S4 is the world's largest and most advanced ICS Security / SCADA Security and Operations Technology Event. The best in the world, the influencers, 1,100 at the last event, gather in Miami South Beach every winter to Create The Future of OT and ICS security. S4x24 will be March 4 - 7.
Dale Peterson makes the S4 videos, and a lot of other content, available to foster the development of the ICS community and encourage future S4 sessions.
Comments
Thank you.
Excellent presentation.
audio is very poor
This was an interesting talk. We never think about rail for some reason. Thanks Miki!
They know EXACTLY how to cut off the foreskin of male children!
What a great presentation and story! Also, Megan needs more caffeine... 😁
Great video, educative indeed
I enjoyed Colin’s talk in Miami live. 👍🏼
What a concept. Now, what language do we need to speak in order to explain this to the executives and business people calling the shots?
Wonderful success story - thank you for sharing!
Truly Impressive Patrick Miller and Dale Peterson
You two are the best. Great when you can be in the same convo.
very well explained. Appreciate the effort put into the speech.
Actually the original creator and 'coiner' of the phrase "Zero Trust" was Stephen Paul Marsh, in his doctoral thesis in 1994. You can google this to see it's true. But odd, no credit that I've seen has been given to Stephen.
Thanks to Dale Peterson and the whole #S4x24 staff and community for their support for an extremely important principle, something that we should all keep an eye out for and know when to identify and when to push back or challenge.
Perhaps another way of looking at this issue is the normalization of complexity. Most engineers have the KISS (Keep It Simple, Stupid) principle hammered into them from their very first internship job. But many software and network design firms seem to live by the principle of "putting things on top of other things" (yes, I am referring to that Monty Python sketch). When making the transition from basic pneumatic and electromechanical controls to software, and DCS/SCADA, we slid toward very significant complexity. A case study on how bad this can get can be found in a 2013 case of Bookout v. Toyota, where the Engine Controls could cause unintended acceleration. We haven't learned much since then. We're still putting things on top of other things. Maybe it is time to discuss limits.
Jake - I like it and am a fan of Monty Python. The court case you mention is just one of many but definitely highlights the unintended risks we are subject to. Fixing digital problems with digital solutions in the principle of "putting things on top of other things" reminds me of a quote from Albert Einstein "We cannot solve our problems with the same thinking we used to create them" or something to that effect. Dr. Trevor Kletz if alive today might be very vocal in this topic today...
Think of a control system at a small water utility no differently than an autopilot in a small plane. Autopilots do help. They enable flying to be much more precise and they improve economy. But you can fly them by hand. Civil Aircraft are supposed to be designed for dynamic stability (this is actual regulation). Failure of the automation is not an OMG I'm gonna fall out of the sky event. And neither is the automation at most small water utilities. Will it be less efficient? Yes. Will the quality of the water vary more? Yes. But the systems were originally designed to function without automation of any sort. As long as the attack against automation is recognized and maintained, (and there are protocols to discover and deal with automation failures), it will be a non-event.
Cybersecurity is illusion. 🤭
Yes… this is happening in many places.
What kind of intelligence, Dude? 😅
Reminds me of Common Block training at Goodfellow AFB decades ago.
Great vid
Great presentation
Ummm 1. The OSSTMM said trust is a vulnerability before this copy of zero trust existed. 2. Stephen Paul Marsh first created/coined zero trust in 1994. What happened to credit where credit is due?
Good effort
Dale, any chance you could bring on each vendor to talk about current new tech and plans for innovation?? It seems all the innovation is coming from Danielle's team at Nozomi, but surely there are others?? Specifically around IoT. We are considering moving to NN depending on how this Guardian Air thing does, once they let us test it. Hopefully not all marketing buzz.
I had to look up what "OT" was and it sounds made-up and nonsensical, how is it different than IT?? Just say IT
A government website for jobs as long as you're linked in you get a guaranteed check
This clown's leadership + corporate greed of ameriKKKan corporation = national security compromise
Awesome
Thank you for posting this. This video is a good resource when thinking of cyber insurance for your organization. Insurance brokers tend to throw complicated terminology to C-suite members, which WILL cause confusion to the ones who are not familiar with both Cyber Security and Insurance business.
He forgot to mention the bionanomachines, for healthy big data
Jeff was really clear on the benefits and this was a great, relaxing presentation. Thanks! May not be a silver bullet but certainly sells like one!
Mr. Ginter's second book was a rather expensive purchase and I still haven't opened it 😂 Maybe one day... Anyway, good interview!
the best
How can I find the 1st edition in pdf format? Can you help me please
Not a PDF, but it is available for sale at www.amazon.com/Industrial-Cybersecurity-Efficiently-critical-infrastructure/dp/1788395158/ref=sr_1_4?crid=111OZAS35533J&keywords=industrial+cybersecurity&qid=1701220797&sprefix=industrial+cybersecurity%2Caps%2C196&sr=8-4
My first introduction to Mr. Bochman was at the eye-opening "OT Security" presentation at the DoE Cyber event in Minneapolis MN. I knew we needed Andy at the Cyber Security Summit in Oct 2023 in our OT Cyber Track. Andy was gracious to offer his availability as a keynote speaker. I am looking forward to upcoming collaboration with Andy in 2023 and 2024.
OT Sequel to "I am here to tell you that OT engineering does not deserve to be called engineering." Sarah, S4 2019
great explanation
On asset inventory: I can sum up the value of a comprehensive OT asset inventory, or the lack thereof, by paraphrasing Klaus Schwab: You will know nothing and you will be happy. True! You won't know about all your vulnerabilities, and also about the many pathways of potential compromise (architecture is part of inventory). Once you introduce a comprehensive OT asset inventory, the initial reaction will be shock. So many networks you didn't even know existed. So many PLCs in the enterprise network. So many PCs running Windows 7. And so on. It's a classic red pill / blue pill scenario.
Cybersecurity initiatives are an ongoing process, and to be successful we need to grow professionals/ look for gifted children/ educate and train them.
Great insight, not bad at all.
gm
Thanks guys, good discussion! As a consultant I can only wish for customers mature enough for SBOMs 🤣 Many are even struggling with CVEs... I guess it might be different with e.g. F500 companies who have the resources to take things more seriously.
I hope it is ok if I write an unsolicited response to this podcast. To Axio: how can you quantify cyber risk while ignoring likelihood? Isn't it more fair to call the field Cyber Impact Quantification if not tackling the likelihood quantification part of calculating risk? Also, yes if a buyer is seeking precision from CRQ in 2023 then they will probably be disappointed. You heard it from Nicole directly that the SMEs are brought in to "tune" this impact system. Nailing CRQ value to precision is missing the point. The merit of CRQ in 2023 is the ability to consistently calculate risk using complex and methodical inputs, and inform decisions consistently despite differing facilities, times, conditions, etc. Compare CRQ in its adolescence to weather forecasts that have been evolving for hundreds/thousands of years. Are you surprised if a clear weather forecast is replaced by a rain day? Not likely. Do you still look at weather related metrics and indicators (these are quantification) to plan your vacation? Likely. Buyers needing precision might hold. Buyers seeking an actionable security program should look instead at CRQM platforms. Cyber Risk Quantification and Management was the next evolution from what Axio is describing.