Technical Assessments for ICS—Know the Risks

Technical Assessments for ICS—Know the Risks

Although value can be derived from offline methods such as paper-based framework assessments, many critical discoveries can only be uncovered through a technical assessment using online, active assessment techniques.

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

Meltdown and Spectre Overview On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The[...]

Check Yourself Before You Assess Yourself

Check Yourself Before You Assess Yourself

7 Questions to Achieve Awareness of the Security Posture of Your Environment After working as a consultant for several years, I sometimes think back to my days as a SCADA security analyst for an oil and gas company.  If I knew then what I know now, how would I have done things differently? If I were responsible for keeping an oil and gas company’s assets, processes, and people safe from cyber[...]

The Three Critical Misses of a Tool-focused Cybersecurity Investment Strategy

The Three Critical Misses of a Tool-focused Cybersecurity Investment Strategy

As cybersecurity consultants, we see this scenario way too often: Company X has a wakeup call regarding cybersecurity. This often comes in the form of a compromise or breach but sometimes can be more subtle such as discovery of malware in a sensitive environment or a board-level mandate. Immediate action calls are made for 30, 60, or 90 day action plans. Budgets are made available and those in[...]

Three Reasons to Add a Discovery Phase to Your Next OT Security Assessment

Three Reasons to Add a Discovery Phase to Your Next OT Security Assessment

Many of us have accepted that having a 100% accurate inventory of “all the things” (networks, assets, data flows, etc.) is a pipe dream. To put it in NIST CSF terms, if you wait until you master the IDENTIFY function before you do anything in the remaining functions (PROTECT, DETECT, RESPOND, RECOVER), you will likely fail at securing even the most basic environments. So, the condition that[...]

ICS Cybersecurity: 3 Reasons Why Periodic Technical Assessment (Still) Matters

ICS Cybersecurity: 3 Reasons Why Periodic Technical Assessment (Still) Matters

“Our SCADA communications use AES256 and are 100% secure so we don’t worry too much about security.” That’s a real quote from a real Industrial Control System (ICS) manager from this decade. A technical assessment of that system proved otherwise—there were in fact real cybersecurity vulnerabilities that required immediate and long-term remediation.