Industrial Control Systems (ICS)

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

Meltdown and Spectre Overview On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The vulnerabilities reported in January take advantage of speculative execution and trick the processor to leak data returned from other applications under certain circumstances. The [...]

Check Yourself Before You Assess Yourself

7 Questions to Achieve Awareness of the Security Posture of Your Environment After working as a consultant for several years, I sometimes think back to my days as a SCADA security analyst for an oil and gas company.  If I knew then what I know now, how would I have done things differently? If I were responsible for keeping an oil and gas company’s assets, processes, and people safe from cyber threats, how would I go about doing that? Where [...]

Data Security, APT Activity, and Inherited Risk for ICS

In traditional IT security, there is heavy focus on data — data security, data breaches, data loss. It has often been said “it’s all about the data.” This generally isn’t the case for Industrial Control Systems (ICS). There are a few exceptions, but you will often hear discussion about the C-I-A triad for ICS where ‘C” (confidentiality) takes a lower priority position behind Availability and Integrity. I’d like to challenge this notion, not from the angle of data within [...]

Three Reasons to Add a Discovery Phase to Your Next OT Security Assessment

Many of us have accepted that having a 100% accurate inventory of “all the things” (networks, assets, data flows, etc.) is a pipe dream. To put it in NIST CSF terms, if you wait until you master the IDENTIFY function before you do anything in the remaining functions (PROTECT, DETECT, RESPOND, RECOVER), you will likely fail at securing even the most basic environments. So, the condition that Jeremiah Grossman describes in the Tweet below is the reality that we [...]

ICS Cybersecurity: 3 Reasons Why Periodic Technical Assessment (Still) Matters

“Our SCADA communications use AES256 and are 100% secure so we don’t worry too much about security.” That’s a real quote from a real Industrial Control System (ICS) manager from this decade. A technical assessment of that system proved otherwise—there were in fact real cybersecurity vulnerabilities that required immediate and long-term remediation. With all the headlines and activity around cybersecurity for ICS, owners and operators of this technology are challenged to determine what they should be doing to manage their [...]