Posts

Showing posts from April, 2016

Industrial information security awareness

Having dusted off an old security awareness module on SCADA/ICS, we reviewed it to see what needed updating for May. It soon became clear that things have changed significantly in this area in the past seven years, hence we ended up re-scoping and re-writing the entire module. This time around we’ve broadened our perspective to cover all sorts of industrial IT systems and networks (including but going well beyond SCADA/ICS) and picked up on the issues relating to protecting critical national and corporate infrastructures. There are important lessons to be learned from industrial incidents such as Fukushima, including the cascading failures that turned a Japanese disaster in 2011 into a global incident lasting much longer. [I’m currently enjoying “The Power of Resilience: How the Best Companies Manage the Unexpected”, a fascinating book by Yossi Sheffi that uses the Sendai tsunami and other examples to illustrate business supply chain resilience. Recommended reading.] We ...

Government sends Australia down the cybersecurity rabbit-hole

The Australian government's new 67-page cyber security strategy sets out to address "the dual challenges of the digital age—advancing and protecting [Australia's] interests online". Its incomplete and arguably half-baked definitions of a few cyber terms, along with the thrust of the entire strategy and a lot of the rhetoric, indicate that the Australian government considers Australia to be under attack from [foreign] actors, i.e. competent and scary [foreign] adversaries intent on causing grave economic and social damage on a national scale to Australia through the Internet [specifically]. Despite the earlier mention of advancing Australia's interests in a positive sense, the strategy is overwhelmingly defensive/protective in nature, the main thrusts being: dispensing advice on "cybersecurity", which appears to mean either old-fashioned IT/network/data security or new-fangled Internet/online security. Either way, it's evidently not information risk...

Eternal passwords

Thanks to a tip-off from a colleague on CISSPforum, I've been reading advice just published by CESG (one of several spooky UK government outfits) concerning fixed password lifetimes. In short, the official advice is to make passwords eternal, i.e. non-expiring. Encourage and make it easy for users to change their passwords if they feel their current passwords are weak or may have been compromised (e.g. shared, guessed, stolen in transit or hacked from storage), but don't force them to change their passwords simply because "it's time". "It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis." Having long advised clients against enforced password lifetimes, I challenge the assertion that it is perfectly sensibl...