By Ralph Langner
OT security is important, right? I couldn’t agree more. But what about the direction OT security has taken over the last couple of years? Here is where things get murky. On the positive side, one cannot complain about a lack of attention for the topic, nor about a lack of venture capital funding for startup companies in the sector. So far, so good. But how much progress has been made? How can it be that, despite all the attention and budget OT security has received over the last decade, we are constantly warned about increasing threats and attacks? The answer is quite simple: The industry has mostly focused on threats rather than on the other factors that contribute to a more holistic or balanced OT security approach. Plotting this myopic fixation on threats onto the well-known NIST Cyber Security Framework circle would produce a pretty distorted picture.
OT security has a myopic fixation on threat detection.
How can an industry fueled with billions of dollars in venture capital become fixated on a tiny piece of the overall OT security problem? Ok, that’s a rhetorical question. The simple answer is that fear attracts attention, and successfully luring customers into ICS Detection products and procedures (think SOC analysts sifting through false positive alerts) locks these customers into dependence. No matter what you think about the importance of anomaly detection, one thing is for sure: There is no trajectory for continuous improvement. You always start from scratch with the next alleged threat actor and the next funny bytes in your network traffic. And vendors will do their best to keep fear levels up, especially when it comes to subscription renewal. For anyone less prone to fearmongering, it is pretty obvious that network anomaly detection and threat intelligence are not the be-all and end-all of OT security.
Are threat actors the root of all evil in OT security?
The root cause of deficient OT security is not hackers. It’s the lack of cyber resilience. Historically, every OT attack exploited basic and well-known flaws in network architecture and security procedures. And guess what? Insufficient cyber resilience goes beyond creating attack surfaces. The reality is that hackers and malware are just one factor challenging the reliability of complex OT networks, and not even the most important one. Other, non-malicious factors are far more critical because they impact operations almost on a daily basis. Even though the negative consequences of accidental misconfigurations, inefficient engineering procedures, missing version control, etc., far exceed the damage done by actual OT attacks, they don’t get as much attention. They are not dramatized by vendors, the media, and the government, and are therefore often ignored. A resilient OT architecture not only keeps the hackers out but also protects against accidental misconfiguration, configuration drift, and product obsolescence that catches you by surprise.
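The non-malicious risk factors named above (configuration drift, missing change control, product obsolescence) are exactly what an asset inventory with an engineering baseline can surface without any threat intelligence at all. The following is an added example, not code from the original post and not OTbase code: it compares each asset's approved baseline configuration against what was last observed on the network and flags devices that are past or near their vendor end-of-support date. The inventory, asset names, configuration keys and dates are all constructed for illustration.

```python
"""
Configuration-drift and obsolescence check over a constructed OT asset
inventory (added example; hypothetical identifiers and values throughout).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    asset_id: str
    role: str
    baseline: Dict[str, str]            # approved configuration from engineering records
    observed: Dict[str, str]            # configuration found during the last inventory pass
    end_of_support: Optional[date] = None  # vendor end-of-support date, if known


# Constructed sample inventory: one clean PLC, one PLC whose project changed outside
# change control, one HMI with drift and a support window that is about to close,
# and one switch that is already out of vendor support.
INVENTORY: List[Asset] = [
    Asset("PLC-101", "plc",
          {"firmware": "4.2.1", "project_crc": "A1B2", "ntp": "10.0.0.5"},
          {"firmware": "4.2.1", "project_crc": "A1B2", "ntp": "10.0.0.5"},
          date(2030, 1, 1)),
    Asset("PLC-102", "plc",
          {"firmware": "4.2.1", "project_crc": "C3D4", "ntp": "10.0.0.5"},
          {"firmware": "4.2.1", "project_crc": "E5F6", "ntp": "10.0.0.5"},
          date(2030, 1, 1)),
    Asset("HMI-201", "hmi",
          {"os": "win10", "remote_access": "disabled"},
          {"os": "win10", "remote_access": "enabled"},
          date(2025, 10, 14)),
    Asset("SW-301", "switch",
          {"firmware": "2.0", "snmp_community": "custom"},
          {"firmware": "2.0", "snmp_community": "custom"},
          date(2022, 6, 30)),
]


def config_drift(asset: Asset) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {setting: (baseline, observed)} for every setting that differs.

    Keys present on only one side count as drift too (a setting that vanished
    or appeared is as relevant as one that changed value).
    """
    keys = set(asset.baseline) | set(asset.observed)
    return {
        k: (asset.baseline.get(k), asset.observed.get(k))
        for k in sorted(keys)
        if asset.baseline.get(k) != asset.observed.get(k)
    }


def obsolescence_status(asset: Asset, today: date, warn_days: int = 365) -> str:
    """Classify an asset as supported / ending-soon / unsupported / unknown."""
    if asset.end_of_support is None:
        return "unknown"
    remaining = (asset.end_of_support - today).days
    if remaining < 0:
        return "unsupported"
    if remaining <= warn_days:
        return "ending-soon"
    return "supported"


def resilience_report(inventory: List[Asset], today: date) -> List[Tuple[str, str, List[str]]]:
    """Produce (asset_id, finding, affected_settings) tuples, in inventory order."""
    findings: List[Tuple[str, str, List[str]]] = []
    for asset in inventory:
        drift = config_drift(asset)
        if drift:
            findings.append((asset.asset_id, "drift", list(drift)))
        status = obsolescence_status(asset, today)
        if status != "supported":
            findings.append((asset.asset_id, status, []))
    return findings


if __name__ == "__main__":
    # Fixed reference date so the sample output is reproducible.
    for asset_id, finding, settings in resilience_report(INVENTORY, date(2025, 1, 15)):
        detail = f" ({', '.join(settings)})" if settings else ""
        print(f"{asset_id}: {finding}{detail}")
```

The report deliberately contains nothing about attackers: every finding is a deviation from the plant's own engineering intent or from vendor support status, which is actionable by the engineering team regardless of who, if anyone, is targeting the site.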
OT risk beyond hackers that you need to care about.
The OTbase asset management system helps you on your journey towards OT resilience while at the same time allowing your engineers to achieve more with less. You can’t control hackers, but you can control the resilience of your OT installations. Or, as Master Yoda used to say, focus on what you can control and ignore the rest. Ok, I made this up, but I’m sure he would have said this when prompted. At least something like “On what you can control, focus you must. What you cannot control, not worry, should it you.”
The bottom line is this. OT security as we know it has vastly overplayed its hand with constant fearmongering in the blatant absence of confirmed successful cyber-physical attacks. It is time for a paradigm shift that brings us back to a more ROI-focused approach that addresses identification, protection, incident response, and recovery. Look at it this way. We haven’t seen a sophisticated cyber-physical attack since Stuxnet. Not a single one. We see hundreds of opportunistic ransomware attacks that reach for the low-hanging fruit. The guiding light for what to prevent at this stage is no longer the catastrophic targeted cyber-physical attack executed by state-sponsored hackers but the identification and mitigation of the vulnerabilities that are most likely to be exploited. Is this achievable? Yes. Easily. Let’s stop the drama. Let’s stop the fixation on imaginary super hackers and start working on all the architectural flaws in OT infrastructures that have been known for decades. Some have called this “cyber hygiene.” I prefer “OT resilience,” as it also addresses neutral problem factors such as configuration drift, product obsolescence, or even planned change. Reliable operation of our critical infrastructure, manufacturing, and other highly automated industries is too important to leave to companies living off instilling fear, uncertainty, and doubt. It’s time to approach the problem with a more rational, engineering-oriented approach. That’s what OT resilience is all about.
Learn more about OTbase.
There are over 30 products in the “ICS Detection” category, but OTbase isn’t one of them. You may have a hard time understanding how one ICS Detection product differs from the next, but it’s easy to see how OTbase differs from all of them. For a quick check of whether it could be the right product for your company’s journey toward efficient OT asset management, book a meeting with our experts for more background.