El Diario del CISO (The CISO Journal) Edition 24 | Page 4
Influencers
Isiah Jones
MPS, CISSP, GICSP, C|CISO, VP, Global ICS Security Service Delivery
SECURITY PRACTICES FOR IEC 61131-3 PLC PROGRAMMING LANGUAGES PART 3: FBD
Within the industrial control systems (ICS), automation, operational technology (OT), cyber-physical systems (CPS), industrial internet of things (IIoT) and instrumentation communities, many of the devices with some form of computing and logical capability rely on five primary programming languages specific to programmable logic controllers (PLCs). These are defined in IEC 61131-3 as Sequential Function Chart (SFC), Ladder Diagram, also known as Ladder Logic (LD), Function Block Diagram (FBD), Instruction List (IL) and Structured Text (ST). In the IT community, OWASP, NIST, SANS, CMMI, ISC2 and EC-Council, among others, have already created secure coding and secure development guidelines, best practices, testing tools and tips for higher-level languages such as C, C++, Java, Python, JSON, HTML, XML, SQL and others. Some could argue that Structured Text includes several of these high-level languages. However, international standards organizations and industry experts have not focused much on implementing security within the other four primary PLC-focused languages used in ICS. As a result, we wanted to share some of our recommendations for each of the IEC 61131-3 PLC languages in a five-part blog series and an aggregated white paper. In part 1 of our series we focused on Sequential Function Chart (SFC), and in part 2 we focused on Ladder Diagram, or Ladder Logic (LD). Here in part 3 we will focus on Function Block Diagram (FBD).
The complete article is here
Caitlin Durkovich
Futurist and infrastructure security expert
Security by Design: Creating the Critical Infrastructure of the Future
We are regularly asked about the biggest risks to critical infrastructure. Recent news headlines blare concern about Russians infiltrating US utility control rooms, child hackers laying waste to voting machines, bridge collapses that serve as a reminder of crumbling infrastructure worldwide, and extreme weather that is exacerbating a taxed, highly interdependent and increasingly fragile infrastructure ecosystem.
I subscribe to the 2013 National Infrastructure Protection Plan’s characterization of risk, which refers to the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood [a function of threats and vulnerabilities] and the associated consequences.” I also subscribe to the notion that security and resilience are strengthened through risk management.
The complete article is here
Paul Stewart
Security Tester at 'Confidential'
What you really need for Pentesting
I've been a pentester for about a year and a half now. I've been very quiet lately, since my last post about OSCP, but at that time it was all I knew. PWK/OSCP was my life, and I gave up a lot to do it. Working as a pentester is a very different thing to training to be one. I wanted to shed a little light on what you really need to be a competent pentester.
Networking
A wise man once said to me, "Doing the test isn't the issue, getting to the thing you need to test is."
The complete article is here