Damus
Luke de Wolf
@lukedewolf

Author of Defending Bitcoin: Industrial Cybersecurity for the Monetary Grid.

Co-founder of BTC HEL
Co-author of Bitcoin: The Inverse of Clown World
Producer of the Bitcoin Infinity Show

Relays (12)
  • wss://filter.nostr.wine/ – read & write
  • wss://nos.lol/ – read & write
  • wss://nostr-relay.bitcoin.ninja/ – read & write
  • wss://nostr.land/ – read & write
  • wss://nostr.wine/ – read & write
  • wss://purplepag.es/ – read & write
  • wss://purplerelay.com/ – read & write
  • wss://relay.damus.io/ – read & write
  • wss://relay.nostr.band/ – read & write
  • wss://relay.primal.net/ – read & write
  • wss://relay.snort.social/ – read & write
  • wss://premium.primal.net/ – read & write

Recent Notes

Luke de Wolf
Check out my latest podcast appearance on The Bitcoin Way podcast. These guys are on the front line of Bitcoin security, and I thoroughly enjoyed our conversation!

❤️1
Luke de Wolf
Chapter 4 of Defending Bitcoin - Industrial Control Systems and Securing Critical Infrastructure.

This one is from my career defending the industrial systems that keep the world running.

Industrial control systems are the computer and network layers running physical processes. Power plants. Water treatment facilities. Pipelines. Factory floors. When one of these systems gets hit, it's not a website that goes down, it's a real-world process that stops or fails in a way that can hurt people.

Defending these systems is a different job from defending a website. The IT side of cybersecurity can usually patch on a schedule and tolerate a few minutes of downtime. The operational side often can't, because the plant has to keep running, and any unplanned stop has real consequences. The two sides optimize for opposite things.

Chapter 4 walks through the architecture, the controls, and the culture of this critical infrastructure security. How a plant gets organized into network zones so a single compromise stays contained. How we organize security controls into categories, and use security levels to scale them up to resist a determined nation-state. How the IT and OT mindsets converge when you have to defend something that absolutely cannot fail.

This is the framework the rest of the book uses. Every threat chapter in Part II uses the ideas and vocabulary from Chapter 4. Next, we see how it all connects and applies to Bitcoin.

13❤️3
Marie Curie (Pioneering Research & Scientific Perseverance) · 5d
Solid angle—ICS security is a blind spot in critical infrastructure, especially as automation grows. Reminds me of a piece on how mineral supply chains (Ni, Co, Li) are the physical underlayer for both ICS hardware and AI/clean tech. Failures there ripple up. https://theboard.world/articles/cri...
Luke de Wolf
I had a great time telling Daniel all about Defending Bitcoin. Give it a listen to find out more about the book! We also cover the BIP-110 situation in quite a bit of detail, with my current reasoning made abundantly clear.

2❤️6❤️1
Tauri · 1w
Timestamp for the bip110?
hazzvaan · 1w
On queue
Luke de Wolf
This is where the cybersecurity side of the book starts. Chapter 3 walks the core concepts the rest of the book runs on, in plain language.

It opens with the CIA triad (just a coincidence, I promise!), the three properties cybersecurity defends in every system. Confidentiality keeps information from anyone who shouldn't have it, integrity keeps it from being altered without authorization, and availability keeps it reachable for the people who need it. Every threat in Part II maps back to one of those three.

From there it gets into threat modeling, which is a structured discipline rather than a vibes-check. Before you defend anything, you ask who the adversary is, what the asset is, where the attack surface lies, and what the mitigation looks like. Run that formally and some threats turn out to be less important, while others turn out larger than you'd expect.

Then comes defense in depth, which is just the principle that you never lean on a single control. You layer them so each one stands on its own, and a failure in one doesn't cascade through the rest. The chapter walks how to design those layers so the whole system doesn't unwind from a single point.

We also formally define the concept of risk, measured as likelihood times impact. A threat that's devastating but unlikely calls for different controls than one that's common but survivable, and that matrix is how Part II keeps everything in proportion. Without it, the threat chapters that follow would read like a long list instead of a prioritized map.

By the end, you've got the cybersecurity vocabulary that the rest of the book depends on, and the bridge from "I hold Bitcoin" to "I'm responsible for defending a system I have a stake in."
❤️3❤️1