By Ralph Langner
OT security is filled with vendors making grandiose claims about their ability to protect against cyber threats and save humanity from disaster. However, in reality, the value of these claims is often abstract and difficult to measure. As a result, many customers are left wondering whether their investment in OT security is worth it. The fact is that oftentimes an asset owner’s investment in ICS Detection technology and related services easily exceeds the damage that could reasonably be expected from a cyber-physical attack.
You don’t believe this? Well then you most likely haven’t done the math on cyber attacks, their frequency, and their actual cost for the victim. I’m not talking about unsubstantiated allegations by vendors who want to make you believe that any cyber attack would be catastrophic. I’m talking about real numbers. If you are interested in such numbers, check out the following video.
Can we conclude then that OT security isn’t worth it? Absolutely not. The $100k question is how OT security can achieve tangible results. Abstract concepts like “risk reduction” may sound impressive and make you feel better, but they do not provide any real (= hard currency) value to asset owners. The latter want to see things like cost savings, increased efficiency, and better control over systems that are hard to manage. And they also want to see measurable progress.
Making it happen actually isn’t too difficult! If you look at the security operations of any typical OT asset owner, you will quickly see that they struggle with
- Creating and maintaining an OT asset inventory as the foundation for everything else
- Vulnerability management
- Patch management, or implementation of compensating security controls
- Disaster recovery.
Characteristic of all these areas is that there isn’t enough manpower to actually make it happen in a meaningful way. The overworked engineering staff is one of the biggest problems the OT security industry is facing right now. But the answer to this problem is not to add more manpower (something that no asset owner has any desire to do, especially in today’s economy), but to introduce automation.
The key to unlocking untapped value in OT security is enabling engineers to do more with less. This means giving them the tools and technologies they need to run their systems better without hiring more people. An OT asset inventory cannot be created manually except for the smallest Ma-and-Pa shop. Vulnerability management cannot be done manually, no matter how many people you would assign to the task. And so on, you get the point. But those activities can be automated, yielding a rich data source that can be processed with state-of-the-art analytics and presented in state-of-the-art dashboards (did I hear somebody say Power BI?).
Let’s get more concrete. Imagine you have figured out that your biggest cyber risk is associated with the hundreds of Windows 7 systems that you are still running, something that your OT asset management system can tell you within seconds. This insight prompts you to launch a project where all, or most, of these systems are upgraded. In your asset management system, you and your management can track how the risk diminishes as you progress with your project. That’s tangible. Also tangible are all the hours you have saved by gathering info on those operating systems automatically, rather than launching a month-long effort to try to collect this data manually.
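As an added illustration, not code from the original post, this script shows what "tracking the Windows 7 project in the asset inventory" can look like: it compares two constructed inventory exports, counts hosts whose operating system is past vendor end of support, reports how much of the baseline has been remediated, and flags end-of-life hosts that appeared since the baseline (the column names, host names and sites are assumptions).

```python
import csv
from datetime import date
from io import StringIO

# Vendor end-of-support dates for the operating systems being tracked.
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed sample inventory exports; columns host,site,os are assumed.
BASELINE_CSV = """host,site,os
hmi-01,plant-a,Windows 7
hmi-02,plant-a,Windows 7
eng-01,plant-a,Windows 10
hist-01,plant-b,Windows Server 2008 R2
hmi-03,plant-b,Windows 7
"""
CURRENT_CSV = """host,site,os
hmi-01,plant-a,Windows 10
hmi-02,plant-a,Windows 7
eng-01,plant-a,Windows 10
hist-01,plant-b,Windows Server 2016
hmi-03,plant-b,Windows 7
hmi-04,plant-b,Windows 7
"""

def eol_hosts(inventory_csv, today):
    """Return {host: (site, os)} for every host whose OS is past end of support."""
    rows = csv.DictReader(StringIO(inventory_csv))
    return {r["host"]: (r["site"], r["os"]) for r in rows
            if r["os"] in EOL_DATES and EOL_DATES[r["os"]] <= today}

def upgrade_progress(baseline_csv, current_csv, today):
    """Compare two inventory snapshots and report measurable remediation progress."""
    before = eol_hosts(baseline_csv, today)
    after = eol_hosts(current_csv, today)
    remediated = sorted(set(before) - set(after))
    # EOL hosts not in the baseline: new machines or ones the inventory missed before.
    regressions = sorted(set(after) - set(before))
    per_site = {}
    for site, _ in after.values():
        per_site[site] = per_site.get(site, 0) + 1
    pct = round(100 * len(remediated) / len(before), 1) if before else 100.0
    return {"baseline_eol": len(before), "current_eol": len(after),
            "remediated": remediated, "regressions": regressions,
            "percent_of_baseline_remediated": pct, "remaining_by_site": per_site}

def demo_report(today=date(2024, 1, 1)):
    return upgrade_progress(BASELINE_CSV, CURRENT_CSV, today)

if __name__ == "__main__":
    print(demo_report())
```

The regression list is the check a practitioner wants alongside the progress percentage: a project can look half done while new Windows 7 hosts keep showing up at another site.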
None of this is to say that abstract concepts like “risk reduction” are unimportant. On the contrary, risk reduction is an important part of OT security, and vendors must be able to give customers solutions that address their specific risks and vulnerabilities. But vendors must also be able to show how their solutions help customers in real ways if they want to win their trust and confidence. Guess what, our small example with the Windows 7 upgrades demonstrated how to make measurable progress against the biggest cyber risk in corporate America, which is ransomware! (In case you wonder, ransomware infections start with exploiting well known vulnerabilities of the Windows operating system.)
To conclude: OT security was obsessed with over-exaggerated threats by nebulous super hackers for way too long. The OT security industry needs a shift from grandiose claims about saving the world to delivering tangible results. Those results may not be sexy and don’t cater to drama such as epic fights between good and evil. But they will substantially reduce the attack surface of OT asset owners, while lending themselves to scrutiny for return on investment.