Metrics: How Effective Is A Security Control?
How much does a security control reduce cyber risk? What control or mix of controls provides the most efficient cyber risk reduction? Tough questions that a team of researchers at INL and Sandia tried to answer in a project. Two of the researchers, Jay Johnson of Sandia and Jake Gentle of INL, join Dale on the show to talk about the metrics and results. The project was Cyber Resilience for Wind Installations, but the metrics and results are applicable to every sector.
We get into the weeds on this episode and discuss:
• how they created the test environment
• the two attack scenarios (and why only two and how easy it would be to expand)
• the physical resilience score
• the cyber resilience score
• the results from four different mixes of security controls
• areas for further testing and improvement
• and a tiny bit about trying to calculate an Expected Benefit from Cybersecurity Investment, which is a bit like ROI and how much money to spend.
Links
• Video: https://www.youtube.com/watch?v=bBLbLUFKzIc
• IEEE Access Journal Paper: https://ieeexplore.ieee.org/document/10043706
• POWER magazine article: https://www.powermag.com/cyber-resilience-for-wind-power-installations/
• 2-page flyer: https://www.researchgate.net/publication/367074443_Cyber_Resilience_for_Wind_Installations_A_Cyber_Resilient_Reference_Architecture
• Final project report: https://www.researchgate.net/publication/368599508_Hardening_Wind_Energy_Systems_from_Cyber_Threats-Final_Project_Report
S4x23 Closing Panel
Ralph Langner, Megan Samford and Zach Tudor join Dale Peterson on the S4 Main Stage to close out S4x23. This Closing Panel is always an attendee favorite as none of these four are afraid to take a strong and even unconventional stance on an OT security topic or issue.
Puesh Kumar, Director of CESER at US Dept of Energy
Dale Peterson interviews CESER Director Puesh Kumar on the S4x23 Main Stage. We discuss a number of CESER programs, how they are measuring success, what has not worked, why they are doing some things industry is already doing, and more.
• 5:30 Where is the CESER CRISP program (detection and information sharing) today? Has it stopped or reduced the impact (outages and others) of cyber attacks on the electric sector? How will they measure the success of this program?
• 10:40 What has CESER tried, thought would work, and ended up failing?
• 14:05 CESER's CyTRICS program is testing vendor equipment. Why? Do GE and Hitachi need help? And the results have been trivial vulnerabilities that could be found in hours. Why is CESER spending millions on this?
• 19:25 Is Cyber Informed Engineering (CIE) the same as Secure By Design? This is a long process; what will the early wins look like? Two years from now, how will we know if we are succeeding? Maintaining a manual capability dominated the examples in the document; why hasn't this been highlighted in the program? How can we accelerate this?
• 25:20 Clean Energy Cyber Accelerator is looking at solutions (OT detection and MFA remote access to OT) that are well established with vendor offerings and asset owner deployments. Why is CECA doing this, and what is it trying to accomplish?
Chris Blask: Cybersecurity Pioneer and Idea Man
Chris Blask has a long career bringing new ideas to reality. He is currently Vice President of Strategy at Cybeats, which has an SBOM Studio product. Cybeats is different in that SBOM Studio does not create SBOMs. This requires SBOMs to be available from somewhere, and Dale & Chris spend a lot of the podcast talking about the SBOM market today and in the future.
• What percentage of the OT software solutions have SBOMs today? What will that number be in three years, five years, seven years?
• When will the top 10% of asset owners be able to get value worth the effort from SBOMs and related tools and information?
• What will the SBOM marketplace look like?
• the DBOM.io project
Of course, being Dale and Chris, they deviate into a lot of other topics, such as Chris's quotes:
• “Security comes through transparency and automation”
• “2020, this is the last decade of cybersecurity”
• “the last decade when entirely new fields will be discovered”
I think we have covered the field.
Edgard from Nozomi (Part 2)
The August 2021 Unsolicited Response episode with Edgard Capdevielle, CEO of Nozomi Networks, was a fan favorite. So Dale invited Edgard back, and like the first time it was a wide-ranging and fun conversation. His budget analogy of OT security and a new child in the family was Dale's favorite part. They cover a lot of ground, including:
• the OT visibility and detection market growth in the last two years
• whether he stands by his 2021 view that a company that does "X, Y, Z and OT security" doesn't really do OT security
• how much of the back end (non-sensor) part of the market is moving to the cloud now, and what it will be in three years, plus some disagreements / discussion on architecture
• budget muscle and momentum
• what sort of metrics an asset owner should use to determine the value of these OT visibility and detection solutions
• how the US Government is affecting the market
Enjoy!
Dale Peterson interviews the innovators in ICS / SCADA cyber security as well as the top talent in related fields. It is the podcast for those who want more information similar to what is presented at the annual S4 event each January in Miami South Beach.