Donovan Tindill

Edmonton, Alberta, Canada

About

I have a unique background in OT cybersecurity over the last 22 years. At my core is a…

Publications

  • Conference Presentation: What’s Missing in Our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap

    ICSJWG Spring Meeting, Scottsdale, AZ

    ICS security professionals and experts have a large number of security standards and guidance to reference in the development of their ICS security program (e.g., ISO 27000, IEC/ISA 62443, NIST CSF, COBIT). The challenge is selecting a standard and then trying to apply it to a control systems environment at a single site or across a fleet of facilities and systems. This presentation begins by describing the traditional ‘assessment-based’ approach to ICS security, its weaknesses, and how it will struggle to “get ahead” of the problems that lead to insecure ICS. The next topic is sharing a cyber security framework that builds upon existing technical frameworks (e.g., 62443-3-3 security levels), maturity models (e.g., CMMI, MIL), and procedural frameworks (e.g., NIST CSF, 62443-2-1). Using examples, this framework is then used to benchmark the ‘current state’ of any asset owner’s ICS security program, the target state, and how to lay out a roadmap to achieve it.

  • Conference Presentation: 'Profiling' an ICS Security Program

    ISA Edmonton Automation Expo & Conference (AEC)

    What’s Missing in our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap Leveraging 62443, NIST CSF, and a maturity model.

  • Conference Presentation: 'Profiling' an ICS Security Program

    Public Safety Canada ICS Security Workshop

    What’s Missing in our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap Leveraging 62443, NIST CSF, and a maturity model.

  • ISA-TR62443-2-3-2015, Security for industrial automation and control systems Part 2-3: Patch management in the IACS environment

    International Society of Automation (ISA) and International Electrotechnical Commission (IEC)

    In 2008, I was consulting with a customer on control systems patch management for CIP compliance. At the time, there was no guidance available on how to set up or perform patching on mission-critical control systems, and I proceeded to develop a program for my customers. After little progress in ISA and others, in 2010 I volunteered into a leadership role with ISA and documented all of the lessons learned and guidance for control systems patch management. Due to my contributions and leadership, the co-chairs Florian and Bill nominated me to co-chair alongside them. After 4 long years, this technical report is officially published and available for all industrial asset owners and vendors to learn from.

    Other authors
  • Presentation: Lessons Learned from the Field - Active Directory in Control Systems

    DigitalBond S4 2015

    Many control systems don’t have domains or leverage them only for user authentication. They are intended to help centralize the maintenance and management of a large group of member computers, as well as huge productivity gains for administration, implementing change, and consistency. This session will cover lessons learned of Active Directory domains and their use with control systems, from someone who deals only with control system environments. What works, what to avoid, guidance on how to plan & implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory, it is intended for those that have familiarity with Active Directory, its purpose, basic administration and group policy management.

  • Presentation: Adapting Safety Strategies to your ICS Cyber Security Program

    ICS Cyber Security Conference 2014, SecurityWeek

    Health, safety, and environment (HSE) programs are deeply ingrained in every organization and industrial site we work with. The benefits of HSE programs are reduced injuries, reduced lost-time incidents, and reduced liability and insurance costs as a result. Safety programs have a long history of statistical evidence showing how different types of documented unsafe work conditions, near misses, and incidents have been reduced through training, reinforcement, and controls. Each safety program is a continuous cycle, with each year building upon the good practices of the last and working towards zero incidents. The subject of cyber security for industrial control systems (ICS) does not have the benefit of decades of statistics, legislation, training, and budgets to build on, but it is as important as its conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets is strangely neglected in many organizations.
    This presentation identifies the linkages, statistics, history, and effectiveness of health & safety with security & reliability. It will cover the effective strategies in a safety program that can be applied to increase the effectiveness of an ICS cyber security program.

  • Presentation: Leveraging DCS Modernization for Cyber Security

    Honeywell Users Group 2014, San Antonio

    This presentation is the result of a multi-year project for DCS modernization that was expanded to also address cyber security requirements. Anyone planning to upgrade their control system must also include security at the same time. The presentation provides guidance on how to get management approval, describes the consultative project approach, technical challenges, network filtering, user account management, and lastly the long-term benefits. This was presented at Honeywell Users Group and co-presented with customer personnel from both their DCS Controls and IT Security groups.

  • Paper: Identifying CIP Version 5 Assets in Generation

    Power Magazine

    The latest version of Critical Infrastructure Protection standards applies to different facilities and assets than previous versions, so the first, critical step in compliance is to determine which facilities and assets are subject to the new standards.

    Other authors
  • Cyber Security Blog: InSecurity.honeywellprocess.com

    Honeywell

    Follow the link to Honeywell InSecurity blog to a collection of those articles that I have written. I recommend:
    "Importance of People-Process-Technology to Cyber Security Effectiveness",
    "Rating Risk is Not the Same as Risk Management",
    "ISA99 Patch Management Update",
    and results of my research on "How Can I Reduce Staffing for Compliance?"

  • Contribution: ISA-62443-1-1 Clause 7 "Security Essentials"

    International Society of Automation (ISA)

    As part of my participation in ISA99/IEC62443, I presented a proposal to the committee on how we should adopt the security concepts of people, processes, and technology into the ISA-62443-1-1 Terminology, Concepts and Models document. To establish a mature and robust cyber security program requires that attention and resources are devoted to the principles of “people”, “processes”, and “technology”. I introduced the concept, provided examples and use cases, defined each aspect in detail and concluded with a visual representation. My contribution received overwhelming support and is now a permanent addition to ISA-62443-1-1 as informative clause "Security Essentials" (formerly known as Security Aspects). The visual representation is also widely used by other ISA99/IEC62443 members when describing these foundational concepts to others.


Organizations

  • International Society of Automation (ISA)

    ISA-99 Committee Member (62443 Cybersecurity Standards)

    Since almost the beginning of when ISA-99 Committee for ICS Cybersecurity was formed, I've supported the group in various forms and roles (Information Member, Reviewer, Voting Member, Contributor, Working Group co-Chair, Editor, Trainer, etc.). Today, I continue to inform, promote, and train others on the various 62443 Standards and how to use them.
