OT Cyber Security Risk

The objective of this website is to share experience on securing industrial control systems (ICS) and trigger discussions where appropriate. The content of this site will contain information on typical ICS security topics based upon my experience working 40+ years with control systems, as field service engineer, system programmer, process engineer, and 20+ years in cyber security.

I don’t want this web site and its blogs to be another story on the vulnerabilities of ICS equipment. I like to discuss the cyber security topics from the angle of what cyber security hazards these vulnerabilities cause, what the potential consequences are, and what we can do to reduce the risk. This requires a more detailed look at how ICS are built, which sub-systems are part of them, and how they are used within the production process, and sometimes we have to make the step into the production process itself.

My objective is to do this from a cyber security risk-based perspective. What are the cyber security hazards, what is the associated risk, and what are the options to mitigate this risk? If I say risk I mean quantitative risk, not generic risk or qualitative risk. I model the ICS and estimate a threat frequency or conditional probability to arrive at a likelihood. I am not a process engineer but spent the first half of my career (20 years) writing and configuring software for implementing control strategies, learning on the job from some very experienced process engineers. In the second half of my career, which spans 40+ years, I worked on securing the industrial control systems. Initially I worked at a very detailed level as a technical security consultant; in recent years this evolved into approaching OT security from a risk management perspective, giving the production process a central position, analyzing OT automation risk, and comparing this with a plant’s risk assessment criteria. As such, over a hundred HAZOP and LOPA studies passed my desk, and I conducted workshops with many process safety and plant operations subject matter experts, providing me a very detailed view into many different production processes and their cyber risk.

Combining this with my knowledge of manufacturing process automation solutions, built up by working for over 40 years for one of the major suppliers of these systems, and during this time also for many asset owners automating their manufacturing process, I got a unique opportunity to mix my knowledge of process engineering, process automation, risk analysis and cybersecurity in a blend I call OT cybersecurity.

The OT cyber security evolution as I have seen it evolve

My blogs


The cyber security skills gap

Intelligent Field Device (IFD) security.

Bolster your defenses.

Inherent more secure design.

OT security engineering principles

OT security risk and loss prevention in industrial installations


Process safety risk, cyber security risk and societal risk

ICS cyber security risk criteria

Why process safety risk and cyber security risk differ

Cyber risk assessment is an exact business

The role of detection controls and a SOC


Identifying risk in cyber physical systems

ISA 62443-3-2 an unfettered opinion

Playing chess on an ICS board

A wake-up call

Dare for More, featuring the ICS kill-chain and a steel mill

Letting a goat into the garden

The classic ICS perimeter

Power transformers and Aurora

Consequence with capital C

OT cyber security risk

Remote access

Are power transformers hackable?

The Purdue reference model, outdated or up-to-date?

TRISIS revisited

How does advisory ICSA-20-133-02 impact sensor security?

Are sensors secure, is life an unhealthy affair?

Cyber security in real-time systems

Interfaced or integrated?

Cyber security and process safety, how do they converge?

This is a non-commercial web site with a vendor-neutral focus on the security of automation systems. I mention vendor neutral specifically because I am employed by a large company that also has business units providing ICS solutions. Though I am not employed by that business unit and work for an OT cyber security team that provides vendor-neutral services, sometimes people refer to what my employer might think of my opinion. Therefore I want to explicitly state that this web site and its blog content represent my own personal view on OT security and the world in general. There is no relationship between my opinions and publications and the views of my employer in whatever capacity.

Sinclair Koelemij
