Blake Sobczak, a reporter for Energy & Environment News, has been on fire lately with his coverage of electric sector cybersecurity. It seems like I'm consistently retweeting his stories and putting them into my Friday News & Notes email (are you subscribed?). So I brought him on the podcast to talk about it.

To me the most interesting discussion starting at 34:55 about decisions to cover stories that are promoted by ICS security vendors.

Andy Bochman with INL joins me to discuss their Consequence-Driven, Cyber-Informed Engineering methodology (CCE). It is appealing because it places emphasis on the often neglected consequence part of the risk equation.

I think you'll hear me struggling to make sense of some of the concepts in the CCE and questioning a number of the underlying precepts and value of the approach. One of the reasons is there is limited info out on what CCE is, and this podcast should clarify CCE to some degree.

Michael Assante is my guest for this episode. He has a storied career and recently won the RSA Conference Award for Excellence in Information Security. Mike was the VP/CSO of NERC, active at INL in the Aurora demonstration, led the development and implementation of the SANS ICS Security Training program, and even began working as CSO for an electric utility. We talk about driving change, what regulation would work, the lessons learned and failures of Aurora and much more.

The buzzwords "cyber hygiene" is being said and written by many of the guru's in the ICS security community. It's hard to argue that basic hygiene is bad, but what is and isn't cyber hygiene?

I talked with Marty Edwards of the Automation Federation and Michael Toecker of Context Industrial Security. Is applying security patches cyber hygiene? Is there a difference between cyber hygiene and cyber maintenance. Amazingly. we all ended up changing our viewpoint and reached a basic agreement.

In the last two months Bryan Owen attended the SANS ICS Security Summit, DHS ICSJWG, RSA, OSIsoft's PI World, and LOGIIC (Oil/Gas/Gov consortium). Since most listeners like me aren't able to attend these events I thought we could find out what's happening from Bryan.

I interviewed Kelly Jackson Higgins of Dark Reading and JIm Finkle of Reuters on the S4x18 Main Stage. They are both experienced reporters and covered the ICSsec beat for years. We got right into it with "are you traffickers in FUD" and "how do you deal with the vuln as a marketing strategy trend" and much more.

Jake Brodsky, Joel Langill and Dale Peterson on the S4x18 Main Stage.

Nassim Taleb discusses the concept of Iatrogenics in his book Antifragile. It is commonly applied to medicine, but Taleb applies it to the financial market and proposes it could be applied to other areas. We had a panel at S4x18 that dug into the issue of how to determine when security controls are doing more harm than good.

This was a great debate from S4x18. Many owner / operators have an Enterprise Secure Operations Center (SOC), and they are considering how best to handle OT incident detection and response. There are two main approaches:

1. Add OT data and incident response capabilities to an Enterprise SOC or

2. Set up and run a SOC dedicated to the OT environment

Dan Scali of FireEye took the Enterprise SOC side and debated with Rob Lee of Dragos, who argued the OT SOC side.

Dale Peterson interviews the ICS Detection Challenge Winner - Claroty and the runners up - Nozomi and Security Matters. They discuss where the competitors did well, how the products are likely to improve in the future, and what the future direction of the ICS product detection category is likely to be.

The ICS Detection Challenge at S4x18 last January pitted Claroty, Gravwell, Nozomi and Security Matters in a competition to determine who could create the most complete asset inventory and who could do the best job detecting attacks through passive ICS network monitoring only. 

Dale Peterson and Eric Byres discuss the packets used in the test and analyze the results. What this product category can and cannot do. The last 15 minutes talking about the future of the ICS Detection product category.