Tactical OT security is an approach that can make your OT security efforts more effective. Here is how.
If you are working in OT security, you will probably have noticed that most organizations struggle to gain any momentum with their security efforts. Some might not even have a good idea of what it looks like to see, feel, and demonstrate progress. One reason for failing to pick up momentum has largely been underreported: an obsession with discussing and standardizing concepts and first principles, which results in paralysis at the execution level.
If this were war, it would look like your troops remaining in the barracks, meticulously discussing Clausewitz and Sun Tzu while under full-scale attack.
Discussing the principles of war is important, but not while the roof is being blown away by enemy fire. We have been discussing the concept of CIA/AIC and Security Assurance Levels for years to no good outcome. Hundreds of people are sweating over the question of how to use a bureaucratic monster such as the NIST Cyber Security Framework for operations technology, let alone the question of what it actually gives you. In Germany, critical infrastructure operators are trying to figure out how ISO 27k could be applied to OT (as mandated by regulation), while not even the BSI themselves could tell you how to do it. In the meantime, hundreds or thousands of industrial facilities are infiltrated every day.
An indicator of doomed OT security — security efforts that will only result in frustration for everybody involved — is if you never actually operate at the tactical level. Tactical OT security is characterized by three properties:
1. Activities have a concrete association with known attack vectors. The value of activities may even be self-evident, such as blocking egress network traffic.
2. Results can be observed and measured. An example is the percentage of unidentified endpoints in your process networks, as shown by your monitoring solution.
3. Results are short-term. If you can’t demonstrate progress in weeks or even months, you’re not operating tactically.
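As an added illustration of the second and third properties (not code from the original post), the following script computes the metric named above, the percentage of unidentified endpoints in a process network, from a known-asset inventory and the endpoints a passive monitoring solution has observed, and reports it per weekly snapshot so that progress is visible in weeks. All addresses, inventories and observations are constructed sample data.

```python
# Added example: "percentage of unidentified endpoints in your process networks".
# An endpoint is unidentified if monitoring sees it talking inside the process
# network but engineering has no inventory record for it. All data is constructed.
from ipaddress import ip_address, ip_network

PROCESS_NETWORK = ip_network("10.20.1.0/24")  # constructed process-cell subnet

# Constructed inventory per week; week-2 has two endpoints identified in week-1 added.
BASE_INVENTORY = {
    "10.20.1.10": "PLC-1",
    "10.20.1.11": "PLC-2",
    "10.20.1.20": "HMI-1",
    "10.20.1.50": "Engineering workstation",
}
WEEKLY_INVENTORY = {
    "week-1": BASE_INVENTORY,
    "week-2": {**BASE_INVENTORY,
               "10.20.1.77": "Historian (identified in week 1)",
               "10.20.1.99": "Remote I/O gateway (identified in week 1)"},
}

# Constructed: source addresses seen by passive monitoring. 192.168.5.5 is out of
# scope for this metric; 10.20.1.200 was removed from the network after week-1.
WEEKLY_OBSERVED = {
    "week-1": ["10.20.1.10", "10.20.1.11", "10.20.1.20", "10.20.1.50", "10.20.1.77",
               "10.20.1.99", "10.20.1.120", "10.20.1.200", "192.168.5.5"],
    "week-2": ["10.20.1.10", "10.20.1.11", "10.20.1.20", "10.20.1.50", "10.20.1.77",
               "10.20.1.99", "10.20.1.120", "192.168.5.5"],
}

def unidentified_endpoints(observed, inventory, network=PROCESS_NETWORK):
    """Observed addresses inside the process network that have no inventory record."""
    in_scope = {a for a in observed if ip_address(a) in network}
    return sorted(in_scope - set(inventory))

def unidentified_percentage(observed, inventory, network=PROCESS_NETWORK):
    """Share of in-scope observed endpoints that are unidentified (0.0 if none observed)."""
    in_scope = {a for a in observed if ip_address(a) in network}
    if not in_scope:
        return 0.0
    unknown = unidentified_endpoints(observed, inventory, network)
    return round(100.0 * len(unknown) / len(in_scope), 1)

def progress_report(observed_by_week, inventory_by_week):
    """Metric per snapshot, so week-over-week progress (or its absence) is measurable."""
    return {week: unidentified_percentage(obs, inventory_by_week[week])
            for week, obs in observed_by_week.items()}

if __name__ == "__main__":
    for week, pct in progress_report(WEEKLY_OBSERVED, WEEKLY_INVENTORY).items():
        print(f"{week}: {pct}% of observed process-network endpoints unidentified")
```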
At the end of the day, your OT security activities will not be judged by how well they align with best practices and feel-good concepts such as awareness. They will be judged by their effectiveness.
Review your OT security activities with respect to how well they match the criteria mentioned above. If you are not happy with the result, we may be able to help with advice and tools.