסופק על ידי Dale Peterson, Dale Peterson: ICS Security Catalyst, and S4 Conference Chair. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Dale Peterson, Dale Peterson: ICS Security Catalyst, and S4 Conference Chair או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

The Big Pitch with Jimmy Carr

1
Phil Wang Pitches Psychological Thriller Starring WHO?! 25:00

לפני יומיים25:00

הפעל מאוחר יותר

רשימות

לייק

אהבתי

25:00

It’s the very first episode of The Big Pitch with Jimmy Carr and our first guest is Phil Wang! And Phil’s subgenre is…This Place is Evil. We’re talking psychological torture, we’re talking gory death scenes, we’re talking Lorraine Kelly?! The Big Pitch with Jimmy Carr is a brand new comedy podcast where each week a different celebrity guest pitches an idea for a film based on one of the SUPER niche sub-genres on Netflix. From ‘Steamy Crime Movies from the 1970s’ to ‘Australian Dysfunctional Family Comedies Starring A Strong Female Lead’, our celebrity guests will pitch their wacky plot, their dream cast, the marketing stunts, and everything in between. By the end of every episode, Jimmy Carr, Comedian by night / “Netflix Executive” by day, will decide whether the pitch is greenlit or condemned to development hell! Listen on all podcast platforms and watch on the Netflix Is A Joke YouTube Channel . The Big Pitch is a co-production by Netflix and BBC Studios Audio. Jimmy Carr is an award-winning stand-up comedian and writer, touring his brand-new show JIMMY CARR: LAUGHS FUNNY throughout the USA from May to November this year, as well as across the UK and Europe, before hitting Australia and New Zealand in early 2026. All info and tickets for the tour are available at JIMMYCARR.COM Production Coordinator: Becky Carewe-Jeffries Production Manager: Mabel Finnegan-Wright Editor: Stuart Reid Producer: Pete Strauss Executive Producer: Richard Morris Executive Producers for Netflix: Kathryn Huyghue, Erica Brady, and David Markowitz Set Design: Helen Coyston Studios: Tower Bridge Studios Make Up: Samantha Coughlan Cameras: Daniel Spencer Sound: Charlie Emery Branding: Tim Lane Photography: James Hole…

לפני שנתיים 49:56

MP3•בית הפרקים

Two of the researchers, Jay Johnson of Sandia and Jake Gentle of INL, join Dale on the show to talk about the metrics and results. The project was Cyber Resilience for Wind Installations, but the metrics and results are applicable to every sector. We get into the weeds on this episode and discuss:

how they created the test environment
the two attack scenarios (and why only two and how easy it would be to expand)
the physical resilience score
the cyber resilience score
the results from four different mixes of security controls
areas for further testing and improvement
and a tiny bit about trying to calculate an Expected Benefit from Cybersecurity Investment, which is a bit like ROI and how much money to spend.

Links

• Video: https://www.youtube.com/watch?v=bBLbLUFKzIc

• IEEE Access Journal Paper: https://ieeexplore.ieee.org/document/10043706

• POWER magazine article: https://www.powermag.com/cyber-resilience-for-wind-power-installations/

• 2-page flyer: https://www.researchgate.net/publication/367074443_Cyber_Resilience_for_Wind_Installations_A_Cyber_Resilient_Reference_Architecture

• Final project report: https://www.researchgate.net/publication/368599508_Hardening_Wind_Energy_Systems_from_Cyber_Threats-Final_Project_Report

52 פרקים

#Tech #Dalepeterson #Digitalbond #Icssecurity #Scadahacking #Scadasecurity #Dale Peterson #Dale Peterson: ICS Security Catalyst #S4 Conference Chair #News #Tech News #IIoT

Metrics: How Effective Is A Security Control?

Unsolicited Response

published לפני שנתיים

שתפו

MP3•בית הפרקים

how they created the test environment
the two attack scenarios (and why only two and how easy it would be to expand)
the physical resilience score
the cyber resilience score
the results from four different mixes of security controls
areas for further testing and improvement
and a tiny bit about trying to calculate an Expected Benefit from Cybersecurity Investment, which is a bit like ROI and how much money to spend.

Links

• Video: https://www.youtube.com/watch?v=bBLbLUFKzIc

• IEEE Access Journal Paper: https://ieeexplore.ieee.org/document/10043706

• POWER magazine article: https://www.powermag.com/cyber-resilience-for-wind-power-installations/

• 2-page flyer: https://www.researchgate.net/publication/367074443_Cyber_Resilience_for_Wind_Installations_A_Cyber_Resilient_Reference_Architecture

• Final project report: https://www.researchgate.net/publication/368599508_Hardening_Wind_Energy_Systems_from_Cyber_Threats-Final_Project_Report

52 פרקים

#Tech #Dalepeterson #Digitalbond #Icssecurity #Scadahacking #Scadasecurity #Dale Peterson #Dale Peterson: ICS Security Catalyst #S4 Conference Chair #News #Tech News #IIoT

כל הפרקים

1
Unsolicited Response with Maggie Morganti 49:09

לפני 11 weeks49:09

49:09

Dale Peterson discusses with Maggie how she got into OT security, her recent move to the Financial Sector, women in ICS security, and more.

1
S4x25 Feedback & Review 23:14

לפני 12 weeks23:14

23:14

If you're not interested in S4, skip this episode. Dale goes over the feedback from the survey and S4 Event's own thoughts on the event, Tampa, and more.

1
Joel Langill On His New OT Security Training Class And More 50:34

לפני 28 weeks50:34

50:34

Dale Peterson speaks with Joel Langill, the SCADAHacker, about his new training course entitled Conducting Threat, Vulnerability, and Risk Assessments For ICS. A two day version of this course will be offered prior to S4x25 . Of course Dale and Joel jump around a bit on training, the workforce and other items. Take a listen.…

1
S4x24 Main Stage Interview With Stewart Baker 30:52

לפני 46 weeks30:52

30:52

Stewart Baker is one of the preeminent lawyers on topics of cyber law with an impressive career in and out of government. Stewart also hosts the Cyberlaw podcast. The Biden administration is contending that vendors should be held liable for security deficiencies in their products. Assuming this is turned into law and/or executive orders, what does it mean? What can we learn from other liability law to inform us what would be required for a vendor to be held liable for a security issue? How would the judgment / damages be determined. Dale's note: We talk about the SEC charges against SolarWinds in this interview.…

1
S4x24 Main Stage Interview With Rob Lee 33:31

לפני 48 weeks33:31

33:31

Dale Peterson interviews Rob Lee on the S4 Main Stage. They cover a lot of ground and Rob is never shy about sharing his opinions and analysis. They discuss: Rob’s first S4 PIPEDREAM deployed v. employed distinction … and why 2 years later is it still the most dangerous ICS malware? Are we really more homogenous? What makes a group something that Rob/Dragos tracks as an ICS focused attacker? If the answer to intel is do the basics, do I need intel? What ICS specific data was VOLTZITE exfiltrating? What countries are targeting critical infrastructure? Is it realistic to expect any country to not target its adversaries CI? Threat actors focused on manufacturing How should an asset owner measure the effectiveness of their detection solution?…

1
Chris Hughes, Author of Effective Vulnerability Management 43:55

לפני 1 year43:55

43:55

Chris Hughes and Nikki Robinson recently wrote the book Effective Vulnerability Management. Dale and Chris discuss the topic and book including: The definition and scope of vulnerabilities. It’s much more than coding errors that need patches. Are ICS protocols lacking authentication “vulnerabilities” The reality that most organizations have 100’s of thousands of unpatched vulnerabilities. Some statistics and will this change. Ways to prioritize what vulnerabilities you address. The SSVC decision tree approach that was introduced at S4 as Never, Next, Now Tooling … vulnerability management, software configuration, ticketing, remediation. And much more. Links: Effective Vulnerability Management, https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207/ Dale’s ICS-Patch Decision Tree, https://dale-peterson.com/wp-content/uploads/2020/10/ICS-Patch-0_1.pdf…

1
2024 Threat Report – OT Cyber Attacks with Physical Consequences 53:22

לפני 1 year53:22

53:22

Waterfall Security Solutions and ICSSTRIVE put out an annual threat report that Dale Peterson believes is the best in OT. Why? It only includes incidents that had physical consequences on systems monitored and controlled by OT. Dale and Andrew discuss: What is in and out of scope for the report. The breakdown of the 68 incidents that occurred in 2023 by industry sector, cause, threat actor and more. The impact reporting requirements may have on these numbers in the future. What percentage of OT cyber incidents with physical consequences are made public. Ransomware on IT causing physical consequences, exfil v. encryption, and what asset owners should do given this represents 80% of the known incidents in the report. And more. Links: 2024 Threat Report: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/2024-threat-report-ot-cyberattacks-with-physical-consequences/ ICSSTRIVE: https://icsstrive.com S4 Events YouTube Channel: https://youtube.com/s4events…

1
State Of NERC CIP, European Update and OT Security Community 46:46

לפני 1 year46:46

46:46

Patrick Miller has OT cybersecurity experience as an asset owner, PacificCorp. As a regulator and one of the first NERC CIP auditors with WECC. As a community organizer creating and leading EnergySec and the BeerISAC. And as an entrepreneur creating and leading a number of consulting practices. He is currently the Founder of Ampyx Cyber. In this episode Patrick and Dale discuss: Why Patrick changed the company name and selected Talinn as the location for the new European office. The major differences in approaches to OT cybersecurity and risk management between Europe and the US. (more than just regulatory differences) What has the EU learned or improved on regulation from NERC CIP. What is the current state of NERC CIP regulatory risk? Are the regulated entities understanding and meeting the standards’ requirements? The challenge of slow NERC CIP modifications, eg virtualization and cloud. Bad standard & good regulator v. good standard & bad regulator. Should water follow the NERC CIP model as recommended by AWWA? How Patrick is dealing with AI. Links Ampyx Cyber: https://ampyxcyber.com Patrick’s Critical Assets Podcast: https://amperesec.com/podcast Subscribe to Dale’s ICS Security Friday News & Notes: https://friday.dale-peterson.com/signup Advertise on Unsolicited Response: https://dale-peterson.com/advertising/…

1
Book Interview: Introduction To SBOM And VEX 59:20

לפני 1 year59:20

59:20

1
S4x24 Closing Panel 36:25

לפני 1 year36:25

36:25

1
Q1: ICS Security In Review 49:51

לפני 1 year49:51

49:51

Emma Stewart joins Dale to discuss the 3 big OT & ICS security stories from the first quarter. They end by giving their win, fail and prediction for Q1.

1
S4x24 Preview 47:35

לפני 1 year47:35

47:35

1
Predictions Analyzed 11:20

לפני 1 year11:20

11:20

In this solosode episode Dale reviews the status of his three predictions from the Q1, 2 and 3 quarter in review episodes and answers a listener question.

1
Q4 ICS Security Quarter In Review 56:34

לפני 1 year56:34

56:34

1
CISA Attack Surface Scanning Service 30:01

לפני 1 year30:01

30:01

Dale is joined by Steve Pozza, CISA Section Chief of Operational Resilience, and Tom Millar, CISA Branch Chief of Resilience, to discuss some of CISA's security services for asset owners. They discuss: The Internet accessible attack surface enumeration and vulnerability scanning surface. Asset owners can buy products or services to do this. Why is the government doing this? What CISA is doing with this attack surface data? How is CISA measuring the success of this service offering? Other broadly available services and tools, the cybersecurity performance goals (CPG assessment) ~500 done in 2023 (and their thinking about self-assessments), Malcom traffic analysis tool, and a couple of other tools. Links CISA Vulnerability Scanning Services Malcolm Tool…

Unsolicited Response

1
Engineering-Grade OT Security with Andrew Ginter 53:46

לפני 2 years53:46

53:46

Andrew Ginter published his third book this year: Engineering-Grade OT Security . Dale interviews Andrew on the book including: Who was the target reader that Andrew wrote the book for? Do (should) professional engineers lose their licenses for poor and dangerous cybersecurity design and deployments? The use of the term engineering grade, and how he defines it. Unhackable protection and safety controls as a major part of engineering grade. Unidirectional (one-way) network devices as the only security control listed as engineering grade. Is one-way from the enterprise network to the OT network engineering grade? Given the ICSSTRIVE/Waterfall report that 75% of all cyber incidents affecting operations are due to ransomware on IT, should asset owners prioritize address this issue or engineering grade security first? What is keeping Andrew working rather than retiring Links Complete this form to get a free copy of the book…

Unsolicited Response

1
Asset Inventory, Lawyers, and AI 27:37

לפני 2 years27:37

27:37

This week is a Dale Peterson solosode. Updates and Announcements Dale provides updates about S4x24 ticket sales and announces the Women In ICS Security program and sponsor package. Main Topics Asset Inventory in Cybersecurity: Dale challenges the common security mantra "You can't protect what you don't know," using examples from both physical and cyber domains. He notes many of the comments on this week's article missed the main point, and he gives hints on the next two asset inventory articles. Legal and Regulatory Issues in Cybersecurity: Dale emphasizes the importance of domain expertise whether it be cybersecurity or the legal profession. He previews upcoming keynote interviews with legal experts and advises cybersecurity professionals against making legal analyses without proper expertise. Artificial Intelligence in Cybersecurity: Dale reveals that most AI submissions for S4 were broad and hand wavy. This isn't wrong, but most have heard this info by now. He then discusses the need for focusing on specific, real-world applications of AI and stresses the importance of measurable improvements in this age of experimentation.…

Unsolicited Response

1
Is The Purdue Model Dead (E) 32:26

לפני 2 years32:26

32:26

Unsolicited Response

1
Kelly Shortridge - Security Chaos Engineering in ICS 47:15

לפני 2 years47:15

47:15

Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems . Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in Nonproduction environments" The experiment / scientific method approach and how it can start small The Danger Zone: tight coupling and complex interactions How should ICS use Chaos Engineering…

Unsolicited Response

1
IACS System Testing and Assessment Rating (STAR) Methodology with Don Weber 39:28

לפני 2 years39:28

39:28

Don Weber joins Dale Peterson to describe his IACS STAR Methodology to score the risk of a vulnerability to an ICS (or IACS in 62443-speak). It is a modification of the OWASP Risk Rating Methodology. Don has modified some of the 16-factors to create IACS STAR. The methodology and code is available on GitHub and a calculator is available on line. Don and Dale discuss: What Don likes about the OWASP Risk Rating Potential issues with putting numbers to SME judgment Differences between IACS STAR and the OWASP Risk Rating The weighting of the 16 factors The future of IACS STAR Links Slides Discussed In The Show: https://dale-peterson.com/wp-content/uploads/2023/10/IACS-STAR.pdf IACS STAR GitHub Repo: https://github.com/cutaway-security/IACS_STAR_Methodology IACS STAR Calculator: https://iacs-star-calculator.com/iacs_star_calculator.html Cutaway Security Website: https://www.cutawaysecurity.com ICS-Patch Decision Tree: https://dale-peterson.com/wp-content/uploads/2020/10/ICS-Patch-0_1.pdf…

Unsolicited Response

1
Dave Whitehead On SBOMs, Manufacturing in the US, and more 40:38

לפני 2 years40:38

40:38

Dave Whitehead, CEO of SEL, joins Dale on the show to talk about: The new SEL printed circuit board (PCB) factory in Idaho. Why they bucked the trend and did this. The benefits, the ROI, and more. SEL's position on providing SBOMs to customers and their internal use of SBOMs - Where leaders tend to go wrong. Substation shootings Market acceptance of SEL's Blueframe virtual platform Links Dave Whitehead's previous appearance on the Unsolicited Response Show Want to advertise on the Unsolicited Response Show in 2024?…

Unsolicited Response

1
Cyber Risk Quantification (CRQ) with Nicole Sundin 40:30

לפני 2 years40:30

40:30

Dale and Nicole Sundin of Axio discuss CRQ, how to deal with the precision challenge, Axio's prioritization of impact, ransomware on IT affecting operations as an example, and more. They also discuss UX and the single pane of glass. Links Axio web site

Unsolicited Response

1
Presidential Candidate Will Hurd 27:12

לפני 2 years27:12

27:12

Former Congressman and Presidential candidate Will Hurd is a rarity with a tech background in someone who was elected to the US Congress, and even rarer in someone running for President. Will graduated Texas A&M with Computer Science degree. Worked as a Senior Adviser to the cybersecurity company FusionX, which was acquired by Accenture. More recently he was on the board of OpenAI. This is probably one of the most technical interviews with a Presidential candidate you will hear. Dale asks Will: How he would rate CISA's performance (he co-sponsored the bill to create CISA)? Does the Executive Branch have the authority required to secure critical infrastructure? His views on Cyber Command / DoD policy of "defend forward"? The current level of Congress's technical literacy? What type of cybersecurity legislation, if any, Congress should pass?…

Unsolicited Response

1
ICS Security - Q3 In Review 1:03:43

לפני 2 years1:03:43

1:03:43

Patrick Miller of Ampere Industrial Security joins Dale to discuss the three big stories of the quarter and give their win, fail and prediction. Stories US National Cybersecurity Strategy Implementation Plan + CISA 2024-2026 Strategic Plan The cybersecurity / OT cybersecurity vendor market news. We just had Cisco buy Splunk, plus the Dragos "extension", and SCADAfence selling to Honeywell. Seems like some tough times. Ransomware again … Port of Nagoya, Clorox, hospitals, CISA Ransomware Vulnerability Notification Service Links S4x24 Ticket Sales Ampere Industrial Security Critical Assets Podcast…

Unsolicited Response

1
Dale Peterson On The Sunspace Alliance Webinar 1:01:15

לפני 2 years1:01:15

1:01:15

Dale Peterson was recently interviewed by Jay Johnson of Sandia and Tom Tansy of the Sunspec Alliance as part of their distributed energy resources (DER) Sunspec webinar series. We covered a lot of issues and Dale was not shy in throwing out some analysis and opinions. After 5 minutes discussing the S4x24 ticket process, the topics discussed: How DER will deal with the complex, large number of users and stakeholders PKI environment. The Sunspec device security specification and the benefits of a limited, key set of security controls. What is the role of government regulation to solve DER security issues? The potential power of the utility companies to levy requirements and be a choke point for access. The Patch Act, FDA and DER. shift left and product liability due to security flaws and more…

Unsolicited Response

1
Cyber-Physical Attacks with Marina Krotofil 57:36

לפני 2 years57:36

57:36

Marina Krotofil recently published the paper Industrial Control Systems: Engineering Foundations and Cyber-Physical Attack Lifecycle which is a detailed paper on cyber attacks that cause a physical impact on the system being monitored and controlled. It took Marina 1.5 years to write this paper, which is more accurately described as a short book. We discuss: the work she is doing to help Ukrainian critical infrastructure security during wartime what got Marina interested in cyber-physical security 10+ years ago the current understanding of cyber-physical in the OT security community Chapter 2: Engineering Foundations as a great intro for those in IT to understand basic automation principles Chapter 3: Very detailed explanation of a specific process (we don't spend much time on this) The Cyber-Physical Attack Lifecycle with emphasis on the Damage Loop. "Plant shutdown is risky for the attacker as it may instigate an investigation" Chapter 4.6 is a great conclusion…

Unsolicited Response

1
SBOMs & CycloneDX with Steve Springett 1:01:30

לפני 2 years1:01:30

1:01:30

Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs. In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX If you know the basics, skip to 14:24 where we get into the details Statistics on who is generating and using CycloneDX SBOMs, and the impact of governement regulations on the use. Steve's view of the NTIA Minimum Elements for SBOM v. CycloneDX elements. How CycloneDX tries to capture the completeness of and confidence in the SBOM. The naming problem. CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward. Vulnerabilities ... and why Steve thinks VEX is a missed opportunity. Outdated component analysis (this could be very useful in a procurement decision) and more Links CycloneDX document: Authoritative Guide To SBOM ICS-Patch (what to patch when in ICS / risk based decision tree) S4x24 CFP…

Unsolicited Response

1
The OT Cybersecurity / Climate Nexus with Andy Bochman 53:51

לפני 2 years53:51

53:51

At S4x23 Andy Bochman gave a Main Stage performance on the OT Cybersecurity / Climate Nexus. It's a new idea and Dale wanted to dig into it and understand it better. The discussion looks at where there is a nexus/connection/overlap and where there may be parallel efforts where each side might learn from the other. Links Andy Bochman S4x23 Video Slide used in this episode Earlier episode with Dale and Andy discussing CCE S4x24 Call For Presentations…

Unsolicited Response

1
Water Sector Cyber Risk with Gus Serino 50:34

לפני 2 years50:34

50:34

Gus Serino worked at a large water utility before joining Dragos in 2019. We're talking water sector so it's obligatory to start with Oldsmar (2:20), but we don't talk cyber. Instead we go through the physical portion of the water system assuming the attacker is able to issue the command to the pump to dump a lot of sodium hydroxide into the water system and what would likely happen. Importantly Gus identifies the simple, unhackable solution to this threat. A hard wired PH sensor that will shut off the pump regardless of the commands from the ICS. After Oldsmar Dale and Gus discuss: how small and medium water systems should approach cyber risk the greater challenge to large water systems the EPA's early steps on cybersecurity and future regulation - surprises in moving from a water utility to Dragos what Gus's new I&C Secure company is doing…

Unsolicited Response

1
One-Way, SAIDI & S4x24 CFP 24:33

לפני 2 years24:33

24:33

This is a solo-sode where Dale reviews two articles from July with comments on comments and additional thoughts. The final section is a must listen if you are going to submit to speak on the S4x24 Stage. The times below are so you can skip to what you are interested in. 1:29 One-Way Data Diodes and School Zones 10:15 SAIDI: What Cyber Incidents Should Be Excluded From Metrics 16:05 Do's and Don'ts For Your S4x24 CFP Submission Links Subscribe to Dale's Friday ICS Security News & Notes Info and Links for the S4x24 CFP…

Unsolicited Response

1
Interview with HD Moore 35:23

לפני 2 years35:23

35:23

HD Moore is most famous for his creation of the Metasploit penetration testing framework. It began in 2003 and hit the OT world in 2011. HD is now the Founder and CTO of RunZero, another cybersecurity startup that is starting to play in the OT Space. In this episode we spend the first third of the show talking about Metasploit ... early reaction, OT modules, is Metasploit still necessary and useful today. We then shift to creating asset inventories in IT and OT, which is what RunZero does. Why HD decided to run back into the cybersecurity startup world? How it started as a solo shop with HD writing all the code. How HD things Shodan and RunZero are different. What technique does RunZero use to 'scan'. A term that many fear in OT. Check out their approach to 'fragile devices'. The OT reaction to this type of scanning. What role uses the RunZero product? Links RunZero website S4x24 Call For Presentations…

Unsolicited Response

1
US Dept of Energy's OT Defender Fellowship Program 37:06

לפני 2 years37:06

37:06

Dale is often critical of the US Government's efforts and programs to address OT cyber risk. So it's a pleasure to highlight a program that is working. Samantha Ravich, Chair of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, joins Dale to discuss the US Department of Energy's OT Defender Fellowship Program. They begin by describing the program, its goals, what are ideal candidates for the program, and the early results from the first few cohorts. Then Timothy Pospisil of Nebraska Public Power District and part of the 2022 OT Defender Fellowship cohort joins the show to discuss his experience in the program. At the end we discuss how this could be expanded to address water, critical manufacturing and other sectors. Link OT Defender Fellowship Program…

Unsolicited Response

1
Eric Cosman On Dow, Open Automation, 62443 & More 55:26

לפני 2 years55:26

55:26

Eric Cosman had a 38 year career at Dow Chemical, was on the ISA 99 committee its inception, and then he retired. After retirement Eric joined ARC Advisory Group as a Contributing Consultant and got even more active with ISA. He is a long time co-chair of ISA99 and was President of ISA in 2020. Eric and Dale discuss: Dow's in house developed DCS and SIS: MOD Eric's top trend from 2022: The value of open automation and the Open Process Automation Forum ISA/IEC 62433 Eric's view they are "primarily engineering standards" What Eric thinks about the safety / security analogies His experience in being ISA President in the first year of COVID ISA as "the home of automation" Has ISA lost mindshare on ICS security standards to the US Government and training to SANS…

Unsolicited Response

1
ICS Security Quarter In Review Q2-2023 1:00:24

לפני 2 years1:00:24

1:00:24

Mark Hyman of Verge Management Group joins Dale to discuss the big 3 stories of Q2 along with their win, fail and predication. Big Stories The OT Security Layoffs (Mark is a recruiter specialized in ICS/OT security) Still No US National Cyber Director? The Merck NotPetya Insurance Claim Ruling Plus they both have a win, fail and prediction at the end.…

Unsolicited Response

1
Josh Corman - Healthcare Security, SBOMs & More 1:04:49

לפני 2 years1:04:49

1:04:49

Josh Corman is the VP of Cyber Safety Strategy at Claroty, was the Chief Strategist of the CISA COVID Task Force, and founder of I Am The Cavalry. Josh and I dive into Healthcare Security, SBOMs and other topics. Can OT in healthcare be treated in a similar way as the factory, power plant, water treatment plant, ... ? The first fatality due to a cyber attack on a hospital. Should we be focusing our efforts on reducing the impact if ransomware hits a healthcare facility? What is the equivalent to a steel reinforced cockpit door? The PATCH Act (included in the Omnibus bill passed in Dec 2022) requiring medical device manufactures to provide a SBOM and a patching program. What is it? What will be the impact of this? (BTW, Josh changed my mind on this as a start to a long term impact) Will the PATCH Act provisions delay approval of medical devices? How accurate and complete are vendor generated SBOMs today? How will this be solved? What will be the impact of SBOM mandates? Differing views on the importance to society of attacks and outages in the agriculture / food industry I Am The Cavalry turns 10. We will need to have Josh back for a Part 2.…

Unsolicited Response

1
OTCEP Panel - Secure PLC Coding Practices 1:24:36

לפני 2 years1:24:36

1:24:36

This episode is a replay of a lively panel from the Cyber Security Agency of Singapore's OT Cybersecurity Expert Panel (OTCEP) last year. It begins with a great introduction to the Top 20 Secure PLC Coding Practices by Sarah Fluchs. At the 35 minute mark the panel discussion begins. There was a lot more disagreement and back and forth than the typical panel. This gives you a variety of points of view and positions to consider. Paul Griswold moderated the panel of Dr. Ong Chen Hui, Joel Langill, Sarah Fluchs and Dale Peterson. Links Top 20 Secure PLC Coding Practices 2023 OTCEP Event Page , August 22 - 23 in Singapore S4x24 Call For Presentations…

Unsolicited Response

1
Metrics: How Effective Is A Security Control? 49:56

לפני 2 years49:56

49:56

How much does a security control reduce cyber risk? What control or mix of controls provides the most efficient cyber risk reduction? Tough questions that a team of researchers at INL and Sandia tried to answer in a project. Two of the researchers, Jay Johnson of Sandia and Jake Gentle of INL, join Dale on the show to talk about the metrics and results. The project was Cyber Resilience for Wind Installations, but the metrics and results are applicable to every sector. We get into the weeds on this episode and discuss: how they created the test environment the two attack scenarios (and why only two and how easy it would be to expand) the physical resilience score the cyber resilience score the results from four different mixes of security controls areas for further testing and improvement and a tiny bit about trying to calculate an Expected Benefit from Cybersecurity Investment, which is a bit like ROI and how much money to spend. Links • Video: https://www.youtube.com/watch?v=bBLbLUFKzIc • IEEE Access Journal Paper: https://ieeexplore.ieee.org/document/10043706 • POWER magazine article: https://www.powermag.com/cyber-resilience-for-wind-power-installations/ • 2-page flyer: https://www.researchgate.net/publication/367074443_Cyber_Resilience_for_Wind_Installations_A_Cyber_Resilient_Reference_Architecture • Final project report: https://www.researchgate.net/publication/368599508_Hardening_Wind_Energy_Systems_from_Cyber_Threats-Final_Project_Report…

Unsolicited Response

1
S4x23 Closing Panel 40:09

לפני 2 years40:09

40:09

Ralph Langner, Megan Samford and Zach Tudor join Dale Peterson on the S4 Main Stage to close out S4x23. This Closing Panel is always an attendee favorite as none of these four are afraid to take a strong and even unconventional stance on at OT security topic or issue.

Unsolicited Response

1
Puesh Kumar, Director of CESER at US Dept of Energy 32:37

לפני 2 years32:37

32:37

Dale Peterson interview CESER Director Puesh Kumar on the S4x23 Main Stage. We discuss a number of CESER programs how they are measuring success, what has not worked, why they are doing some things industry is already doing and more. 5:30 Where is the CESER CRISP program (detection and information sharing) today? Has it stopped or reduced the impact (outages and others) of cyber attacks on the electric sector? How will they measure the success of this program? 10:40 What has CESER tried, thought it would work, and ended up failing? 14:05 CESER's CyTRICS program is testing vendor equipment? Why, does GE and Hitachi need help? And the results have been trivial vulnerabilities that could be found in hours. Why is CESER spending millions on this? 19:25 Cyber Informed Engineering (CIE) is it the same as Secure By Design? This is a long process, what will the early wins look like? Two years from now how will we know if we are succeeding? Maintaining a manual capability dominated the examples in the document, why hasn't this been highlighted in the program? How can we accelerate this? 25:20 Clean Energy Cyber Accelerator is looking at solutions (OT detection and MFA remote access to OT) that are well established with vendor offerings and asset owner deployments. Why is CECA doing this and trying to accomplish?…

Unsolicited Response

1
Chris Blask: Cybersecurity Pioneer and Idea Man 46:39

לפני 2 years46:39

46:39

Chris Blask has a long career bringing new ideas to reality. He currently is Vice President of Strategy at Cybeats, who has a SBOM Studio product. Cybeats is different in that SBOM Studio does not create SBOMs. This requires SBOMs to be available from somewhere, and Dale & Chris spend a lot of the podcast talking about the SBOM market today and in the future. What percentage of the OT software solutions have SBOMs today? What will that number be in three years, five years, seven years? When will the top 10% asset owners be able to be get value worth the effort from SBOMs and related tools and information? What will the SBOM marketplace look like? the DBOM.io project Of course being Dale and Chris, they deviate into a lot of other topics. Such as Chris's quotes: “Security comes through transparency and automation” “2020, this is the last decade of cybersecurity” “the last decade when entirely new fields will be discovered” I think we have covered the field.…

Unsolicited Response

1
Edgard from Nozomi (Part 2) 45:51

לפני 2 years45:51

45:51

The August 2021 Unsolicited Response episode with Edgard Capdevielle, CEO of Nozomi Networks, was a fan favorite. So Dale invited Edgard back, like the first time it was a wide ranging and fun conversation. His budget analogy of OT security and a new child in the family was Dale's favorite part. They cover a lot of ground including: the OT visibility and detection market growth in the last two years whether he stands by his 2021 view that a company that does "X, Y, Z and OT security" doesn't really do OT security how much of the back end (non-sensor) part of the market is moving to the cloud now and what will it be in three years. Plus some disagreements / discussion on architecture budget muscle and momentum what sort of metrics should an asset owner use to determine the value of these OT visibility and detection solutions how is the US Government affecting the market Enjoy!…

Unsolicited Response

1
Interview with Gene Spafford 30:39

לפני 2 years30:39

30:39

Dale Peterson interviews cybersecurity legend Gene Spafford on the S4x23 Main Stage. Some of what they cover is: how to deal with securing legacy systems the incredibly productive 3 years of firsts including host IDS, network IDS, honeypot, network vulnerability scanner, and more. What led to this amazing production? The upcoming 25th year of CERIAS His new book Cybersecurity Myths and Misconceptions ... Avoiding the Hazards and Pitfalls that Derail Us and digging into some of those myths (Cyber Offense is Easier than Defense, Sharing More Threat Intel Will Make Things Better, Everyone Should Solve A Given Cybersecurity Problem In The Same Way)…

Unsolicited Response

1
ICS Security: Q1 in Review 58:48

לפני 2 years58:48

58:48

Marty Edwards joins Dale Peterson to discuss the big stories of the first quarter of 2023. The US National Cybersecurity Strategy ISA / ISASecure starting an OT Site Assessment Certification Ransomware Affecting Operations (indirectly) Marty and Dale then give their win and fail for Q1 and a prediction.…

Unsolicited Response

1
The OT SBOM Market 50:05

לפני 2 years50:05

50:05

Dale Peterson talks with Matt Wyckhouse, Founder and CEO, of Finite State about where the SBOM products and market is today and where it will go in the future. This discussion was informed by the SBOM Challenge at S4x23. Who is the primary buyer of SBOM products and services today? (Hint: Matt thinks that 80% of the code in a product is third party) How accurate are the products, and the Finite State product in particular, in creating a SBOM? How much is the value of a SBOM degraded if it is not perfect? If it is missing software or has inaccuracies? Are the offerings now a product? A semi-custom service that uses a developed product? (with an apt comparison to the detection market) What will the US Government do with all these SBOMs if they actually get them? If they get an exponential increase in software inventory and the patching and cyber maintenance burden. Will there be a separate/distinct OT SBOM market? Will there be a SBOM market in the long run or will it get subsumed in some sort of asset management market? Early thoughts on the SBOM marketplace (a place to collect and distribute and respond to queries on SBOMs) Where is the industry / products now on VEX? Do configuration files belong in a SBOM? Surprise data points from the SBOM Challenge…

Unsolicited Response

1
Puesh Kumar - Director of Dept of Energy's CESER 32:48

לפני 2 years32:48

32:48

Dale Peterson interviewed Puesh Kumar on the S4x23 Main Stage. Puesh is the Director of the US Dept of Energy's Cybersecurity, Energy Security, & Emergency Response (CESER). The lead US Government OT cybersecurity agency in the energy sector. After Puesh gives a 3 minute overview on CESER, they dig into it. How are they measuring CRISP's detection and analysis progress? Has it stopped or limited the impact of any attacks? What is one of the CESER programs that didn't work and what did they learn from it? Why is the US Government testing products for GE, Hitachi and other large companies and questioning the results. The push for Cyber Informed Engineering and what success looks like Competing with industy and more ... CESER is tackling a lot so there was much to squeeze into 30 minutes…

ברוכים הבאים אל Player FM!

Player FM סורק את האינטרנט עבור פודקאסטים באיכות גבוהה בשבילכם כדי שתהנו מהם כרגע. זה יישום הפודקאסט הטוב ביותר והוא עובד על אנדרואיד, iPhone ואינטרנט. הירשמו לסנכרון מנויים במכשירים שונים.