“Securing Operational Technology: A Deep Dive into the Water Sector”

https://www.congress.gov/event/118th-congress/house-event/116802?s=1&r=31

I know some of these witnesses personally. I know the subject matter extensively.

For this post I will assume you have watched the hearing. Also, please see the recent post about China and U.S. Infrastructure.

Also note this is somewhat of a stream of consciousness as I listened.

The first question sets the tone: quantum computing and FUD! Mr. Lee is correct that 1) we are not going back to manual systems, 2) the current ICS/OT systems are already vulnerable, and 3) defense is possible.

Safety systems and “managing for the consequence” is a key point! If you want an offline system it should be a safety system!

Government is not the F***ing answer!

It is important to note that of the 16 critical infrastructure sectors, Water is one of the least mature and funded.

Attribution is largely bunk! Attribution is very hard to do, especially in light of WikiLeaks Vault 7.

NERC or NERC lite is not the answer. I will admit that NERC-CIP has moved the industry, but that was from zero and we are not there today.

If you accept the premise that Risk = Likelihood x Impact, and that the impacts of loss of life or capacity are unacceptable, then almost all OT risks trend to the extreme.

OK, so what is really needed for ICS/OT cybersecurity to solve the issue? A market and risk driven model. Legislation will not help, just enrich the companies who have the best lobbyists. The ugly truth is that most infrastructure is not secured. The basic blocking and tackling steps are not in place. Defense in depth, good architecture, and vigilance are the building blocks to solve this issue (IMO). Most CISOs I know want to spend their budget on tools, and I see this as a mistake. If you do not have the people or program in place to use them effectively, tools will not protect you. There is way too much shelf-ware in the industry.

NVG10 – Digital Night Vision

OK, so a while back Gene told me about this little device (we talked about it on the show). First, if you have the money don’t get this and just get a good PVS-14. This is NOT a replacement. That said I’m cheap, and wanted something I can put in my truck and not worry about it (damage, theft, and to use).

Also let me issue a disclaimer that I did work with the guys over at Good Nite Gear and they were nice enough to give me a promo code (NVG-10: Coupon Code dudenamedben 10% off).

First thoughts: not bad. OK so the NVG10 is Chinese and digital. It is not a replacement for analog night vision. It has a good feel, and is rated to be IP66 (we will see if this is true).

The first NVG10 I received had… issues… granted it was an open box item. That said, the guys over at Good Nite Gear were helpful in getting a working device. I will say that you can get the NVG10 a little cheaper on Amazon, but the support from GNG and the fact that I’m not supporting Amazon make it all the better.

This is the best digital night vision I have seen, though I grant you that I have not used the $1000+ models. For me, if I’m going to spend that much money, I am getting an analog gen 2+ or used.

I liked it enough to have one for my truck and have my Dad get one to fight the beavers on his property.

As I get more time on this NVG I will update this post!

After playing with the NVG10, there are some settings you need to know to use it effectively:

1) IR: Press and hold the right arrow button until the display changes to show “IR on”. This will disable the IR illumination until you tap the right arrow again; then it will show “IR1”. If tapped again, it will cycle through “IR2” and “IR3”.

2) Display brightness: Press and hold the left button until the Menu is displayed. Use the arrow buttons to select “Brightness”; this will allow you to then select the brightness of the display (default is 5). Use the lowest setting that is appropriate given the light conditions. The “Auto” setting is too bright for me but may work for you.

3) Green: Tap the right arrow to switch between green and white display.

4) Zoom: Tapping the left arrow should zoom the display (I am telling you this so if it happens accidentally you know how to change it).

My NVG setup (more accessories coming including some from Aliexpress that I will also review)

China and U.S. Infrastructure

https://www.nbcnews.com/tech/security/chinese-hackers-cisa-cyber-5-years-us-infrastructure-attack-rcna137706

SUMMARY
“The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” (Full PDF below)

https://s3.documentcloud.org/documents/24412395/aa24-038a-csa-prc-state-sponsored-actors-compromise-us-critical-infrastructure.pdf

Needless to say, this is part of my day job, and this is my opinion as an ICS cybersecurity expert. While I will say that there are most certainly threats to US industry, most come from incidental contact with IT-based threats, not from nation states. What I mean by this is, if you are a CISO, the risk of non-targeted ransomware is a more real and quantifiable risk.

I do not mean to say that nation states are not a real threat. If a war (beyond that of a proxy fight) kicks off then there is no doubt that cyber attacks will be part of that.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

FBI Director Christopher Wray

Mask Holes Win

https://abcnews.go.com/Health/wireStory/wearing-mask-covid-19-health-emergency-isnt-free-106996447

“A question shadowing suits such as these is whether there is a First Amendment right to refuse to wear a protective mask as required by valid health and safety orders put in place during a recognized public health emergency. Like all courts to address this issue, we conclude there is not,”

“Skeptics are free to — and did — voice their opposition through multiple means, but disobeying a masking requirement is not one of them. One could not, for example, refuse to pay taxes to express the belief that ‘taxes are theft.’ Nor could one refuse to wear a motorcycle helmet as a symbolic protest against a state law requiring them.”

The 3rd Circuit Court of Appeals

First let me say that when the pandemic first started and little was known about the virus, I gave my family N95 masks that I had for other uses. However, it became clear to me early on that the size of the virus meant that even the N95 was not going to be very useful.

We live in a free society or we do not. This ruling and other moves by the government are at their basis tyrannical. I did not wear a mask for COVID and I will not. Not for my job, not because a government tells me to. I will not comply with any mandate, I will do what I believe will protect myself and my family. I take responsibility for my actions and understand the risks I am willing to take.

The high risk of bias in the trials, variation in outcome measurement, and relatively low adherence with the interventions during the studies hampers drawing firm conclusions. There were additional RCTs during the pandemic related to physical interventions but a relative paucity given the importance of the question of masking and its relative effectiveness and the concomitant measures of mask adherence which would be highly relevant to the measurement of effectiveness, especially in the elderly and in young children.

There is uncertainty about the effects of face masks. The low to moderate certainty of evidence means our confidence in the effect estimate is limited, and that the true effect may be different from the observed estimate of the effect. The pooled results of RCTs did not show a clear reduction in respiratory viral infection with the use of medical/surgical masks. There were no clear differences between the use of medical/surgical masks compared with N95/P2 respirators in healthcare workers when used in routine care to reduce respiratory viral infection. Hand hygiene is likely to modestly reduce the burden of respiratory illness, and although this effect was also present when ILI and laboratory‐confirmed influenza were analysed separately, it was not found to be a significant difference for the latter two outcomes. Harms associated with physical interventions were under‐investigated.

There is a need for large, well‐designed RCTs addressing the effectiveness of many of these interventions in multiple settings and populations, as well as the impact of adherence on effectiveness, especially in those most at risk of ARIs. 

https://www.cochranelibrary.com/cdsr/doi/10.1002/14651858.CD006207.pub6/full

This was a bad challenge; that said, the ruling is wrong. It is wrong for one major reason. There is NO evidence that masks (even N95s) are effective against COVID-19. In FACT there is quite a bit of evidence that they do not work, especially when not worn correctly or when reused as almost everyone did, which removes any logic from the argument. This ruling suggests that the government can force you to wear a hat or other fashion accessory without evidence of its ability to protect you or others. The fact that the Appeals court used a motorcycle helmet as an example is on its face an absurdity. I have the right to endanger myself, I am free and own my own body! Even if you believe (falsely) that forcing me to wear a mask will somehow protect you from me, that does NOT give you a right to force it upon me.

“I prefer dangerous freedom over peaceful slavery”

Thomas Jefferson

National Grid Drops China

https://www.msn.com/en-gb/news/world/britain-s-national-grid-drops-china-based-supplier-over-cyber-security-fears-ft/ar-AA1lCEVS

Just a quick note on this story. I am happy that they are making this move, but having worked with them in the past, they have major cultural issues to overcome as well. They are using good tools to secure their networks, but tools aren’t the end-all, be-all. Tools augment the human element; without the human talent you cannot be secure!

China vs NS Savannah

https://www.eurasiantimes.com/largest-nuclear-container-ship-design-breaks-cover-at-chinas/?amp

https://en.wikipedia.org/wiki/NS_Savannah

The US had a nuclear-powered cargo ship in the 1950s, the NS Savannah. Operation costs as well as nonproliferation concerns were ultimately its downfall. It is clear that the CCP does not share in these concerns. The US has and has had the technology to compete; the question is one of will. Will the US, in light of China, start to see its own nuclear merchant fleet? The American Bureau of Shipping (eagle.org) https://ww2.eagle.org/en/innovation-and-technology/technology-advancements/nuclear-energy.html has plans if the regulators will allow it.

https://www.nationalgeographic.com/history/article/nuclear-ship-savannah-atoms-for-peace