Ed Bellis

I spend a lot of time with manufacturers and product teams who aren’t questioning whether they must comply with the Cyber Resilience Act (CRA) they’re stuck on the how. The CRA is clear on the obligations, but in practice the hard part is interpretation: software distributed online, products that depend on cloud back-ends, continuous updates, open-source components, product families, legacy models… This is exactly what the European Commission is trying to address now. The Commission is preparing a Communication (a guidance document) to explain how the CRA should be applied in real situations and to support a consistent approach across the EU. It’s not a new Regulation and it’s not “binding law” in itself but it matters because it clarifies how key provisions are expected to be understood and implemented in practice. https://lnkd.in/etm43Utx What I like in this draft is that it turns the CRA into practical “rules of the road”, especially on: • Software scope & “placing on the market” (including iterative releases) • What counts as the “product” when hardware depends on apps/drivers/software delivered separately • Open-source (FOSS): when it’s out of scope vs when it becomes a commercial activity, and the steward concept • Updates vs “substantial modifications”: focus on risk/attack surface/intended purpose, not release size • Support period: 5 years is a minimum, and how this works with versioned software/upgrade paths • Cloud / remote processing: what’s part of the product vs general IT infrastructure • Risk assessment & due diligence: manufacturers keep responsibility, including for third-party components The draft is open for feedback for a limited period, and comments are expected in a structured template (so they can consolidate input). If you build products that will fall under CRA, this is a very good moment to stress-test your assumptions and flag the parts that are unclear, unrealistic, or could lead to unintended consequences. I’m sharing the draft guidance here because, from what I see, the companies that will move fastest are the ones that turn these interpretations into concrete internal rules: scope mapping, update governance, support period policy, OSS governance, and evidence-ready documentation.

32

Good morning! Here is this week's ICS Advisory, Other CERT, and Vendor vulnerability advisories weekly summary for 23 - 27 February 2026. This past week, CISA released 12 new CISA ICS Advisories for the following vendors: Copeland, InSAT, CloudCharge, EV Energy, Chargemap, SWITCH EV, Mobility46, EV2GO, Gardyn, Johnson Controls, Inc. Pelco, Inc. and Schneider Electric. One update was released this past week for Honeywell Schneider Electric, Mitsubishi Electric, Hitachi Energy, ICONICS and Mitsubishi Electric. Based on the new CISA advisory, #Energy, #TransportationSystems, #Commercial #Facilities, #Healthcare and #PublicHealth, #Defense #Industrial Base, #Food and #Agriculture, Critical #Manufacturing, #Government #Facilities, #Financial #Services, #InformationTechnology, #Water and #WastewaterSystem are the potentially affected critical infrastructure (CI) sectors. The ICS Advisory Project identified 16 new ICS Advisories for Festo, ARC Informatique, Moxa, Phoenix Contact, ABB, Bosch Rexroth, Hitachi Energy, Ubiquiti Networks, Trumpf, PDUexperts, Socomec and one update for Hitachi Energy. View the summary details of other CERT & Vendor product advisories identified last week (23 - 27 February 2026) at: https://lnkd.in/efKiMsxs This past week, CISA added 3 new Known Exploited Vulnerability (KEV) Catalog. None added this week correlated to a CISA ICS Advisory. ICS Advisory Project identified one CVE: CVE-2020-11023 – JQuery Cross-Site Scripting (XSS) Vulnerability listed in the Festo advisory for CODESYS vulnerabilities in Festo Automation Suite [VDE-2025-108]. This week, ICS Advisory Project, powered by Industrial Data Works LLC, in collaboration with EmberOT, released our 2024–2025 ICS/OT Vulnerability Intelligence Report. Check it out at: https://lnkd.in/ehG4DNPs Thank you all at EmberOT for your amazing support in getting this report out this year. Acknowledgement: Thank you Mikael Vingaard at the ICSRange for sharing with ICS[AP] the new ICS Advisory for PDUexperts. Visit the ICS[AP] CISA KEV Catalog Dashboards: https://lnkd.in/emzXBbBw View previous ICS Advisory Project weekly summaries: https://lnkd.in/eQKxhAEi To view the updated ICS Advisory Project Dashboards, visit: icsadvisoryproject.com Sign up to receive ICS[AP] Weekly Summary Slides & Other CERT and Vendor Advisory Summaries via email every Monday https://lnkd.in/eUwQrrj4 I appreciate everyone's comments & support. Have a great week!  #CISA #ot #ics #otsecurity #icssecurity  #cybersecurity #cybersecurityawareness #industrialautomation #buildingautomation #oilandgas #maritime #vulnerabilitymanagement Disclaimer: The views expressed in my LinkedIn posts and profiles are my own, not those of my employers or LinkedIn.

29

New breakdown: NYDFS’s 2026 vishing advisory, mapped to identity detections and controls. The advisory describes a consistent pattern: attackers impersonate IT help desk staff, direct victims to a malicious link, capture credentials in real time, then prompt for the MFA code to immediately authenticate and obtain remote access. The sequence we see repeatedly: ↳ Password reset → new login from new geo/device within minutes ↳ New MFA device enrolled shortly after reset ↳ SSO session minted from a new IP / ASN, then immediate access to high-value apps ↳ Privilege escalation attempts after initial foothold The post also maps a concrete control to the help desk hinge point: Mutual TOTP verification, so resets and enrollments aren’t approved based on voice alone. Full breakdown → https://lnkd.in/gBv3e_Hk

8

Insider risk resources are often scarce, and many large organizations, such as Google, tend to address these issues only after well-publicized incidents. -https://lnkd.in/gxyAny7a. Marshall Heilman and the folks from DTEX partnered with the Ponemon Institute to release the "Cost of Insider Risk 2026 Global Report" - https://ponemon.dtex.ai/. This report is the gold standard in providing trends to evaluate and budget for your own Insider Risk program. Share it with your chronically underappreciated Insider Risk folks Key Insights - Total average annual cost of insider security incidents is US$19.5M - Companies with an insider risk management program save themselves from 7 incidents a year, saving on average 8.2 million dollars - Time to Containment is reduced with a commitment to budgeting for Insider Risk, with an average of 67 DAYS to contain, down from 86 in 2023 - They address the rising COST OF SHADOW AI with cost of $10.3M due to negligent insiders

19

I'd like to think that people would recognize an obvious point here. Safe, which relies on FAIR analytics, was miles ahead of even the other CRQ leaders in Forrester's analysis (and Safe isn't the only FAIR-based player in the market). If this doesn't blow a great big gaping hole in ridiculous claims that FAIR is somehow irrelevant in 2025, I don't know what will. Unfortunately, many of these claims about FAIR are driven by one of two things -- 1) ignorance, or 2) misinformation for competitive messaging. As far as ignorance goes, very often that's simply a mistaken belief that FAIR is dependent on SME estimates and/or relies solely on betaPERT distributions. Neither is true. If you have empirical data, FAIR can consume it. If you want to use a different distribution, FAIR's fine with that too. FAIR is a model, folks. It defines factors and their relationships -- period. As such, there are many ways to implement it, each with its strengths and weaknesses. Furthermore, FAIR describes how risk works, which doesn't change as the risk landscape changes. Yes, the details of the risk landscape (e.g., threats, assets, controls, etc.) change over time, but how RISK works (and therefore FAIR) is resilient to these changes. Think of this as being similar to Copernicus' observations of the solar system -- elliptical orbits, etc. Those observations describe how the solar system appears to behave. You may discover (or remove) planets but the nature of the system remains unchanged. I'm excited for my friends at Safe, who have worked very hard to get the product to where it is. But let's also recognize that CRQ is still largely thought of as a nice-to-have, and we're only going to overcome that by educating the market and raising risk measurement expectations, and not through misrepresentations.

116

11 Comments

Here’s a pattern I’m seeing more often: More sites. More assessments. More reporting expectations. Same headcount. Security teams are being asked to scale output without scaling structure. So what happens? Assessments become episodic. Reporting takes too long. Prioritization becomes subjective. And leaders spend more time translating risk than reducing it. This isn’t a capability issue. It’s an architecture issue. At some point, physical security has to operate with the same operational discipline as finance and IT. Otherwise it stays in permanent catch-up mode. For security people overseeing medium to large portfolios (20+ sites): What’s currently your biggest bottleneck volume, visibility, or validation? And why do you think this is?

5

1 Comment

I’ve been thinking about exposure management less as a tooling problem and more as a systems problem. When discovery grows faster than mobilization capacity, exposure doesn’t just increase — it compounds. That accumulation is exposure debt.

16

2 Comments

Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will: Expose misconfigurations and control gaps Surface broken processes (people • tech • vendors) Produce a clear timeline to improve response Provide evidence for insurance claims and regulators Demonstrate senior management intent and due diligence One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers

17

2 Comments