About
I have a unique background in OT cybersecurity over the last 22 years. At my core is a…
Activity
-
Great work Donovan Tindill and DeNexus. I will add a little add-on flavor to how real this is. Cyolo's, SI and Reseller partners engaged us on 308…
Liked by Donovan Tindill
-
🚨 92% of Industrial Sites at Risk from Unsecured Remote Services DeNexus' latest report and analysis quantifies the cyber risks associated with…
Liked by Donovan Tindill
-
I invite others to join me at the next ICS Security Symposium hosted by Public Safety Canada | Sécurité publique Canada focused on OT cybersecurity…
Shared by Donovan Tindill
Experience
Education
Licenses & Certifications
-
Pragmatic Marketing Certification Level IV (PMC-IV for Focus, Market, Launch, Price)
Pragmatic Institute
Evaluating Your Organization’s Readiness for NERC Compliance Audit
Sponsored by Western Electric Coordinating Council (WECC) and delivered by Baker Tilly International
Global Industrial Cyber Security Professional (GICSP)
SANS Global Information Assurance Certification (GIAC)
Certified Information Systems Security Professional (CISSP)
ISC2 (International Information Systems Security Certification Consortium)
-
Alberta Reliability Standards (ARS) for Critical Infrastructure Protection (CIP) Version 5
Sponsored by Alberta Electric System Operator (AESO) and delivered by Network Security Technologies
-
DHS CSSP Control Systems Cyber Security 5-day Advanced Training (301)
Hosted by Idaho National Labs (INL) at the Control Systems Analysis Center in Idaho Falls, ID to attack/defend real industrial control systems.
Publications
-
Conference Presentation: What’s Missing in Our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap
ICSJWG Spring Meeting, Scottsdale, AZ
ICS security professionals and experts have a large number of security standards and guidance to reference in the development of their ICS security program (e.g., ISO 27000, IEC/ISA 62443, NIST CSF, COBIT). The challenge is selecting a standard and then trying to apply it to a control systems environment at a single site or across a fleet of facilities and systems. This presentation begins by describing the traditional ‘assessment-based’ approach to ICS security, its weaknesses, and how it will struggle to “get ahead” of the problems that lead to insecure ICS. The next topic is sharing a cyber security framework that builds upon existing technical frameworks (e.g., 62443-3-3 security levels), maturity models (e.g., CMMI, MIL), and procedural frameworks (e.g., NIST CSF, 62443-2-1). Using examples, this framework is then used to benchmark the ‘current state’ of any asset owner’s ICS security program, the target state, and how to lay out a roadmap to achieve it.
-
Conference Presentation: 'Profiling' an ICS Security Program
ISA Edmonton Automation Expo & Conference (AEC)
What’s Missing in our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap Leveraging 62443, NIST CSF, and a maturity model.
-
Conference Presentation: 'Profiling' an ICS Security Program
Public Safety Canada ICS Security Workshop
What’s Missing in our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap Leveraging 62443, NIST CSF, and a maturity model.
-
ISA-TR62443-2-3-2015, Security for industrial automation and control systems Part 2-3: Patch management in the IACS environment
International Society of Automation (ISA) and International Electrotechnical Commission (IEC)
In 2008, I was consulting with a customer on control systems patch management for CIP compliance. At the time, there was no guidance available on how to set up or perform patching on mission critical control systems, and I proceeded to develop a program for my customers. After little progress in ISA and others, in 2010 I volunteered into a leadership role with ISA and documented all of the lessons learned and guidance for control systems patch management. Due to my contributions and leadership, the co-chairs Florian and Bill nominated me to co-chair alongside them. After 4 long years, this technical report is officially published and available for all industrial asset owners and vendors to learn from.
Other authors · See publication
-
Presentation: Lessons Learned from the Field - Active Directory in Control Systems
DigitalBond S4 2015
Many control systems don’t have domains or leverage them only for user authentication. They are intended to help centralize the maintenance and management of a large group of member computers, as well as huge productivity gains for administration, implementing change, and consistency. This session will cover lessons learned of Active Directory domains and their use with control systems, from someone who deals only with control system environments. What works, what to avoid, guidance on how to plan & implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory, it is intended for those that have familiarity with Active Directory, its purpose, basic administration and group policy management.
-
Presentation: Adapting Safety Strategies to your ICS Cyber Security Program
ICS Cyber Security Conference 2014, SecurityWeek
Health, safety, and environment (HSE) programs are deeply ingrained in every organization and industrial site we work with. The benefits of HSE programs are reduced injuries, reduced lost time incidents, and reduced liability and insurance costs as a result. Safety programs have a long history of statistical evidence showing how different types of documented unsafe work conditions, near misses, and incidents have been reduced through training, reinforcement, and controls. Each safety program is a continuous cycle, with each year building upon the good practices of the last and working towards zero incidents. The subject of cyber security for industrial control systems (ICS) does not have the benefit of decades of statistics, legislation, training, and budgets to build on, but it is as important as its conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets is strangely neglected in many organizations.
This presentation identifies the linkages, statistics, history, and effectiveness of health & safety with security & reliability. It will cover the effective strategies in a safety program that can be applied to increase the effectiveness of an ICS cyber security program.
-
Presentation: Leveraging DCS Modernization for Cyber Security
Honeywell Users Group 2014, San Antonio
This presentation is the result of a multi-year project for DCS modernization that was expanded to also address cyber security requirements. Anyone planning to upgrade their control system must also include security at the same time. The presentation provides guidance on how to get management approval, describes the consultative project approach, technical challenges, network filtering, user account management, and lastly the long-term benefits. This was presented at Honeywell Users Group and co-presented with Customer personnel from both their DCS Controls and IT Security groups.
-
Paper: Identifying CIP Version 5 Assets in Generation
Power Magazine
The latest version of Critical Infrastructure Protection standards applies to different facilities and assets than previous versions, so the first, critical step in compliance is to determine which facilities and assets are subject to the new standards.
Other authors · See publication
-
Cyber Security Blog: InSecurity.honeywellprocess.com
Honeywell
Follow the link to Honeywell InSecurity blog to a collection of those articles that I have written. I recommend:
"Importance of People-Process-Technology to Cyber Security Effectiveness",
"Rating Risk is Not the Same as Risk Management",
"ISA99 Patch Management Update",
and results of my research on "How Can I Reduce Staffing for Compliance?"
-
Contribution: ISA-62443-1-1 Clause 7 "Security Essentials"
International Society of Automation (ISA)
As part of my participation in ISA99/IEC62443 I presented a proposal to the committee on how we should adopt the security concepts of people, processes, and technology into the ISA-62443-1-1 Terminology, Concepts and Models document. To establish a mature and robust cyber security program requires that attention and resources are devoted to the principles of “people”, “processes”, and “technology”. I introduced the concept, provided examples and use-cases, defined each aspect in detail and concluded with a visual representation. My contribution received overwhelming support and is now a permanent addition to ISA-62443-1-1 as informative clause "Security Essentials" (formerly known as Security Aspects). The visual representation is also widely used by other ISA99/IEC62443 members when describing these foundational concepts to others.
Organizations
-
International Society of Automation (ISA)
ISA-99 Committee Member (62443 Cybersecurity Standards)
Since almost the beginning of when ISA-99 Committee for ICS Cybersecurity was formed, I've supported the group in various forms and roles (Information Member, Reviewer, Voting Member, Contributor, Working Group co-Chair, Editor, Trainer, etc.). Today, I continue to inform, promote, and train others on the various 62443 Standards and how to use them.
More activity by Donovan
-
Join Public Safety Canada | Sécurité publique Canada for this Industrial Cybersecurity Symposium next Wednesday, November 20th. DeNexus OT…
Liked by Donovan Tindill
-
We are very excited that DeNexus has been chosen as a finalist in the Security Trailblazers category of this year's Tech Trailblazers Awards. Final…
Liked by Donovan Tindill
-
🏆 We are thrilled to announce that DeNexus was recognized as the winner of the Most Innovative Cyber Risk Quantification category of Cyber Defense…
Liked by Donovan Tindill
-
Today is the day! Donovan Tindill will speak at SecurityWeek ICS Cybersecurity Conference in Atlanta about how to quantify your financial exposure to…
Liked by Donovan Tindill
-
Donovan Tindill, Director of OT Cybersecurity at DeNexus, will speak about OT/ICS Cyber Risk Quantification and Management during the SecurityWeek…
Liked by Donovan Tindill
-
Join me at SecurityWeek ICS Cybersecurity Conference this week as I will be sharing case studies on Financial Quantification of Cyber Risk in ICS/OT…
Shared by Donovan Tindill
-
Something to follow. A federal grand jury returned an indictment charging the CEO of a #datacenter company with fraud against the United States…
Liked by Donovan Tindill