Unsolicited Response

State Of NERC CIP, European Update and OT Security Community

Patrick Miller has OT cybersecurity experience as an asset owner, PacificCorp. As a regulator and one of the first NERC CIP auditors with WECC. As a community organizer creating and leading EnergySec and the BeerISAC. And as an entrepreneur creating and leading a number of consulting practices. He is currently the Founder of Ampyx Cyber.   In this episode Patrick and Dale discuss: Why Patrick changed the company name and selected Talinn as the location for the new European office. The ...

Book Interview: Introduction To SBOM And VEX

S4x24 Closing Panel

Q1: ICS Security In Review

Emma Stewart joins Dale to discuss the 3 big OT & ICS security stories from the first quarter. They end by giving their win, fail and prediction for Q1.

S4x24 Preview

Predictions Analyzed

In this solosode episode Dale reviews the status of his three predictions from the Q1, 2 and 3 quarter in review episodes and answers a listener question.

Q4 ICS Security Quarter In Review

CISA Attack Surface Scanning Service

Dale is joined by Steve Pozza, CISA Section Chief of Operational Resilience, and Tom Millar, CISA Branch Chief of Resilience, to discuss some of CISA's security services for asset owners. They discuss: The Internet accessible attack surface enumeration and vulnerability scanning surface. Asset owners can buy products or services to do this. Why is the government doing this? What CISA is doing with this attack surface data? How is CISA measuring the success of this service offering? ...

Engineering-Grade OT Security with Andrew Ginter

Andrew Ginter published his third book this year: Engineering-Grade OT Security. Dale interviews Andrew on the book including: Who was the target reader that Andrew wrote the book for? Do (should) professional engineers lose their licenses for poor and dangerous cybersecurity design and deployments? The use of the term engineering grade, and how he defines it. Unhackable protection and safety controls as a major part of engineering grade. Unidirectional (one-way) network devices as...

Asset Inventory, Lawyers, and AI

This week is a Dale Peterson solosode. Updates and Announcements Dale provides updates about S4x24 ticket sales and announces the Women In ICS Security program and sponsor package. Main Topics Asset Inventory in Cybersecurity: Dale challenges the common security mantra "You can't protect what you don't know," using examples from both physical and cyber domains. He notes many of the comments on this week's article missed the main point, and he gives hints on the next two asset inventor...

Is The Purdue Model Dead (E)

Kelly Shortridge - Security Chaos Engineering in ICS

Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems. Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in...

IACS System Testing and Assessment Rating (STAR) Methodology with Don Weber

Don Weber joins Dale Peterson to describe his IACS STAR Methodology to score the risk of a vulnerability to an ICS (or IACS in 62443-speak). It is a modification of the OWASP Risk Rating Methodology. Don has modified some of the 16-factors to create IACS STAR. The methodology and code is available on GitHub and a calculator is available on line. Don and Dale discuss: What Don likes about the OWASP Risk Rating Potential issues with putting numbers to SME judgment Differences between IA...

Dave Whitehead On SBOMs, Manufacturing in the US, and more

Dave Whitehead, CEO of SEL, joins Dale on the show to talk about: The new SEL printed circuit board (PCB) factory in Idaho. Why they bucked the trend and did this. The benefits, the ROI, and more. SEL's position on providing SBOMs to customers and their internal use of SBOMs - Where leaders tend to go wrong. Substation shootings Market acceptance of SEL's Blueframe virtual platform Links Dave Whitehead's previous appearance on the Unsolicited Response Show Want to advertise on th...

Cyber Risk Quantification (CRQ) with Nicole Sundin

Dale and Nicole Sundin of Axio discuss CRQ, how to deal with the precision challenge, Axio's prioritization of impact, ransomware on IT affecting operations as an example, and more. They also discuss UX and the single pane of glass. Links Axio web site

Presidential Candidate Will Hurd

Former Congressman and Presidential candidate Will Hurd is a rarity with a tech background in someone who was elected to the US Congress, and even rarer in someone running for President. Will graduated Texas A&M with Computer Science degree. Worked as a Senior Adviser to the cybersecurity company FusionX, which was acquired by Accenture. More recently he was on the board of OpenAI. This is probably one of the most technical interviews with a Presidential candidate you will hear. Dale asks ...

ICS Security - Q3 In Review

Patrick Miller of Ampere Industrial Security joins Dale to discuss the three big stories of the quarter and give their win, fail and prediction. Stories US National Cybersecurity Strategy Implementation Plan + CISA 2024-2026 Strategic Plan The cybersecurity / OT cybersecurity vendor market news. We just had Cisco buy Splunk, plus the Dragos "extension", and SCADAfence selling to Honeywell. Seems like some tough times. Ransomware again … Port of Nagoya, Clorox, hospitals, CISA Ransomware...

Dale Peterson On The Sunspace Alliance Webinar

Dale Peterson was recently interviewed by Jay Johnson of Sandia and Tom Tansy of the Sunspec Alliance as part of their distributed energy resources (DER) Sunspec webinar series. We covered a lot of issues and Dale was not shy in throwing out some analysis and opinions. After 5 minutes discussing the S4x24 ticket process, the topics discussed:   How DER will deal with the complex, large number of users and stakeholders PKI environment. The Sunspec device security specification and the ben...

Cyber-Physical Attacks with Marina Krotofil

Marina Krotofil recently published the paper Industrial Control Systems: Engineering Foundations and Cyber-Physical Attack Lifecycle which is a detailed paper on cyber attacks that cause a physical impact on the system being monitored and controlled. It took Marina 1.5 years to write this paper, which is more accurately described as a short book. We discuss: the work she is doing to help Ukrainian critical infrastructure security during wartime what got Marina interested in cyber-physical...

SBOMs & CycloneDX with Steve Springett

Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs. In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX If you know the basics, skip to 14:24 where we get into the details Statistics on who is generating and u...

The OT Cybersecurity / Climate Nexus with Andy Bochman

At S4x23 Andy Bochman gave a Main Stage performance on the OT Cybersecurity / Climate Nexus. It's a new idea and Dale wanted to dig into it and understand it better. The discussion looks at where there is a nexus/connection/overlap and where there may be parallel efforts where each side might learn from the other. Links Andy Bochman S4x23 Video Slide used in this episode Earlier episode with Dale and Andy discussing CCE S4x24 Call For Presentations

Water Sector Cyber Risk with Gus Serino

Gus Serino worked at a large water utility before joining Dragos in 2019. We're talking water sector so it's obligatory to start with Oldsmar (2:20), but we don't talk cyber. Instead we go through the physical portion of the water system assuming the attacker is able to issue the command to the pump to dump a lot of sodium hydroxide into the water system and what would likely happen. Importantly Gus identifies the simple, unhackable solution to this threat. A hard wired PH sensor that will s...

One-Way, SAIDI & S4x24 CFP

This is a solo-sode where Dale reviews two articles from July with comments on comments and additional thoughts. The final section is a must listen if you are going to submit to speak on the S4x24 Stage. The times below are so you can skip to what you are interested in. 1:29 One-Way Data Diodes and School Zones 10:15 SAIDI: What Cyber Incidents Should Be Excluded From Metrics 16:05 Do's and Don'ts For Your S4x24 CFP Submission Links Subscribe to Dale's Friday ICS Security News & No...

Interview with HD Moore

HD Moore is most famous for his creation of the Metasploit penetration testing framework. It began in 2003 and hit the OT world in 2011. HD is now the Founder and CTO of RunZero, another cybersecurity startup that is starting to play in the OT Space.   In this episode we spend the first third of the show talking about Metasploit ... early reaction, OT modules, is Metasploit still necessary and useful today.   We then shift to creating asset inventories in IT and OT, which is what Run...

US Dept of Energy's OT Defender Fellowship Program

Dale is often critical of the US Government's efforts and programs to address OT cyber risk. So it's a pleasure to highlight a program that is working. Samantha Ravich, Chair of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, joins Dale to discuss the US Department of Energy's OT Defender Fellowship Program. They begin by describing the program, its goals, what are ideal candidates for the program, and the early results from the first few c...

Eric Cosman On Dow, Open Automation, 62443 & More

Eric Cosman had a 38 year career at Dow Chemical, was on the ISA 99 committee its inception, and then he retired. After retirement Eric joined ARC Advisory Group as a Contributing Consultant and got even more active with ISA. He is a long time co-chair of ISA99 and was President of ISA in 2020. Eric and Dale discuss: Dow's in house developed DCS and SIS: MOD Eric's top trend from 2022: The value of open automation and the Open Process Automation Forum ISA/IEC 62433 Eric's view they are "...

ICS Security Quarter In Review Q2-2023

Mark Hyman of Verge Management Group joins Dale to discuss the big 3 stories of Q2 along with their win, fail and predication. Big Stories The OT Security Layoffs (Mark is a recruiter specialized in ICS/OT security) Still No US National Cyber Director? The Merck NotPetya Insurance Claim Ruling Plus they both have a win, fail and prediction at the end.

Josh Corman - Healthcare Security, SBOMs & More

Josh Corman is the VP of Cyber Safety Strategy at Claroty, was the Chief Strategist of the CISA COVID Task Force, and founder of I Am The Cavalry. Josh and I dive into Healthcare Security, SBOMs and other topics.  Can OT in healthcare be treated in a similar way as the factory, power plant, water treatment plant, ... ?  The first fatality due to a cyber attack on a hospital. Should we be focusing our efforts on reducing the impact if ransomware hits a healthcare facility? What is the eq...

OTCEP Panel - Secure PLC Coding Practices

This episode is a replay of a lively panel from the Cyber Security Agency of Singapore's OT Cybersecurity Expert Panel (OTCEP) last year. It begins with a great introduction to the Top 20 Secure PLC Coding Practices by Sarah Fluchs. At the 35 minute mark the panel discussion begins. There was a lot more disagreement and back and forth than the typical panel. This gives you a variety of points of view and positions to consider. Paul Griswold moderated the panel of Dr. Ong Chen Hui, Joel Lan...

Metrics: How Effective Is A Security Control?

How much does a security control reduce cyber risk? What control or mix of controls provides the most efficient cyber risk reduction? Tough questions that a team of researchers at INL and Sandia tried to answer in a project. Two of the researchers, Jay Johnson of Sandia and Jake Gentle of INL, join Dale on the show to talk about the metrics and results. The project was Cyber Resilience for Wind Installations, but the metrics and results are applicable to every sector. We get into the weeds...

S4x23 Closing Panel

Ralph Langner, Megan Samford and Zach Tudor join Dale Peterson on the S4 Main Stage to close out S4x23. This Closing Panel is always an attendee favorite as none of these four are afraid to take a strong and even unconventional stance on at OT security topic or issue.

Puesh Kumar, Director of CESER at US Dept of Energy

Dale Peterson interview CESER Director Puesh Kumar on the S4x23 Main Stage. We discuss a number of CESER programs how they are measuring success, what has not worked, why they are doing some things industry is already doing and more. 5:30 Where is the CESER CRISP program (detection and information sharing) today? Has it stopped or reduced the impact (outages and others) of cyber attacks on the electric sector? How will they measure the success of this program? 10:40 What has CESER tried,...

Chris Blask: Cybersecurity Pioneer and Idea Man

Chris Blask has a long career bringing new ideas to reality. He currently is Vice President of Strategy at Cybeats, who has a SBOM Studio product. Cybeats is different in that SBOM Studio does not create SBOMs. This requires SBOMs to be available from somewhere, and Dale & Chris spend a lot of the podcast talking about the SBOM market today and in the future. What percentage of the OT software solutions have SBOMs today? What will that number be in three years, five years, seven years? ...

Edgard from Nozomi (Part 2)

The August 2021 Unsolicited Response episode with Edgard Capdevielle, CEO of Nozomi Networks, was a fan favorite. So Dale invited Edgard back, like the first time it was a wide ranging and fun conversation. His budget analogy of OT security and a new child in the family was Dale's favorite part. They cover a lot of ground including: the OT visibility and detection market growth in the last two years whether he stands by his 2021 view that a company that does "X, Y, Z and OT security" do...

Interview with Gene Spafford

Dale Peterson interviews cybersecurity legend Gene Spafford on the S4x23 Main Stage. Some of what they cover is: how to deal with securing legacy systems the incredibly productive 3 years of firsts including host IDS, network IDS, honeypot, network vulnerability scanner, and more. What led to this amazing production? The upcoming 25th year of CERIAS His new book Cybersecurity Myths and Misconceptions ... Avoiding the Hazards and Pitfalls that Derail Us and digging into some of those m...

ICS Security: Q1 in Review

Marty Edwards joins Dale Peterson to discuss the big stories of the first quarter of 2023. The US National Cybersecurity Strategy ISA / ISASecure starting an OT Site Assessment Certification Ransomware Affecting Operations (indirectly) Marty and Dale then give their win and fail for Q1 and a prediction.

The OT SBOM Market

Dale Peterson talks with Matt Wyckhouse, Founder and CEO, of Finite State about where the SBOM products and market is today and where it will go in the future. This discussion was informed by the SBOM Challenge at S4x23. Who is the primary buyer of SBOM products and services today? (Hint: Matt thinks that 80% of the code in a product is third party) How accurate are the products, and the Finite State product in particular, in creating a SBOM? How much is the value of a SBOM degraded if ...

Puesh Kumar - Director of Dept of Energy's CESER

Dale Peterson interviewed Puesh Kumar on the S4x23 Main Stage. Puesh is the Director of the US Dept of Energy's Cybersecurity, Energy Security, & Emergency Response (CESER). The lead US Government OT cybersecurity agency in the energy sector. After Puesh gives a 3 minute overview on CESER, they dig into it. How are they measuring CRISP's detection and analysis progress? Has it stopped or limited the impact of any attacks? What is one of the CESER programs that didn't work and what did t...

Book Interview: Industrial Cybersecurity with Steve Mustard

Steve Mustard took his 30 years of experience and wrote Industrial Cybersecurity: Case Studies and Best Practices, published by ISA. After talking about who the book is for and the writing process, Dale and Steve dig into the details.  Given Steve's longtime involvement and leadership with ISA, it's not surprising the book leans heavily on ISA/IEC 62443. They talk chapters on architecture, certification, optimism / pessimism, risk management and a fundamental misunderstanding of IT by OT....

Cyber Persistence Theory

Dale's interview with Michael Fischerkeller, co-author of the bood Cyber Persistence Theory. The first half of the interview digs into Cyber Persistence Theory. Why Michael believes cyber is a new and third strategic environment (in addition to conventional and nuclear) What is meant by cyber being an environment of exploitation and not coercion The theory's different use of initiative and why the theory believes it is the important element to winning ("initiative rather than restraint ...

OT Managed Security Services - 1898 & Co.

Matt Morris and Mark Mattei of 1898 & Co. joined Dale to talk OT Managed Security Services as 1898 recently introduced an OT Managed Threat Protection and Response service. The discussion included: what they are monitoring in the OT environment the OT MSP competitive landscape (OT detection vendors, ICS vendors, large consulting vendors, ...) can you / should you monitor OT separate from IT how 1898 deals with competing partners (such as Claroty, Dragos and Nozomi) that they resell an...

Interview with Bill Fehrman of Berkshire Hathaway Energy

Bill Fehrman is the CEO of Berkshire Hathaway Energy, co-chair of the Electricity Subsector Coordinating Council, and chair of the E-ISAC. The major topics Dale and Bill discuss include: The US Government / Electric Sector information sharing program around detection information and threat intel. Have they stopped or reduced the impact of attacks? What are the metrics they are using to determine if these resources are worth it? How is the industry and BHE positioned to recovery from a ma...

ICS Village Talks About ICS CTF At S4x23

Tom VanNorman and Don Weber join Dale to describe the ICS Capture The Flag competition they will be running at S4x23, Feb 13 - 16 in Miami South Beach. S4x23 web site  

Women In ICS Security

Donna Cusimano, Kim Legelis, and Saltanat Mashirov join Dale Peterson to talk about the Women In ICS Security Program at S4x23, Feb 13-16 in Miami South Beach. (see s4xevents.com/women). These are three of a team of volunteers that have put together important career, education, and networking opportunities for the 100 free Women in ICS Security ticket holders and another ~150 women who will attend on a paid ticket. Really impressed and looking forward to seeing what this will accomplish.

Ralph Langner on OT Asset Management

Ralph Langner joins Dale on the Unsolicited Response Show to discuss Asset Management. They begin with the need for more exploration in OT, and more failures. After that they tackle: - Why Ralph decided to shift his company and focus from consulting / speaking to product - Is his OT Base, and asset management, a security product? - What are the elements of asset management? Do they all belong in one product? - OT, asset management and other, with ServiceNow and other enterprise solut...

Dino on the DCOM Patch

Dino Busalachi of Velta Technology talks to Dale about a 2021 security patch to DCOM that broke a number of ICS systems including Rockwell Automation and Siemens. Microsoft had a registry setting that disabled the patch and the incompatibility problem, but this ability to disable the patch goes away on 14 March 2023. Of course this topic leads us down the patching in ICS rabbit hole, hopefully with some informed and helpful information. 

Moody's: Cyber Risk and Credit Ratings

On the latest #unsolicitedresponse show I talk with Jim Hempstead, Managing Director of Moody's Global Project & Infrastructure Finance Group with Moody's Investors Service, about OT Cyber Risk and how this impacts Credit Ratings.  - What Moody's does and what became of the cyber risk effort at Moody's owned Visible Risk - Moody's analysis of cyber insurance market including some cyber loss ratio numbers - Why Moody's believes USG disclosure and regulations are "Credit Positive" - Wh...

Sept 2022 - ICS Security Month In Review

Dale Peterson gives his thoughts on the top 3 ICS security stories in Sept 2022, and he gives his wins, fails, and predictions for the month.

The Water Sector (Uniqueness, Cloud, Oldsmar, NERC CIP)

On this episode of the Unsolicited Response show, Dale Peterson is joined by Kevin Morley of the American Water Works Association and Joel Cox of West Yost Associates to talk about ICS security and the Water Sector. - what makes the water sector unique? - does this uniqueness lead to early and better use of the cloud for operations? - how did the community deal with Oldsmar? - why in the world would the water sector want to follow the NERC CIP model?

SBOM ... Challenge & Thoughts

Dale Peterson shares his thoughts on SBOMS in OT in three main areas: 1) The S4 SBOM Challenge ... it's three goals and what we hope to learn from it. 2) Near term, now and for the next 2 years, wins for asset owners and SBOMs. 3) What will determine the winners in the SBOM marketplace, early analysis.  Links: S4x23 Tickets S4x23 Hotel Info SBOM Challenge Dale's SBOM Content Page