I’ve posted summaries of the remarks of two members of the panel that I moderated at GridSecCon (here and here), as well as my own. The last summary (since two of the panelists didn’t send me their remarks, which is fine – it was just a suggestion I made to them) is from Francois Lemay, Cyber Security Specialist with Hydro Quebec. His comments are very succinct but obviously well thought out and definitely worth reading!
The Gordian Knot

An old Greek legend where "several knots are so tightly entangled that it's impossible to see how they were fastened."

The supply chain Gordian Knot (supply chain web)
Our industry, the most critical of critical infrastructure, is currently having a data revolution where IT and OT converge, and our networks are more and more exposed to threats.

Our supply chain got so entangled and complex in our critical infrastructures that we don't know anymore what technologies are really deployed?
Take security in our own hands

· Our industry has technology that we cannot patch, and old products for which suppliers will not offer any support.
· We still find equipment with backdoors, hardcoded passwords and multiple exploitable vulnerabilities.
· We have geopolitical issues with suppliers (Kaspersky, Huawei).
· Sometimes, our suppliers get breached (waterhole) and they don't know – or they know, but they’re a lot more concerned with managing their reputation than taking care of their clients.
We need to have the means to take security in our own hands, with:

· CIP-013
· Cybersecurity contractual clauses
· Software and hardware integrity
· Cybersecurity certification program (CyberSecure Canada, UK Cyber Essentials)
· Vulnerability assessment tools
· Political and reputational decisions to make
· Government certification for critical systems and assets
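The "software and hardware integrity" item above is the one means in this list that an asset owner can operationalize directly on delivered artifacts. The following is an added illustration (it is not part of Francois Lemay's remarks or of this blog, and the firmware bytes, file names and manifest values are constructed for the example): a small check that computes the SHA-256 digest of a delivered firmware image and compares it, in constant time, against a vendor-published manifest in sha256sum format, rejecting artifacts that are missing from the manifest, have malformed manifest entries, or whose bytes have been altered in transit.

```python
import hashlib
import hmac
import re

# Constructed sample artifact standing in for a vendor firmware image.
FIRMWARE_IMAGE = b"RTU-FW v2.3.1 constructed sample image bytes\n"

# The same bytes with a single-byte alteration, to show what tampering looks like.
TAMPERED_IMAGE = FIRMWARE_IMAGE.replace(b"2.3.1", b"2.3.2")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in sha256sum(1) output format ("<hex digest>  <file name>").
# A real manifest comes from the vendor over an independent channel; here the
# first digest is derived from the sample image and the second is a placeholder.
MANIFEST_TEXT = (
    f"{sha256_hex(FIRMWARE_IMAGE)}  rtu-fw-2.3.1.bin\n"
    f"{'0' * 64}  rtu-fw-2.2.0.bin\n"
    "not-a-digest  rtu-fw-broken.bin\n"   # malformed entry, must be ignored
)

_ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text: str) -> dict:
    """Map file name -> lowercase hex digest; skip blank and malformed lines."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            continue          # a malformed entry is never treated as a valid digest
        digest, name = m.group(1).lower(), m.group(2).strip()
        manifest[name] = digest
    return manifest


def verify_artifact(name: str, data: bytes, manifest: dict):
    """Return (ok, reason) for a delivered artifact against the manifest."""
    expected = manifest.get(name)
    if expected is None:
        return False, "not in manifest"
    actual = sha256_hex(data)
    # compare_digest avoids leaking mismatch position through timing.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


MANIFEST = parse_manifest(MANIFEST_TEXT)

if __name__ == "__main__":
    for label, data in (("delivered", FIRMWARE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, verify_artifact("rtu-fw-2.3.1.bin", data, MANIFEST))
    print("unknown", verify_artifact("unknown.bin", b"", MANIFEST))
```

A digest check like this only proves that the bytes received match what the manifest says; it says nothing about whether the manifest itself is authentic, so in practice the manifest (or the image) also needs a vendor signature verified against a key obtained out of band, which is what the contractual clauses in the list above would require.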
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.