Weekend Must-Read: ICSs May Not Be Safe from Heartbleed after All

Just because you've changed your Facebook and Dropbox passwords (you have, haven't you?) doesn't mean you can forget about Heartbleed. According to the Christian Science Monitor's Saturday edition, "Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the...

Stanford University presentation on cyber security of industrial control systems

On October 12, 2011, I gave an invited presentation on cyber security of industrial control systems to a graduate electrical engineering colloquium at Stanford -

What is Operations Technology (OT) and why is it important to secure ICSs

There are starting to be more discussions about the need for integration between Information Technology (IT) and Operations Technology (OT) to secure ICSs. From my experience, I have found very few effective OT managers. I believe an effective OT manager must be very familiar with ICSs and their constraints and...

Hard hat vs Black hat - the hype versus reality

The issue of critical infrastructure protection, or control system cyber security, is getting to be more popular with the mainstream IT community as demonstrated by the number of presentations at Black Hat. The issue is really separating the real issues from the hype.

Is network security sufficient to secure industrial control systems (ICSs)?

There have been numerous articles, white papers, and webinars on securing industrial control systems (ICSs). Almost all have focused on securing the IP networks. This is certainly part of the solution, but NOT the entire solution.

ACS 2011 Conference Summary - September 21

The final agenda can be found at There are several unique hallmarks of the conference:

Are we asking too much of existing industrial control systems?

If you ask users of industrial control systems if they meet their design and performance requirements, I think you will find the answer is a resounding yes. However, if you ask security personnel if they are secure, you will probably get a resounding no. What needs to be understood is...

Keep the lights on!

I had discussions with a utility IT cyber security representative at the June 1 San Francisco Electronic Crimes Task Force Quarterly Conference. The nub of the discord was the dissonance between my worrying about “keeping lights on” at all costs and his focus on maintaining security at all costs.

ICS vendor security issue

Because of travel commitments, I have not been actively blogging. Yesterday night, I gave a presentation at the IEEE Industry Applications Society in Concord, CA. Today, I am flying to Albuquerque to give an invited presentation to an Air Force Cyber Security and Surety meeting.

The need for interdisciplinary programs for ICS Cyber Security

I have been asked to present a paper at the 2010 World Congress in Computer Science, Computer Engineering, and Applied Computing (WorldComp 2010). Our session is on cyber security education. My paper will be on the need for interdisciplinary programs for ICS Cyber Security within the Computer Science and Engineering departments.