Integrity of Things

Integrity of Things

Supercharge your hardware security in IoT devices The IoT marketplace moves fast, and device vendors continuously struggle to balance speed to market with implementing proper security measures. When devices cross over between industrial control systems (ICS) and IoT connectivity (often referred to as Industrial IoT or IIoT) ensuring deployed devices are properly secure becomes paramount to[...]

Technical Assessments for ICS—Know the Risks

Technical Assessments for ICS—Know the Risks

Although value can be derived from offline methods such as paper-based framework assessments, many critical discoveries can only be uncovered through a technical assessment using online, active assessment techniques.

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

The Vulnerability That Keeps On Giving: Seven New Variations of Spectre and Meltdown Discovered

Meltdown and Spectre Overview On January 8, 2018, Revolutionary Security reported on Meltdown and Spectre, which are kernel-level vulnerabilities impacting the processing of unauthorized local memory. These vulnerabilities take advantage of a CPU feature called “speculative execution,” which is leveraged by the CPU to optimize performance by running tasks that may not actually be required. The[...]

Check Yourself Before You Assess Yourself

Check Yourself Before You Assess Yourself

7 Questions to Achieve Awareness of the Security Posture of Your Environment After working as a consultant for several years, I sometimes think back to my days as a SCADA security analyst for an oil and gas company.  If I knew then what I know now, how would I have done things differently? If I were responsible for keeping an oil and gas company’s assets, processes, and people safe from cyber[...]

Data Security, APT Activity, and Inherited Risk for ICS

Data Security, APT Activity, and Inherited Risk for ICS

In traditional IT security, there is heavy focus on data — data security, data breaches, data loss. It has often been said “it’s all about the data.” This generally isn’t the case for Industrial Control Systems (ICS). There are a few exceptions, but you will often hear discussion about the C-I-A triad for ICS where ‘C” (confidentiality) takes a lower priority position behind Availability and[...]

Three Reasons to Add a Discovery Phase to Your Next OT Security Assessment

Three Reasons to Add a Discovery Phase to Your Next OT Security Assessment

Many of us have accepted that having a 100% accurate inventory of “all the things” (networks, assets, data flows, etc.) is a pipe dream. To put it in NIST CSF terms, if you wait until you master the IDENTIFY function before you do anything in the remaining functions (PROTECT, DETECT, RESPOND, RECOVER), you will likely fail at securing even the most basic environments. So, the condition that[...]

ICS Cybersecurity: 3 Reasons Why Periodic Technical Assessment (Still) Matters

ICS Cybersecurity: 3 Reasons Why Periodic Technical Assessment (Still) Matters

“Our SCADA communications use AES256 and are 100% secure so we don’t worry too much about security.” That’s a real quote from a real Industrial Control System (ICS) manager from this decade. A technical assessment of that system proved otherwise—there were in fact real cybersecurity vulnerabilities that required immediate and long-term remediation.