Robert Mathews (OSIA): Fwd: Willis Ware Dead ...:
I am not certain how many here are aware of the late Willis Ware. In
case you had followed the life, career and contributions by Ware, you
may be interested to know of his passing. Had intended to post it much,
* Dr. [...]
J.T. Langill: Patching of ICS and SCADA systems: Welcome to the real world of Operational Technology! Patching is never going to be easy, and typically it offers little real protection because of (1) delays in deployment caused by issues relating to impact on critical operations, (2) it typically covers less than 40% of the real target assets of an industrial control system architecture, and (3) the lack of consistency in deploying patches from vendor to vendor!
Patching only addresses Risk Reduction through Vulnerability Management, and in my opinion this is one of the most difficult methods in an operational world. I would prefer to focus on mitigation through Threat and Impact Reduction, and deploy other more reliable (and less impactful to operations) controls to manage vulnerabilities.
Spinks, David: Patching of ICS and SCADA systems: ENISA releases recommendations on patching SCADA systems.
Director Operational Risk - HP
At a recent London conference on Cyber Security in the Oil and Gas industry I was astounded at the lack of understanding of how to build a real-time system where testing of new releases and patches could be undertaken.
The report is also available with other SCADA related white papers on the CSIRS share:
It would be good for those members concerned with the design and operation of SCADA systems to comment on this paper. If necessary you could make me aware of any comments and suggestions on my HP email address:
david.spinks at hp.com
Operational Risk Management
HP Enterprise Services
Work : +44(0)3305874218 (PC Phone)
Mobile : +44(0)7790 495 435
eMail : david.spinks at hp.com
Sorry that I haven't had the chance to respond to this email chain yet. Eric Cosman and a couple of others have made the case for actually using 270xx and 62443. I just wanted to add a little bit of detail about what we are actually doing right now.
Shortly after the first edition of 62443-2-1 was published by IEC, ISA99 Working Group 2 began rewriting the document as a modification to ISO/IEC 2700x. The first document for comment was submitted in 2012 and we received a large number of comments. Some were related to technical details, but a large number were actually related to the major organizational structure of the document. At that time, we were using the 2005 editions of 27001 and 27002 as the basis for our document and our document was written as a modification to both standards. ISO/IEC 27001 and 27002 have since gone through a major revision and were republished in 2013.
Working Group 2 feels that ISO/IEC 27001:2013 can be used as-is without modification to the requirements. As such, we are removing all of the material that we had modifying 27001 requirements and turning this document into the more common sector-specific modification to 27002. This has been done for a couple industries, including the current 27019 technical report for the electricity sector. Our current plan is to supersede 27019 and publish a full international standard for the industrial automation and control systems sector. We've already made our intention known to ISO/IEC and are working through our liaison with them to develop this standard.
Will it be the perfect solution for everyone? No. Will it cover every case? No. Will it make complete sense to everyone? No.
We are trying to work within the international requirements and rules that we are bound by. We are trying to create an international standard that covers the bulk of things that organizations will have to consider when building a security management system for their industrial control system. By writing it in a way that matches up with ISO/IEC 2700x, we can better work with the structure that many organizations already have for their IT and show where there are similarities and differences.
The -2-1 standard will not be the only document we hope to publish on the subject. We hope to publish a companion technical report (currently planned as -2-2) that incorporates much of the guidance material that we had in the annexes from the first edition of -2-1.
We understand that not everyone will know how to actually build a program based on ISO/IEC 2700x. It's an extremely complex standard to understand and there are a lot of things that seem to relate but are in different parts of the document. We hope to help the reader understand how they would actually build a program using different parts that they may already have in order to manage their security risks better.
The work on this document has been slow and we are always looking for help. If you are passionate about this issue and would like to help out, please feel free to contact Eric Cosman or myself at ISA99chair at gmail.com. We can always use a new perspective on the topic.
On Fri, Nov 15, 2013 at 9:16 AM, Eric Cosman <eric.cosman at gmail.com> wrote:
Senior Investigator, Kenexis Consulting
jim.gilsinn at kenexis.com or jimgilsinn at gmail.com
Twitter - @jimgilsinn
LinkedIn - http://www.linkedin.com/in/jimgilsinn
Old cold warriors like me are not surprised by stories of accidents and incidents involving nuclear weapons but most of my students have no idea what that environment was like. In fact, other than those inducted into the Cult of The Atom, very few people living at the time had any idea of how close we came, on a number of occasions, to accidentally blowing ourselves up (while forgetting about those times we almost did so purposely....).
Recently, several stories about those good ol' days have resurfaced as a result of newly declassified documents. For example, the news making the rounds today is that the launch code on US weapons was 00000000 for 20 years - sort of like setting "password" as your password, except with a nuke.
This article led, in turn, to some new information on the Goldsboro, North Carolina incident in which, back in 1961, a B-52 broke up in mid-air, allowing a couple of 4 megaton M-39 nuclear weapons to fall out of the airplane. One of the bombs fell straight into a muddy field where it disintegrated more or less harmlessly on impact.
The second one, however, deployed its parachute and started going through its arming sequence. Why didn't it blow up? According to Parker Jones, the supervisor of the nuclear weapons safety department at Sandia National Laboratories (writing in 1969), "one simple, dynamo technology, low-voltage switch stood between the US and a major catastrophe!"
Curious about how much damage a 4 MT bomb would do? Here is an estimate courtesy of NUKEMAP. It includes both immediate damage and the resulting fallout. http://www.nuclearsecrecy.com/nukemap/?&kt=4000&lat=35.3848841&lng=-77.9927651&airburst=0&hob_ft=0&fallout=1&ff=55&rad_doses=1,10,100,1000&zm=8
What really impressed me, however, was the way the memo was written. There is no tiptoeing around the issue, no spin doctoring. Here is a senior scientist calling the nuclear weapons community out on improving safety. He does it directly, bluntly, and with no attempt to spare the readers' feelings. The Guardian, which published the declassified memo, doesn't allow me to embed the document but it is only 2 pages and worth reading in its entirety.
Keeping focus on improving the CERT community capabilities, ENISA has launched an extension to its training material and activities, offering now 29 different training scenarios on its website as well as conducting on-site trainings.
ENISA has always promoted the preparedness and capabilities of CERT specialists as a key factor in responding to cyber security incidents in the endless battle against the ever-growing number of threats and vulnerabilities. Continuous training, education and good communication skills are considered among the CERT community as a good practice for keeping skills up to date and extending teams' capabilities.
ENISA CERT Exercises and training material was introduced in 2008. In 2012 and 2013 it was complemented with new exercise scenarios, containing essential material for success in the CERT community and in the field of information security.
In light of the impending holiday season, we are taking a moment (or a blog post, as it is) to indulge in quiet reverie for all that is edible and delicious. And yes. You read correctly. SAM is publishing TS material! Don't worry. We aren't Wikileaks. Just humble listmakers bringing you the top ten most unexpected yet necessary ingredients for holiday (and everyday) cooking.
Stone ground mustard
Everyone has that one ingredient; the one thing they add to almost every dish they prepare. Mine is stone ground mustard. Inglehoffer is my brand of choice. Stone ground mustard makes just about anything better, from salad dressing to my heart-attack-Mac (fantastic baked macaroni and cheese recipe below). But mustard's capabilities do not stop there! Who knew there was a chic side to mustard? For an explanation of that statement, see the tarragon and carrot tart recipe.
Honey is the number one ingredient in salad dressing. Homemade salad dressing is one of those things that may seem intimidating, but any person with some olive oil and a spoon should be able to whip up in under 60 seconds. I guarantee that you already have the ingredients at home. See simple salad dressing recipe below.
Nutmeg is not an uncommon ingredient in pie. But it is an uncommon ingredient in fettuccine Alfredo. In fact, nutmeg is the top secret ingredient in all those delicious Italian cream sauces we know and love. Whether it's Gruyère, Parmesan, white wine or just plain cream sauce, it isn't complete without a dash of nutmeg. (Homemade Alfredo sauce is another seemingly intimidating recipe that is actually quite easy and perfected in under five minutes; see Alfredo sauce recipe below.)
Okay. I know what you're thinking. Vodka is the not-so-top-secret ingredient in martinis. But there is a certain method to the madness of putting vodka in your homemade holiday pie crusts. The vodka gives the crust added moisture; it makes it easier to work with. But alcohol quickly evaporates in the high temperatures of the oven leaving your pie crust alcohol-free.
This trick comes all the way from the ancient Maya. Put chocolate in your chili and chili in your chocolate. Being a history-of-cacao fanatic, ancient cacao remedies can be traced all the way back to before the Spanish conquest. The famous Mexican mole (moh-lay) sauce is based off the timeless mixture of chili and chocolate. Long story short, next time you make a pot of chili, throw in a Hershey bar or some cocoa powder.
This brings me to chili. Not chili the soup, but chili the pepper. Chili powder is the secret to that winter cup of hot cocoa. Some rich chocolate, a cinnamon stick and a dash of chili powder and that is what they call Mexican Hot Chocolate. Beyond hot cocoa, chili is the key ingredient in all things chocolate; sauces, truffles, fudge, etc. The darker the chocolate, the more chili appropriate.
Beyond answering the question, "when is beer not a good addition to food," I make the case that beer has a very special place in two particular culinary endeavors. The first is one I have already mentioned. Chili. The single best thing for a slow-cooking pot of chili is a bottle of beer (I personally like to use an amber). The second suggestion is a bit more surprising. Bread. Yep, there is such a thing as beer bread. The steam smells of hops and it's dense with a slightly sweet finish. The best part (other than the fact that it contains beer) is that it is extremely easy to make. Why? No kneading required. Also, no yeast! The beer contains the yeast the bread needs to rise, so the beer bread recipe is basically just beer and flour. It is also very flexible. Experiment with different kinds of beer (nothing too hoppy or it doesn't rise well), add herbs (rosemary is great) or add jalapeños for those who like a little spice.
This one might seem obvious, but is worth noting anyway. Cabernet (even cheap Cabernet - any red wine, really) makes a red sauce. It also makes sauteed mushrooms. So it really makes a sauteed mushroom red sauce! Add half a cup of white wine to your cream sauces and half a cup of red to your marinaras just when you turn off the stove about 10 minutes before serving, so the alcohol doesn't completely cook out of the sauce.
Sumac is the most top secret of all the secret ingredients listed in this post. It is so secret, you will never find it in your local grocery store, but it is well worth the hunt. Typical of Turkish or Greek food, it is a staple spice in Middle Eastern cooking, especially Lebanese cuisine. Dark red or dark purple in color, sumac has a dry, tannic almost burnt flavor, pairing well with paprika or cayenne. Use it in a rub for chicken, sprinkled over a simple yogurt or tzatziki sauce or with anything paired with feta cheese for an authentic Mediterranean flavor.
The final secret ingredient is no stranger to the American palate. Cinnamon is quite common, especially sprinkled on top of a cappuccino or mixed in the filling of a warm apple pie. As it turns out, the secret to putting cinnamon in coffee is when you put the cinnamon in the coffee. Just after pouring your fresh grounds into the coffee filter, sprinkle cinnamon over the top before brewing. This will accomplish two things: 1. Give your coffee a subtle yet unmistakable hint of cinnamon and 2. Make your house or apartment smell amazing!
Now, as promised, here are the recipes:
Baked Mac-and-Cheese (Heart-attack-Mac)
1 cup cottage cheese
1/2 cup sour cream
2 cups sharp cheddar cheese (plus 1/2 cup more for topping)
Elbow noodle pasta
1 tablespoon stone ground mustard
Blend cottage cheese, sour cream, mustard and salt together in blender until smooth. Cook pasta and strain. While pasta is still hot, pour cheese mixture over top, adding cheddar cheese and tossing until thoroughly coated. Place mixture in baking pan, top with the extra 1/2 cup of cheddar cheese and black pepper. Bake in oven at 350 for about 20 - 30 minutes, or until edges just start to brown. Remove from oven and let sit for approx. 20 minutes before serving.
Simple Salad Dressing
Mix the following ingredients together in no particular order (can be made in advance):
4 tablespoons extra virgin olive oil (quality olive oil is key)
2 tablespoons balsamic vinegar
The juice from half a lemon
2 teaspoons stone ground mustard
2 teaspoons honey
Fresh ground black pepper
Pinch of salt
2 teaspoons dried thyme
For sweet salads containing spinach, mushrooms, pears, Gorgonzola cheese or walnuts, increase honey and mustard, decrease lemon and vinegar. For tangier salads containing chicken, dried cranberries, green apples, pecans or feta, de-emphasize the honey and mustard.
Homemade Alfredo Sauce
1 cup heavy cream
1 stick unsalted butter, cut into pieces
1 cup finely grated Parmesan cheese
1 teaspoon nutmeg
2 teaspoons paprika or cayenne
2 cloves garlic, minced
5 - 7 large brown mushrooms, sauteed (with Cabernet or sherry)
1/4 cup finely chopped parsley
Freshly ground black pepper
Sauté mushrooms and garlic together. Set aside. Heat cream over medium heat in a saucepan on the stove until steaming, but do not bring to a boil. Turn off the heat, but leave the saucepan on the stove. Add butter and stir until melted. Add cheese and stir until melted. Throw in spices, parsley and mushrooms, stir lightly and pour over warm, fresh pasta.
In a world where the majority of analysts are bi- if not multi-lingual, the question of how language affects both the analytic process and analytic product is an important one. Emotion, language processing and cognitive biases aside, the intriguing question remains: Would you make the same decision in English as you would in, say, Chinese? Most analysts would likely answer yes to this question, but recent research led by Boaz Keysar out of the University of Chicago suggests otherwise.
The study, published in Psychological Science, concludes that “people are not as loss averse in a foreign language as they are in their native tongue.” Being less loss averse, that is more willing to take on risk, might sound like a dangerous characteristic to possess from an intel analyst’s perspective. In this case, however, being less risk averse means that people more systematically assessed the problem and came to a more rational conclusion. At the root of this finding is the conclusion that “people rely more on systematic processes…when making decisions in a foreign language.” Regardless of how accepting of risk we are as analysts, the ability to make decisions driven more by rational thought and less by emotion is a capability to which every analyst likely aspires.
In three studies, Keysar showed that while participants made different decisions based on how the problem was framed (as more or less risky), they made the same decision for both risk conditions when using their foreign language. The three groups of participants had English as a first language and Japanese as a second, Korean as a first language and English as a second, or English as a first language and French as a second, indicating that this effect is replicable within and across language family boundaries.
So why, then, do we make more rational, less biased decisions in our second language than in our first? It largely has to do with the lack of “emotional resonance” that we derive from foreign language text. Literature on second language acquisition unanimously agrees that people perceive messages delivered in their second language as less emotional (and consequently less impactful) than messages delivered in their first language; this concept applies to everything from political opinion to curse words.
How we perceive emotion then ties directly to our internal cognitive processes. According to Daniel Kahneman, the most widely respected authority on these internal processes, we have two broad systems of thinking – System 1 and System 2 thinking. System 1 is automatic (and often times uncontrollable) while System 2 is more deliberate and rational. Think of System 1 as the mechanism driving impulse buys and split second decisions, whereas System 2 is more like making a grocery list in advance. Cognitive biases, or internal heuristics (shortcuts) that influence both our analytic process and analytic product, originate in System 1 thinking. Examples of cognitive biases particularly relevant to intelligence analysis are confirmation bias, anchoring bias and the framing effect (addressed directly in Keysar’s article).
Cognitive biases originate in System 1 thinking along with our gut instincts, emotional reactions and a less credible substantiation for intelligence analysis, intuition. Consequently, it makes sense to pursue analysis derived from System 2 processes as it will likely be less biased, more rational and more systematically attained. The argument here is that conducting analysis within the domain of a second, third or fourth language will lead to an increased reliance on System 2 processes, thereby reducing bias and ultimately resulting in more systematically derived analysis. The results of Keysar's study, while still relatively new, support this perspective.
In practice, with bilingualism now practically a pre-requisite for analysis work, the benefit of this argument to intelligence analysts is obvious (coupled with the other known benefits of bilingualism). The traditional view is that an analyst is at an automatic disadvantage when operating in a non-native linguistic domain to conduct analysis, fearing the loss of meaning and context. The argument in this article, however, sheds new light on the quality of the analytic product obtained in a non-native language. Would you make the same decision in English as you would in, say, Chinese? The answer is that you might not, and your Chinese decision just might be more impartial.
Keysar, B., & Hayakawa, S. L. (2012). The Foreign-Language Effect: Thinking in a Foreign Tongue Reduces Decision Biases. Psychological Science, 23, 661-668.
Kahneman, D., & Tversky, A. (1979). Prospect theory: An analysis of decision under risk. Econometrica, 47(2), 263-292. The bias phenomenon Keysar's article claims to neutralize is what Kahneman and Tversky call the Framing Effect, and is one of the many known cognitive biases to affect intelligence analysis.
Emotion and Lying in a Non-Native Language (2009). International Journal of Psychophysiology, 71, 193-204.
Puntoni, S., Langhe, B. D., & Van Osselaer, S. M. J. (2009). Bilingualism and the Emotional Intensity of Advertising Language. Journal of Consumer Research, 35(6), 1012-1025.
Kahneman, D., & Frederick, S. (2002). Representativeness Revisited: Attribute Substitution in Intuitive Judgment. Heuristics and Biases: The Psychology of Intuitive Judgment, 49-81.
Bialystok, E. (2011). Reshaping the mind: The benefits of bilingualism. Canadian Journal of Experimental Psychology, 65(4), 229-235. Though there are many studies that demonstrate the known benefits of bilingualism, this is a recent article that reviews many of these previous articles.