WCW24

This presentation is an updated version of a briefing Waterfall has provided to a dozen government agencies to date, in Canada, the USA and around the world. We start with the Waterfall Threat Report, the most conservative and incontrovertible OT security incident report on the planet. In spite of its conservatism, the 2023 report shows exponential growth in cyber attacks that impair physical operations, including in the water sector. The 2024 edition is scheduled to release in April of 2024. In this briefing, Rees Machtemes will include a preview of the data and conclusions of the 2024 report-in-progress. The presentation then shifts gears from problem to solution, presenting an overview of the US DOE's initiative at Idaho National Laboratory, developing a Cyber Informed Engineering (CIE) body of knowledge. In layman's terms, CIE positions managing cyber risk to critical infrastructures as "a coin with two sides." One "side" is cybersecurity - teach engineering teams about cyber risks and cybersecurity mitigations - nothing new here. The other "side" is engineering - use powerful engineering tools, such as mechanical overpressure-relief valves and manual operations fallbacks to take entire classes of cyber risk off the table. These tools do not exist in IEC 62443, ISO 27001 or other cybersecurity guidance, the tools are powerful methods of addressing cyber risk, and they need to start being applied much more universally and systematically than they are today. We finish the presentation with an introduction to network engineering from Andrew's new book "Engineering-Grade OT Security: A manager's guide." The book "flies high and slow," introducing in a story-telling style important OT, risk, cybersecurity and engineering concepts that today's business decision-makers need in order to fulfill their due-care responsibilities to their stakeholders and to the public. Network engineering is positioned as living at the boundary between engineering and cybersecurity bodies of knowledge, deterministically protecting reliable operations as well as protecting safe operations in the face of nation-state-grade ransomware and other cyber threats. Free copies of the new book will be available to conference participants, courtesy of Waterfall Security Solutions.