Cybersecurity continues to be a big problem for the world at large and for control systems specifically. The amount of time and effort that it can take to simply keep all of the security patches up to date on a large control system can be mind boggling. No…
The Department of Homeland Security (DHS) is tasked with many things. One area of focus is Industrial Control Systems (ICS). The Industrial Control Systems Joint Working Group (ICSJWG) was formed to facilitate this focus. This group holds semi-annual conferences (Spring and Fall) in various US cities. These meetings…
About 5 years ago I was sitting around a big table in a conference room at a major LNG terminal. Outside the window I could see a big city harbor filled with boats, bridges, sky scrapers and approximately 5 million people. I could also see two huge LNG storage…
A Year in Review: Functional Safety and Cybersecurity in 2015
Good things happened in the fields of functional safety and control system cybersecurity in 2015. I am not going to include the exciting new Star Wars movie as an event in the list as it does not really fit into the topic. But keeping focused, my highlights is 2015…
An Integrator’s Guide to Managing the Cybersecurity Risks of Remote Access
Last week I attended the ISA Water/Wastewater and Automatic Controls Symposium in Bethesda, Maryland. The conference was attended by equipment manufacturers and municipalities, but system integrators composed the largest group. The technical sessions mainly discussed new opportunities for implementing the industrial internet of things (IoT) and cybersecurity…
Are Cybersecurity Servers Making Your ICS Less Cyber Secure?
ICS cybersecurity standards such as ISA 62443 (formerly ISA 99) and NERC CIP require operators to have policies and procedures in place to monitor and maintain their critical ICS cyber assets. For anything other than very small systems, the obvious choice is to implement systems…
I don’t know whether you’ve noticed recently, but the number of cybersecurity alerts issued by CISA (Cybersecurity and Infrastructure Security Agency) seems to be increasing at an alarming rate. The latest alert I’ve seen now relates to GPS tracking systems for children. A device which is supposed to keep…
Attack on Florida Water System Highlights Weak Security Protections for Critical Infrastructure
The Oldsmar Water Treatment Facility in Pinellas County Florida was compromised by hackers on February 5th. Hackers took advantage of the TeamViewer application that was still installed on the water facilities network to gain remote access1. The TeamViewer was originally installed to allow for status checks and troubleshooting of…
In today’s automation systems environment, certain myths continue to persist. For example, "cyber attacks are only a concern for big companies". Although it may be less likely to be targeted by, say, a nation state attack, we’ve seen that malware can cause a shutdown of a system or trigger a…
Automation Cybersecurity: IT vs OT - Differing Priorities
Before you can dive in and look at the core concept of automation cybersecurity, it's helpful to first define it. Automation cybersecurity is the prevention of intentional or unintentional interference with proper operation of automation systems including industrial controls, smart manufacturing, and IIOT systems through the use of computers,…
Preparedness is defined as being in a state of readiness (Webster, 2022). This can take many different forms but when it comes to cybersecurity, a big part is knowing what threats lie in wait within the cyber landscape. It’s difficult to prepare against threats or vulnerabilities you don’t know exist. Being able…
Personnel responsible for protecting organizational assets within Operations Technology (OT) groups would seem to have the same mission as those responsible for protecting organizational assets within Information Technology (IT) groups, and be tightly aligned. Spending any amount of time with Industrial Control System (ICS) clients, however, shows that is…
Cyberattacks have become the new norm for industrial control systems. A recent study found that 54% (more than half) of companies surveyed had experienced a cyber-attack on their Industrial control system within the last two years[1].
The need for well-trained, competent individuals to address cybersecurity for industrial control systems…
Contractor Cybersecurity Training - Why Do You Need It?
Today, we are going to talk a little bit about Contractor Cyber Training. What's in a good contractor cyber training course? Why do you need one? Why aren't policies, practices, and contract language enough?
Today's operators of industrial production facilities frequently utilize contract…
One of the things that automation companies are beginning to do is to plan for cyber hygiene. More and more companies are implementing automation specific awareness training for their employees. They conduct periodic exercises which like sending phishing emails to see who if you respond. They might leave USB…
Cyber Risk Assessments and Security Level Verification: Detailed Risk Assessments (Part 2 of 3)
The exposure of industrial facilities to cybersecurity threats has never been higher. An analysis performed by IBM security found that the number of attacks on SCADA systems increased 636% from 2012 to 2014, with 675,816 cybersecurity incidents in January 20141. Finding an effective method for evaluating the current level…
Cyber Risk Assessments and Security Level Verification: High-Level Risk Assessments (Part 1 of 3)
As the number, scale, and connectivity of industrial automation systems continues to grow, it becomes increasingly crucial to fundamentally understand, evaluate, and manage cybersecurity risks. The objective of an effective cybersecurity management program should be to maintain the industrial automation system consistent with corporate risk criteria.
The exida explains blog has been around for over five years and gives expert and sometimes candid insight into the world functional safety, alarm management, and industrial cybersecurity.