Unsolicited Response

Unsolicited Response with Maggie Morganti

Dale Peterson discusses with Maggie how she got into OT security, her recent move to the Financial Sector, women in ICS security, and more.

S4x25 Feedback & Review

If you're not interested in S4, skip this episode. Dale goes over the feedback from the survey and S4 Event's own thoughts on the event, Tampa, and more.

Joel Langill On His New OT Security Training Class And More

Dale Peterson speaks with Joel Langill, the SCADAHacker, about his new training course entitled Conducting Threat, Vulnerability, and Risk Assessments For ICS. A two day version of this course will be offered prior to S4x25 . Of course Dale and Joel jump around a bit on training, the workforce and other items. Take a listen.

S4x24 Main Stage Interview With Stewart Baker

Stewart Baker is one of the preeminent lawyers on topics of cyber law with an impressive career in and out of government. Stewart also hosts the Cyberlaw podcast. The Biden administration is contending that vendors should be held liable for security deficiencies in their products. Assuming this is turned into law and/or executive orders, what does it mean? What can we learn from other liability law to inform us what would be required for a vendor to be held liable for a security issue? How would...

S4x24 Main Stage Interview With Rob Lee

Dale Peterson interviews Rob Lee on the S4 Main Stage. They cover a lot of ground and Rob is never shy about sharing his opinions and analysis. They discuss: Rob’s first S4 PIPEDREAM deployed v. employed distinction … and why 2 years later is it still the most dangerous ICS malware? Are we really more homogenous? What makes a group something that Rob/Dragos tracks as an ICS focused attacker? If the answer to intel is do the basics, do I need intel? What ICS specific data was VOLTZITE exfiltratin...

Chris Hughes, Author of Effective Vulnerability Management

Chris Hughes and Nikki Robinson recently wrote the book Effective Vulnerability Management. Dale and Chris discuss the topic and book including: The definition and scope of vulnerabilities. It’s much more than coding errors that need patches. Are ICS protocols lacking authentication “vulnerabilities” The reality that most organizations have 100’s of thousands of unpatched vulnerabilities. Some statistics and will this change. Ways to prioritize what vulnerabilities you address. The SSVC decision...

2024 Threat Report – OT Cyber Attacks with Physical Consequences

Waterfall Security Solutions and ICSSTRIVE put out an annual threat report that Dale Peterson believes is the best in OT. Why? It only includes incidents that had physical consequences on systems monitored and controlled by OT. Dale and Andrew discuss: What is in and out of scope for the report. The breakdown of the 68 incidents that occurred in 2023 by industry sector, cause, threat actor and more. The impact reporting requirements may have on these numbers in the future. What percentage of OT ...

State Of NERC CIP, European Update and OT Security Community

Patrick Miller has OT cybersecurity experience as an asset owner, PacificCorp. As a regulator and one of the first NERC CIP auditors with WECC. As a community organizer creating and leading EnergySec and the BeerISAC. And as an entrepreneur creating and leading a number of consulting practices. He is currently the Founder of Ampyx Cyber. In this episode Patrick and Dale discuss: Why Patrick changed the company name and selected Talinn as the location for the new European office. The major differ...

Book Interview: Introduction To SBOM And VEX

S4x24 Closing Panel

Q1: ICS Security In Review

Emma Stewart joins Dale to discuss the 3 big OT & ICS security stories from the first quarter. They end by giving their win, fail and prediction for Q1.

S4x24 Preview

Predictions Analyzed

In this solosode episode Dale reviews the status of his three predictions from the Q1, 2 and 3 quarter in review episodes and answers a listener question.

Q4 ICS Security Quarter In Review

CISA Attack Surface Scanning Service

Dale is joined by Steve Pozza, CISA Section Chief of Operational Resilience, and Tom Millar, CISA Branch Chief of Resilience, to discuss some of CISA's security services for asset owners. They discuss: The Internet accessible attack surface enumeration and vulnerability scanning surface. Asset owners can buy products or services to do this. Why is the government doing this? What CISA is doing with this attack surface data? How is CISA measuring the success of this service offering? Other broadly...

Engineering-Grade OT Security with Andrew Ginter

Andrew Ginter published his third book this year: Engineering-Grade OT Security . Dale interviews Andrew on the book including: Who was the target reader that Andrew wrote the book for? Do (should) professional engineers lose their licenses for poor and dangerous cybersecurity design and deployments? The use of the term engineering grade, and how he defines it. Unhackable protection and safety controls as a major part of engineering grade. Unidirectional (one-way) network devices as the only sec...

Asset Inventory, Lawyers, and AI

This week is a Dale Peterson solosode. Updates and Announcements Dale provides updates about S4x24 ticket sales and announces the Women In ICS Security program and sponsor package. Main Topics Asset Inventory in Cybersecurity: Dale challenges the common security mantra "You can't protect what you don't know," using examples from both physical and cyber domains. He notes many of the comments on this week's article missed the main point, and he gives hints on the next two asset inventory articles....

Is The Purdue Model Dead (E)

Kelly Shortridge - Security Chaos Engineering in ICS

Kelly joins Dale to discuss her new book Security Chaos Engineering: Sustaining Resilience in Software and Systems . Kelly points out the second part of the title is the most descriptive, and she is not a big fan of the Chaos term that has taken hold. They discuss: A quick description of Security Chaos Engineering Is there similarity or overlap with the CCE or CIE approach? The value of decision trees Her view of checklists of security controls like CISA's CPG Lesson 1 - "Start in Nonproduction ...

IACS System Testing and Assessment Rating (STAR) Methodology with Don Weber

Don Weber joins Dale Peterson to describe his IACS STAR Methodology to score the risk of a vulnerability to an ICS (or IACS in 62443-speak). It is a modification of the OWASP Risk Rating Methodology. Don has modified some of the 16-factors to create IACS STAR. The methodology and code is available on GitHub and a calculator is available on line. Don and Dale discuss: What Don likes about the OWASP Risk Rating Potential issues with putting numbers to SME judgment Differences between IACS STAR and...

Dave Whitehead On SBOMs, Manufacturing in the US, and more

Dave Whitehead, CEO of SEL, joins Dale on the show to talk about: The new SEL printed circuit board (PCB) factory in Idaho. Why they bucked the trend and did this. The benefits, the ROI, and more. SEL's position on providing SBOMs to customers and their internal use of SBOMs - Where leaders tend to go wrong. Substation shootings Market acceptance of SEL's Blueframe virtual platform Links Dave Whitehead's previous appearance on the Unsolicited Response Show Want to advertise on the Unsolicited Re...

Cyber Risk Quantification (CRQ) with Nicole Sundin

Dale and Nicole Sundin of Axio discuss CRQ, how to deal with the precision challenge, Axio's prioritization of impact, ransomware on IT affecting operations as an example, and more. They also discuss UX and the single pane of glass. Links Axio web site

Presidential Candidate Will Hurd

Former Congressman and Presidential candidate Will Hurd is a rarity with a tech background in someone who was elected to the US Congress, and even rarer in someone running for President. Will graduated Texas A&M with Computer Science degree. Worked as a Senior Adviser to the cybersecurity company FusionX, which was acquired by Accenture. More recently he was on the board of OpenAI. This is probably one of the most technical interviews with a Presidential candidate you will hear. Dale asks Wi...

ICS Security - Q3 In Review

Patrick Miller of Ampere Industrial Security joins Dale to discuss the three big stories of the quarter and give their win, fail and prediction. Stories US National Cybersecurity Strategy Implementation Plan + CISA 2024-2026 Strategic Plan The cybersecurity / OT cybersecurity vendor market news. We just had Cisco buy Splunk, plus the Dragos "extension", and SCADAfence selling to Honeywell. Seems like some tough times. Ransomware again … Port of Nagoya, Clorox, hospitals, CISA Ransomware Vulnerab...

Dale Peterson On The Sunspace Alliance Webinar

Dale Peterson was recently interviewed by Jay Johnson of Sandia and Tom Tansy of the Sunspec Alliance as part of their distributed energy resources (DER) Sunspec webinar series. We covered a lot of issues and Dale was not shy in throwing out some analysis and opinions. After 5 minutes discussing the S4x24 ticket process, the topics discussed: How DER will deal with the complex, large number of users and stakeholders PKI environment. The Sunspec device security specification and the benefits of a...

Cyber-Physical Attacks with Marina Krotofil

Marina Krotofil recently published the paper Industrial Control Systems: Engineering Foundations and Cyber-Physical Attack Lifecycle which is a detailed paper on cyber attacks that cause a physical impact on the system being monitored and controlled. It took Marina 1.5 years to write this paper, which is more accurately described as a short book. We discuss: the work she is doing to help Ukrainian critical infrastructure security during wartime what got Marina interested in cyber-physical securi...

SBOMs & CycloneDX with Steve Springett

Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs. In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner. The beginning of the show we cover some basics of CycloneDX If you know the basics, skip to 14:24 where we get into the details Statistics on who is generating and using Cycl...

The OT Cybersecurity / Climate Nexus with Andy Bochman

At S4x23 Andy Bochman gave a Main Stage performance on the OT Cybersecurity / Climate Nexus. It's a new idea and Dale wanted to dig into it and understand it better. The discussion looks at where there is a nexus/connection/overlap and where there may be parallel efforts where each side might learn from the other. Links Andy Bochman S4x23 Video Slide used in this episode Earlier episode with Dale and Andy discussing CCE S4x24 Call For Presentations...

Water Sector Cyber Risk with Gus Serino

Gus Serino worked at a large water utility before joining Dragos in 2019. We're talking water sector so it's obligatory to start with Oldsmar (2:20), but we don't talk cyber. Instead we go through the physical portion of the water system assuming the attacker is able to issue the command to the pump to dump a lot of sodium hydroxide into the water system and what would likely happen. Importantly Gus identifies the simple, unhackable solution to this threat. A hard wired PH sensor that will shut ...

One-Way, SAIDI & S4x24 CFP

This is a solo-sode where Dale reviews two articles from July with comments on comments and additional thoughts. The final section is a must listen if you are going to submit to speak on the S4x24 Stage. The times below are so you can skip to what you are interested in. 1:29 One-Way Data Diodes and School Zones 10:15 SAIDI: What Cyber Incidents Should Be Excluded From Metrics 16:05 Do's and Don'ts For Your S4x24 CFP Submission Links Subscribe to Dale's Friday ICS Security News & Notes Info a...