
OT Cyber Security Risk
The objective of this website is to share experience on securing industrial control systems (ICS) and trigger discussions where appropriate. The content of this site will contain information on typical ICS security topics based upon my experience working 40+ years with control systems, as field service engineer, system programmer, process engineer, and 20+ years in cyber security.
I don’t want this web site and its blogs to be another story on the vulnerabilities of ICS equipment. I like to discuss the cyber security topics from the angle of what are the cyber security hazards these vulnerabilities cause, what are the potential consequences, and what can we do to reduce the risk. This requires a more detailed look at how ICS are built, which sub-systems are part of it, and how are they used within the production process, and sometimes we have to make the step into the production process itself.
My objective is to do this from a cyber security risk based perspective. What are the cyber security hazards, what is the associated risk, and what are the options to mitigate this risk. If I say risk I mean quantitative risk, not generic risk or qualitative risk. I model the ICS and estimate a threat frequency or conditional probability to arrive at a likelihood. I am not a process engineer but spend the first half of my career (20 years) writing and configuring software for implementing control strategies, so learning on the job from some very experienced process engineers. The second half of my 40+ year spanning career I worked on securing the industrial control systems. Initially I worked at a very detailed level as a technical security consultant, in recent years this evolved into approaching OT security from a risk management perspective giving the production process a central position, analyzing OT automation risk, and comparing this with a plant’s risk assessment criteria. As such over a hundred HAZOP and LOPA studies past my desk, I conducted workshops with many process safety and plant operation’s subject matter experts providing me a very detailed view in many different production processes and their cyber risk.
Combining this with my knowledge of manufacturing process automation solutions build up by working for over 40 years for one of the major suppliers of these systems, and during this time also for many asset owners automating their manufacturing process, I got a unique opportunity for mixing my knowledge of process engineering, process automation, risk analysis and cybersecurity in a blend I call OT cybersecurity.
My blogs
2022
Intelligent Field Device (IFD) security.
OT security engineering principles
OT security risk and loss prevention in industrial installations
2021
Process safety risk, cyber security risk and societal risk
ICS cyber security risk criteria
Why process safety risk and cyber security risk differ
Cyber risk assessment is an exact business
The role of detection controls and a SOC
2020
Identifying risk in cyber physical systems
ISA 62443-3-2 an unfettered opinion
Dare for More, featuring the ICS kill-chain and a steel mill
Letting a goat into the garden
Are power transformers hackable?
The Purdue reference model, outdated or up-to-date?
How does advisory ICSA-20-133-02 impact sensor security?
Are sensors secure, is life an unhealthy affair?
Cyber security in real-time systems
Cyber security and process safety, how do they converge?
This is a non-commercial web site with a vendor neutral focus on the security of automation systems. I mention specifically vendor neutral because I am employed by a large company that also has business units providing ICS solutions. Though I am not employed by that business unit and work for an OT cyber security team that provides vendor neutral services, sometimes people refer to what my employer might think of my opinion. Therefore I want explicitly state that this web site and its blog content are representing my own personal view on OT security and the world in general. There is no relationship between my opinions and publications and the views of my employer in whatever capacity.
Sinclair Koelemij