I had the pleasure of interviewing Dan Geer on the S4x18 Main Stage for 30 minutes. He typically speaks from prepared papers, so an interview is a bit unique, and his papers provided plenty of topics and questions.
We covered a wide range of issues including:
Risk: The impact of complexity and dependencies. How redundancy can increase risk against a sentient opponent. The trade off between preventing random faults and protecting targeted faults.
The importance of eliminating silent failures. Even so far as raising the probability of failure if it eliminates or reduces silent failure.
Business risk acceptance when society would not make the same risk decision.
The need for “different” redundancy, two systems with no common mode failures. Manual is an obvious different redundancy, but can two cyber systems have no common mode failures?
The growing importance of integrity.
The value of patching or otherwise reducing vulnerabilities based on whether vulnerabilities are sparse or dense. The density of medical device vulnerabilities was discussed as an example.
Are we going to take the path of proof of correctness and rigid change control or almost constant change?
This episode was sponsored by CyberX. Founded by military cyber experts, CyberX has developed a platform that helps organizations continuously reduce ICS risk.