Unsolicited Response Podcast

In this episode of the Unsolicited Response Podcast I interview Megan Samford and Rick Cherney of Rockwell Automation. We cover two main topics. First, we discuss how they are dealing with vulnerabilities reported to them by researchers and other means. We focus on how this has progressed over the years as well as how vendors could provide more useful vulnerability and remediation information to their customers. Second we disc... Read more

Forescout's acquisition of SecurityMatters for $113M in cash was the first major exit from the OT Detection Space (or broader passive monitoring market as you will hear in the podcast). I spoke with Brian Proctor about a number of issues including: What it was like moving from an asset owner to a vendor The best way for an asset owner to recruit or develop ICS security talent in this high demand environment His thoughts on the ... Read more

In this episode, I interview Jonathan Homer, the Chief of the Industrial Control Systems Group / Hunt and Incident Response Team at DHS. We discuss: What changes will asset owners see with the creation of CISA organization in DHS? A detailed discussion of the metrics DHS will use to determine if they are successful / having an impact? Why or if DHS is competing with industry in many of their ICS security services. The CISA St... Read more

The ICS Detection Market has achieved almost all of the funding and attention the last two years, including my analysis. Last month Bayshore Networks announced and got some attention with their new SCADAFuse “inline protection tool for industrial networks”. It sounded a lot like the Tofino of 5+ years ago, so I decided to get the creator of the industrial firewall / gateway market, Eric Byres, on the podcast to help me analyze this... Read more

This recording is from a panel discussion on understanding and reducing the consequence side of the risk equation (risk = consequence * likelihood). Joining me in this discussion are: John Cusimano of aeSolutions and their CyberPHA Andy Bochman of INL and their Consequence Driven Cyber Informed Engineering (CCE) The two gentleman begin by explaining their respective consequence based risk assessment and risk management, and... Read more

In a recent article a researcher proclaimed it's "not hard for a hacker to capsize a ship at sea". This was quickly followed by the Viking Sky cruise ship having its engines shut off due to a sensor reading. Not knowing much about maritime control systems I brought two experts from Moran Cyber on the podcast to discuss the issue: Captain Alex Soukhanov (a Master Mariner and Director at Moran Cyber) and Greg Villano (Senior Marit... Read more

I went back to the RSA Conference for the first time in over a decade. Here is my 25-minute report on the event for those considering attending or participating in the future. Includes: the first RSA Conferences and when cybersecurity first looked like a real market tips on working the massive RSA Expo Floor interview with Thomas Van Norman on the ICS Village at RSA should an ICS security vendor exhibit at RSA the value of side ev... Read more

I interviewed Robert Graham on the S4x19 Main Stage. Robert has an illustrious career in cyber security products including the creator of BlackIce and the first network IPS. We brought him to the S4 Stage for his contrarian views. Some of the topics we discussed in the podcast: The downside to IoT regulation and virtue signaling Likely threat agents, broad not specific targets and the birthday paradox Does Rob expect another Stuxn... Read more

This episode of the Unsolicited Response Podcast features a discussion on the S4x19 Main Stage with Brad Hegrat, Joel Langill and Dale Peterson. The question: Is the Purdue Model Dead? The three coalesced around an answer (unexpected). And it's not dead, but also not terribly useful going forward in helping with OT network architecture. Have a listen, maybe you will get a different takeaway. Links S4 Events YouTube Channel Dale's... Read more

The first Unsolicited Response episode of 2019 is a shorter solo-sode. It begins with my four major takeaways from 2018 Finally figuring out the OT / IT issue Consequence based risk reduction Detection market acceleration and shake out The ICS bane called Cyber Hygiene And then at 10:20 in the podcast I've included my S4x19 minute mini-keynote Create The Future, with a bit of help from Patrick Miller, Eireann Leverett and Rob Lee... Read more

In this Unsolicited Response episode I interview Rob Lee of Dragos and Rob Smith of INL on a Department of Energy funded program called Neighborhood Keeper. The program attempts to provide threat detection and intelligence in an easy and affordable way to small and medium sized asset owners. Originally these are in the Energy sector, given the funding source. While Dragos is providing the technology and service, there are a lot of ... Read more

I’m trying something a bit different in this short 22 minute episode. I rant about two flawed ICS mantras that are gaining traction and detract from useful discussions, and there is an overview of the S4x19 agenda and OnRamp training. 1:47 Mantra: “If you are in critical infrastructure, you will be targeted. If you are targeted, you will be compromised”. Andy Bochman and others at INL. This is pure FUD, and I explain a more reasona... Read more

In this episode I speak with Ralph Langner of Langner Communications about the ICS Product Security Market. Ralph is famous for his work on Stuxnet, and he has done a lot of great work before and after Stuxnet. For the last two years he has set aside his decades of being in the ICS Security Consulting business and focused on developing the product he feels his clients have needed. In this podcast we cover a lot of ground including:... Read more

Blake Sobczak, a reporter for Energy & Environment News, has been on fire lately with his coverage of electric sector cybersecurity. It seems like I'm consistently retweeting his stories and putting them into my Friday News & Notes email (are you subscribed?). So I brought him on the podcast to talk about it. To me the most interesting discussion starting at 34:55 about decisions to cover stories that are promoted by ICS security v... Read more

Andy Bochman with INL joins me to discuss their Consequence-Driven, Cyber-Informed Engineering methodology (CCE). It is appealing because it places emphasis on the often neglected consequence part of the risk equation. I think you'll hear me struggling to make sense of some of the concepts in the CCE and questioning a number of the underlying precepts and value of stages of the methodology. One of the reasons is there is limited in... Read more

Michael Assante is my guest for this episode. He has a storied career and recently won the RSA Conference Award for Excellence in Information Security. Mike was the VP/CSO of NERC CIP, active at INL in the Aurora demonstration, led the development and implementation of the SANS ICS Security Training program, and even began working as CSO for an electric utility. In this episode we discuss: Mike's receiving the RSA award and what th... Read more

The buzzwords "cyber hygiene" is being said and written by many of the guru's in the ICS security community. It's hard to argue that basic hygiene is bad, but what is and isn't cyber hygiene? I recorded a 3-person pod with Marty Edwards of the Automation Federation and Michael Toecker of Context Industrial Security. They were selected because they used the term, and all three of us had different views on what cyber hygiene means an... Read more

In the last two months Bryan Owen attended the SANS ICS Security Summit, DHS ICSJWG, RSA, OSIsoft's PI World, and LOGIIC (Oil/Gas/Gov consortium). Since most listeners like me aren't able to attend these events I thought we could find out what's happening from Bryan. Why Bryan attends events. Is it worthwhile for an ICS security professional to attend RSA? What areas at RSA did he find most valuable? Mike Assante from the ICS worl... Read more

This was a fun panel discussion on the S4x18 Main Stage with Kelly Jackson Higgins of Dark Reading and Jim Finkle of Reuters. We covered a lot of grounds in a frank discussion including: Who is your reader? Are you traffickers in FUD? How long will people click on the vulnerability or exploit of the day in ICS or IIoT? What are your thoughts and response to the ICS vuln as a marketing strategy? How long do you get to spend on a st... Read more