El Diario del CISO (The CISO Journal) Edition 24 | Page 4

Influencers

Isiah Jones, MPS, CISSP, GICSP, C|CISO, VP, Global ICS Security Service Delivery
Security Practices for IEC 61131-3 PLC Programming Languages, Part 3: FBD

Within the industrial control systems (ICS), automation, operational technology (OT), cyber-physical systems (CPS), industrial internet of things (IIoT) and instrumentation communities, many of the devices with some form of computing and logic capability rely on 5 primary programming languages specific to programmable logic controllers (PLCs). IEC 61131-3 defines them as Sequential Function Chart (SFC), Ladder Diagram, also known as Ladder Logic (LD), Function Block Diagram (FBD), Instruction List (IL) and Structured Text (ST). In the IT community, OWASP, NIST, SANS, CMMI, ISC2 and EC-Council, among others, have already created secure coding and secure development guidelines, best practices, testing tools and tips for higher-level languages such as C, C++, Java, Python, JSON, HTML, XML, SQL and others. Some could argue that Structured Text includes several of these high-level languages. However, international standards organizations and industry experts have so far paid little attention to implementing security within the other 4 PLC-focused languages used in ICS. As a result, we wanted to share our recommendations for each of the IEC 61131-3 PLC languages in a 5-part blog series and an aggregated white paper. Part 1 of the series focused on Sequential Function Chart (SFC) and part 2 on Ladder Diagram or Ladder Logic (LD). Here in part 3 we focus on Function Block Diagram (FBD).

The complete article is here

Caitlin Durkovich, Futurist and infrastructure security expert
Security by Design: Creating the Critical Infrastructure of the Future

We are regularly asked about the biggest risks to critical infrastructure. Recent news headlines blare concern about Russians infiltrating US utility control rooms, child hackers laying waste to voting machines, bridge collapses that serve as a reminder of crumbling infrastructure worldwide, and extreme weather that is exacerbating a taxed, highly interdependent and increasingly fragile infrastructure ecosystem. I subscribe to the 2013 National Infrastructure Protection Plan’s characterization of risk, which refers to the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood [a function of threats and vulnerabilities] and the associated consequences.” I also subscribe to the notion that security and resilience are strengthened through risk management.

The complete article is here

Paul Stewart, Security Tester at 'Confidential'
What You Really Need for Pentesting

I've been a pentester for about a year and a half now. I've been very quiet lately, since my last post about OSCP, but at that time it was all I knew. PWK/OSCP was my life, and I gave up a lot to do it. Working as a pentester is a very different thing from training to be one. I wanted to shed a little light on what you really need to be a competent pentester.

Networking

A wise man once said to me, "Doing the test isn't the issue, getting to the thing you need to test is."

The complete article is here