“Securing Operational Technology: A Deep Dive into the Water Sector”


I know some of these witnesses personally. I know the subject matter extensively.

For this post I will assume you have watched the hearing. Please also see the recent post about China and U.S. Infrastructure.

Also note that this is somewhat a stream of consciousness, written as I listened.

The first question sets the tone: quantum computing and FUD! Mr. Lee is correct that 1) we are not going back to manual systems, 2) the current ICS/OT systems are already vulnerable, and 3) defense is possible.

Safety systems and “managing for the consequence” are a key point! If you want an offline system, it should be a safety system!

Government is not the F***ing answer!

It is important to note that of the 16 critical infrastructure sectors, water is one of the least mature and least funded.

Attribution is largely bunk! Attribution is very hard to do, especially in light of WikiLeaks Vault 7.

NERC or NERC-lite is not the answer. I will admit that NERC-CIP has moved the industry, but that was from zero, and we are not there today.

If you accept the premise that Risk = Likelihood x Impact, and that the impact of loss of life or loss of capacity is unacceptable, then almost all OT risks trend toward the extreme.

OK, so what is really needed for ICS/OT cybersecurity to solve the issue? A market- and risk-driven model. Legislation will not help; it will just enrich the companies with the best lobbyists. The ugly truth is that most infrastructure is not secured. The basic blocking and tackling steps are not in place. Defense in depth, good architecture, and vigilance are the building blocks to solve this issue (IMO). Most CISOs I know want to spend their budget on tools, and I see this as a mistake. If you do not have the people or program in place to use them effectively, tools will not protect you. There is way too much shelf-ware in the industry.

China and U.S. Infrastructure

“The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” (Full PDF below)


Needless to say, this is part of my day job, and this is my opinion as an ICS cybersecurity expert. While I will say that there are most certainly threats to US industry, most come from incidental contact with IT-based threats, not from nation states. What I mean by this: if you are a CISO, the risk of non-targeted ransomware is a more real and quantifiable risk.

I do not mean to say that nation states are not a real threat. If a war (beyond that of a proxy fight) kicks off, then there is no doubt that cyber attacks will be part of it.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

FBI Director Christopher Wray