cmplid

10 CFR 73.54

NITSL Conference Herf

Join cmplid:// and Sheffield Scientific for the 1st Annual Herf after Vendor Night at the NITSL Conference. July 19th 2017 at 9:45 PM at The Occidental Cigar Club in San Francisco. We a have a box of My Father Le Bijoux 1922 Toro cigars. Reserve your stick at the cmplid:// booth (#40) in the vendor hall Wednesday between 5:00 PM and 8:00 PM!

 » Read more about: NITSL Conference Herf  »

Read More »

The cmplid:// methodology and other ways of assessing security

cmplid:// is designed to support a very specific methodology of security analysis.  The method is resource-based, attribute-information, and objective-supporting.  Each of these aspects of the method provides increased  efficiency or increased effectiveness in the management of a security program.  However, the basic method is extremely flexible and allows organizations to implement their program in a manner that makes most sense to them.

To explain this a bit more fully, let’s compare the traditional approach for Nuclear Cyber Security programs based on NEI 08-09 (All controls must be addressed for all CDAs),

 » Read more about: The cmplid:// methodology and other ways of assessing security  »

Read More »

New Logic Visualization Feature in cmplid://

We have just released a new set of features in cmplid:// designed to assist users with better understanding the control application logic their cyber security programs implement.  One of those features is the visualization of the logic network configured within cmplid://.  This image shows a very high-level view of the Attributes and their values relevant to a nuclear cyber security program implementing NEI 08-09 or NRC RG 5.71.  This type of visualization can be extremely helpful throughout the plant modification process,

 » Read more about: New Logic Visualization Feature in cmplid://  »

Read More »

Vulnerability Management when you just can’t patch

Richard Dahl, founder and ceo of cmplid:// will be speaking at the ICS JWG Spring Meeting in Minneapolis April 11th – 13th. Stop by our booth and say hello if you’re attending.

Presentation Description:

Vulnerability Management is a difficult function in general, however, for Operational Technology environments, e.g., industrial control systems,
SCADA systems, IoT or other non-traditional technology managers, it is extremely problematic.
Generally, vulnerabilities can be classified as either those resulting from source-code errors or configuration issues within a software package.

 » Read more about: Vulnerability Management when you just can’t patch  »

Read More »

Presentation at ICS JWG Fall Conference

Richard Dahl, cmplid://’s CEO will be speaking at the ICS JWG Fall Conference September 13-15 in Ft. Lauderdale, FL.

A Simplified Approach to Implementing the NIST CSF within Operational Technologies

The NIST Framework for Improving Critical Infrastructure provides guidance for many industries for securing Information Technology (IT) and Operational Technology (OT) systems supporting critical functions and processes.  Use of the framework provides system owners with a view of deployed security postures and technical outcomes desired that can be used to manage cyber security risks. 

 » Read more about: Presentation at ICS JWG Fall Conference  »

Read More »

Fixing RG 5.71/NEI 08-09

At the NITSL conference last week in Charlotte I had a great discussion with some really smart people from a US Nuclear Licensee.  They were all former colleagues of mine from my past life as a consultant.  One of them asked the group of us what we would do to improve or replace NEI 08-09 in order to make the cyber security program for nuclear power plants sustainable.

I love the challenge of the question but feel that in order to answer it,

 » Read more about: Fixing RG 5.71/NEI 08-09  »

Read More »

NITSL 2016

cmplid:// will be at NITSL in Charlotte July 18-21.  Come check us out Wednesday night for your chance to win a Bowers & Wilkins T7 bluetooth speaker.  Sounds Amazing!  We will of course, be providing live demos of the best security management automation solution known to man.

151326-powerpoint-slide-final

 » Read more about: NITSL 2016  »

Read More »

Tilting at Windmills

My last few blog posts (here, here and here) have been critical of the state of the Cyber Security Program being implemented at US nuclear plants. I realize that, it was my intention.  There are opportunities for improvement as I have said.  I believe that the Nuclear Cyber Security issues I have critiqued are due to the inexperience and steep learning curve faced by the NRC and the nuclear power industry at the beginning of this initiative and I am sure that “if they had known then…”

 » Read more about: Tilting at Windmills  »

Read More »

Mistakes in the development of RG 5.71/NEI 08-09

Mistakes happen to all humans in all endeavors.  The purpose of this post is NOT to criticize or shame anyone, but rather to point out some opportunities for improving NEI 08-09 Rev 7.  The current version of that document (the basis for the Cyber Security Plans at nuclear licensees in the US) has a number of issues.  I spoke about the overall issues here and in my previous post I spoke about specific controls included that provide no value. 

 » Read more about: Mistakes in the development of RG 5.71/NEI 08-09  »

Read More »

Examples of Unnecessary RG 5.71/NEI 08-09 Controls

In my previous post I expressed my opinion that the Nuclear Cyber Security Plans at US licensees have some deficiencies.  In this post I want to talk about a couple of examples of the unnecessary controls within RG 5.71 and NEI 08-09.  These controls, and perhaps others, should be removed from the next revision of NEI 08-09, as it should be obvious they are not necessary to protect SSEP functionality at any nuclear plant.

D 2.10 Non-Repudiation: This technical cyber security control ensures the protection of CDAs and audit records against an individual falsely denying they performed a particular action.

 » Read more about: Examples of Unnecessary RG 5.71/NEI 08-09 Controls  »

Read More »