Unsolicited Response Podcast

Waterfall Security Solutions and ICSSTRIVE put out an annual threat report that Dale Peterson believes is the best in OT. Why? It only includes incidents that had physical consequences on systems monitored and controlled by OT.  Dale and Andrew discuss: What is in and out of scope for the report. The breakdown of the 68 incidents that occurred in 2023 by industry sector, cause, threat actor and more. The impact reporting requirements may have on these numbers in the future. What percentage of OT cyber incidents with physical consequences are made public. Ransomware on IT causing physical consequences, exfil v. encryption, and what asset owners should do given this represents 80% of the known incidents in the report. And more. Links: 2024 Threat Report: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/2024-threat-report-ot-cyberattacks-with-physical-consequences/  ICSSTRIVE: https://icsstrive.com S4 Events YouTube Channel: https://youtube.com/s4events

Patrick Miller has OT cybersecurity experience as an asset owner, PacificCorp. As a regulator and one of the first NERC CIP auditors with WECC. As a community organizer creating and leading EnergySec and the BeerISAC. And as an entrepreneur creating and leading a number of consulting practices. He is currently the Founder of Ampyx Cyber.   In this episode Patrick and Dale discuss: Why Patrick changed the company name and selected Talinn as the location for the new European office. The major differences in approaches to OT cybersecurity and risk management between Europe and the US. (more than just regulatory differences) What has the EU learned or improved on regulation from NERC CIP. What is the current state of NERC CIP regulatory risk? Are the regulated entities understanding and meeting the standards’ requirements? The challenge of slow NERC CIP modifications, eg virtualization and cloud. Bad standard & good regulator v. good standard & bad regulator. Should water follow the NERC CIP

Emma Stewart joins Dale to discuss the 3 big OT & ICS security stories from the first quarter. They end by giving their win, fail and prediction for Q1.

In this solosode episode Dale reviews the status of his three predictions from the Q1, 2 and 3 quarter in review episodes and answers a listener question.

Dale is joined by Steve Pozza, CISA Section Chief of Operational Resilience, and Tom Millar, CISA Branch Chief of Resilience, to discuss some of CISA's security services for asset owners. They discuss: The Internet accessible attack surface enumeration and vulnerability scanning surface. Asset owners can buy products or services to do this. Why is the government doing this? What CISA is doing with this attack surface data? How is CISA measuring the success of this service offering? Other broadly available services and tools, the cybersecurity performance goals (CPG assessment) ~500 done in 2023 (and their thinking about self-assessments), Malcom traffic analysis tool, and a couple of other tools. Links CISA Vulnerability Scanning Services Malcolm Tool

Andrew Ginter published his third book this year: Engineering-Grade OT Security. Dale interviews Andrew on the book including: Who was the target reader that Andrew wrote the book for? Do (should) professional engineers lose their licenses for poor and dangerous cybersecurity design and deployments? The use of the term engineering grade, and how he defines it. Unhackable protection and safety controls as a major part of engineering grade. Unidirectional (one-way) network devices as the only security control listed as engineering grade. Is one-way from the enterprise network to the OT network engineering grade? Given the ICSSTRIVE/Waterfall report that 75% of all cyber incidents affecting operations are due to ransomware on IT, should asset owners prioritize address this issue or engineering grade security first? What is keeping Andrew working rather than retiring  Links Complete this form to get a free copy of the book

This week is a Dale Peterson solosode. Updates and Announcements Dale provides updates about S4x24 ticket sales and announces the Women In ICS Security program and sponsor package. Main Topics Asset Inventory in Cybersecurity: Dale challenges the common security mantra "You can't protect what you don't know," using examples from both physical and cyber domains. He notes many of the comments on this week's article missed the main point, and he gives hints on the next two asset inventory articles. Legal and Regulatory Issues in Cybersecurity: Dale emphasizes the importance of domain expertise whether it be cybersecurity or the legal profession. He previews upcoming keynote interviews with legal experts and advises cybersecurity professionals against making legal analyses without proper expertise. Artificial Intelligence in Cybersecurity: Dale reveals that most AI submissions for S4 were broad and hand wavy. This isn't wrong, but most have heard this info by now. He then discusses the need for focusing on spec

Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in Nonproduction environments" The experiment / scientific method approach and how it can start small The Danger Zone: tight coupling and complex interactions How should ICS use Chaos Engineering

Don Weber joins Dale Peterson to describe his IACS STAR Methodology to score the risk of a vulnerability to an ICS (or IACS in 62443-speak). It is a modification of the OWASP Risk Rating Methodology. Don has modified some of the 16-factors to create IACS STAR. The methodology and code is available on GitHub and a calculator is available on line. Don and Dale discuss: What Don likes about the OWASP Risk Rating Potential issues with putting numbers to SME judgment Differences between IACS STAR and the OWASP Risk Rating The weighting of the 16 factors The future of IACS STAR Links Slides Discussed In The Show: https://dale-peterson.com/wp-content/uploads/2023/10/IACS-STAR.pdf IACS STAR GitHub Repo: https://github.com/cutaway-security/IACS_STAR_Methodology IACS STAR Calculator: https://iacs-star-calculator.com/iacs_star_calculator.html Cutaway Security Website: https://www.cutawaysecurity.com ICS-Patch Decision Tree: https://dale-peterson.com/wp-content/uploads/2020/10/ICS-Patch-0_1.pdf  

Dave Whitehead, CEO of SEL, joins Dale on the show to talk about: The new SEL printed circuit board (PCB) factory in Idaho. Why they bucked the trend and did this. The benefits, the ROI, and more. SEL's position on providing SBOMs to customers and their internal use of SBOMs - Where leaders tend to go wrong. Substation shootings Market acceptance of SEL's Blueframe virtual platform Links Dave Whitehead's previous appearance on the Unsolicited Response Show Want to advertise on the Unsolicited Response Show in 2024?

Dale and Nicole Sundin of Axio discuss CRQ, how to deal with the precision challenge, Axio's prioritization of impact, ransomware on IT affecting operations as an example, and more. They also discuss UX and the single pane of glass. Links Axio web site

Former Congressman and Presidential candidate Will Hurd is a rarity with a tech background in someone who was elected to the US Congress, and even rarer in someone running for President. Will graduated Texas A&M with Computer Science degree. Worked as a Senior Adviser to the cybersecurity company FusionX, which was acquired by Accenture. More recently he was on the board of OpenAI. This is probably one of the most technical interviews with a Presidential candidate you will hear. Dale asks Will: How he would rate CISA's performance (he co-sponsored the bill to create CISA)? Does the Executive Branch have the authority required to secure critical infrastructure? His views on Cyber Command / DoD policy of "defend forward"? The current level of Congress's technical literacy? What type of cybersecurity legislation, if any, Congress should pass?

Patrick Miller of Ampere Industrial Security joins Dale to discuss the three big stories of the quarter and give their win, fail and prediction. Stories US National Cybersecurity Strategy Implementation Plan + CISA 2024-2026 Strategic Plan The cybersecurity / OT cybersecurity vendor market news. We just had Cisco buy Splunk, plus the Dragos "extension", and SCADAfence selling to Honeywell. Seems like some tough times. Ransomware again … Port of Nagoya, Clorox, hospitals, CISA Ransomware Vulnerability Notification Service Links S4x24 Ticket Sales Ampere Industrial Security Critical Assets Podcast  

Dale Peterson was recently interviewed by Jay Johnson of Sandia and Tom Tansy of the Sunspec Alliance as part of their distributed energy resources (DER) Sunspec webinar series. We covered a lot of issues and Dale was not shy in throwing out some analysis and opinions. After 5 minutes discussing the S4x24 ticket process, the topics discussed:   How DER will deal with the complex, large number of users and stakeholders PKI environment. The Sunspec device security specification and the benefits of a limited, key set of security controls. What is the role of government regulation to solve DER security issues? The potential power of the utility companies to levy requirements and be a choke point for access. The Patch Act, FDA and DER. shift left and product liability due to security flaws and more

Marina Krotofil recently published the paper Industrial Control Systems: Engineering Foundations and Cyber-Physical Attack Lifecycle which is a detailed paper on cyber attacks that cause a physical impact on the system being monitored and controlled. It took Marina 1.5 years to write this paper, which is more accurately described as a short book. We discuss: the work she is doing to help Ukrainian critical infrastructure security during wartime what got Marina interested in cyber-physical security 10+ years ago the current understanding of cyber-physical in the OT security community Chapter 2: Engineering Foundations as a great intro for those in IT to understand basic automation principles Chapter 3: Very detailed explanation of a specific process (we don't spend much time on this) The Cyber-Physical Attack Lifecycle with emphasis on the Damage Loop. "Plant shutdown is risky for the attacker as it may instigate an investigation" Chapter 4.6 is a great conclusion