Friday, November 8, 2019

Francois Lemay’s remarks at GridSecCon




I’ve posted summaries of the remarks of two members of the panel that I moderated at GridSecCon (here and here), as well as my own. The last summary (since two of the panelists didn’t send me their remarks, which is fine – it was just a suggestion I made to them) is from Francois Lemay, Cyber Security Specialist with Hydro Quebec. His comments are very succinct but obviously well thought out and definitely worth reading!


The Gordian Knot
An old Greek legend where "several knots are so tightly entangled that it's impossible to see how they were fastened."

The Supply Chain Gordian Knot (supply chain web)
Our industry, the most critical of critical infrastructure, is currently having a data revolution where IT and OT converge, and our networks are more and more exposed to threats.

Our supply chain got so entangled and complex in our critical infrastructures that we don't know any more what technologies are really deployed.

Take security in our own hands
· Our industry has technology that we cannot patch, and old products for which suppliers will not offer any support.
· We still find equipment with backdoors, hardcoded passwords and multiple exploitable vulnerabilities.
· We have geopolitical issues with suppliers (Kaspersky, Huawei).
· Sometimes, our suppliers get breached (waterhole) and they don't know – or they know, but they’re a lot more concerned with managing their reputation than taking care of their clients.

We need to have the means to take security in our own hands, with:

· CIP-013
· Cybersecurity contractual clauses
· Software and hardware integrity
· Cybersecurity certification programs (CyberSecure Canada, UK Cyber Essentials)
· Vulnerability assessment tools
· Political and reputational decisions to make
· Government certification for critical systems and assets


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.

