BLOG
November 23, 2021
Data Privacy, Data Security, Vol. III 2
Browser hardening
There are many layers at which you can improve your security and privacy. Besides the operating system and its settings and the application layer, the next important layer is the browser you use. Browsers are a window into the users’ minds and a possible entry point into their system (computer). That’s why it is important to take care of the privacy and security settings of the browser you use.
Read more
Data Privacy, Data Security, Vol. III
16.11.2021
Privacy & Security improvement tips for Windows users (and many others)
1. Password
Use a strong password, something easy to remember but difficult to hack. There are a few good concepts around, such as using three random words or a passphrase – for example Edward Snowden’s ‘MargaretThatcheris110%Sexy’.
2. Offline account
Use an offline account for Windows rather than using a Microsoft account.
3. Disable public access
Disable public access for notifications and voice assistance on your lock screen.
More
The Top 20 Secure PLC Coding Practices. Part 9 – Validate HMI input variables at the PLC level, not only at HMI
10.11.2021
HMI access to PLC variables can (and should) be restricted to a valid operational value range at the HMI, but further cross-checks in the PLC should be added to prevent, or alert on, values outside of the acceptable ranges which are programmed into the HMI.
Security Objective: Integrity of PLC variables
Target Group: Product Supplier; Integration / Maintenance Service Provider
Guidance: Input validation could include out-of-bounds checks for valid operational values as well as valid values in terms of data types that are relative to the process.
More
Data Privacy, Data Security, Vol. II
08.11.2021
Data security is all the things you do and solutions you implement to protect digital information from unauthorised access, corruption, or theft throughout its entire lifecycle. I am sure the reader is well aware of the various basic data protection tools available starting with backing up the data, through secure passwords, 2FA, patching, before moving on to the more sophisticated level of infrastructure hardening, network segmentation, and the implementation of Zero Trust Architecture and the Principle of Least Privilege and raising staff awareness.
More
The Top 20 Secure PLC Coding Practices. Part 8 – Validate and alert for paired inputs / outputs
03.11.2021
If you have paired signals, ensure that both signals are not asserted together. Alarm the operator when input / output states occur that are physically not feasible. Consider making paired signals independent or adding delay timers when toggling outputs could be damaging to actuators.
Security Objective: Integrity of PLC variables; Resilience
Target Group: Product Supplier; Integration / Maintenance Service Provider
Guidance: Paired inputs or outputs are those that physically cannot happen at the same time; they are mutually exclusive.
More
The Top 20 Secure PLC Coding Practices. Part 7 – Validate timers and counters
28.10.2021
If timer and counter values are written to the PLC program, they should be validated by the PLC for reasonableness, and backward counts below zero should be checked for.
Security Objective: Integrity of PLC variables
Target Group: Integration / Maintenance Service Provider; Asset Owner
Guidance: Timers and counters can technically be preset to any value. Therefore, the valid range for presetting a timer or counter needs to be restricted to meet the operational requirements.
More
Small Business Cyber Security Response and Recovery. Part VI – Learn from the incident
26.10.2021
How to prepare for a cyber incident, from response through to recovery
Part 6 – Learn from the incident
Once the incident has been resolved it is important to review what has happened, learn from any mistakes, and update key information, controls & processes. It is also a good time to strengthen staff awareness through training & workshops in order to develop your staff’s security culture.
Review actions taken during response
Gather and analyse the actions you took while dealing with the incident.
More
The Top 20 Secure PLC Coding Practices. Part 6 – Use cryptographic and / or checksum integrity checks for PLC code
21.10.2021
Use cryptographic hashes, or checksums if cryptographic hashes are unavailable, to check PLC code integrity and raise an alarm when they change.
Security Objective: Integrity of PLC Logic
Target Group: Product Supplier; Integration / Maintenance Service Provider; Asset Owner
Guidance: A) Checksums. Where (cryptographic) hashes are not feasible, checksums may be an option. Some PLCs generate a unique checksum when code is downloaded into the PLC hardware. The checksum should be documented by the manufacturer/integrator after SAT and be part of the warranty / service conditions.
More
Small Business Cyber Security Response and Recovery. Part V – Report the incident to the wider stakeholders
18.10.2021
How to prepare for a cyber incident, from response through to recovery
Part 5 – Report the incident to the wider stakeholders
After the cyber security incident has been resolved, the next step is to report its particulars to the relevant internal and external stakeholders. To help you with the reporting process, answer these key questions:
What are our reporting requirements?
Each business will have its own reporting procedures outlined in its Incident Response Plan (or at least such a plan should have a section dedicated to it), which will detail
More
The Top 20 Secure PLC Coding Practices. Part 5 – Use PLC flags as integrity checks
13.10.2021
Put counters on PLC error flags to capture any math problems.
Security Objective: Integrity of PLC Logic
Target Group: Product Supplier; Integration / Maintenance Service Provider
Guidance: If the PLC code was working fine but suddenly does a divide by zero, investigate. If something is communicating peer to peer from another PLC and the function/logic does a divide by zero when it wasn’t expected, investigate. Most programmers will ignore the issue as a math error or, worse yet, presume their code is perfect and let the PLC enter a hard fault state.
More