By Ralph Langner
Is OT security all about tracking the latest threats and trying to neutralize them in your OT environment? If that is your worldview, you have set yourself up for a constant struggle with no real hope or plan for improvement. You will always be a step behind what the latest threat intelligence suggests. And that’s for a reason: This is exactly where managed service providers want to have you. You’ll be hooked forever.
The attacker/defender paradigm is seductive. It lures us into a never-ending cycle of chasing new threat intelligence, perpetuating the belief that progress is never sufficient. Threat intel dealers thrive on this cycle, ensuring that we remain dependent on their products.
Beyond good vs. evil
But this view is fundamentally flawed. It overlooks the broader context of OT security, reducing it to a mere battle between good and evil. This reductionist approach fails to account for the complexity of the systems we are trying to protect.
The threat-centric view of OT security has become the root of much drama, hyperbole, and, unfortunately, stagnation in the field. It’s time to ask whether this perspective is truly serving us, or whether to attempt a paradigm shift.
From an engineering perspective, a cyber attack is not an isolated event. It’s a special case of a technical system, engineered by humans, being made to malfunction. Other examples include accidental misconfiguration or the inability to undergo intentional (benevolent) change.
These non-malicious factors are far more frequent and can challenge the reliability of your OT system just as much as a malicious attack. By focusing solely on the threat-centric view, we ignore these aspects, leaving our systems vulnerable to a wider array of problems.
Building Robust Systems
What we need is a shift in perspective. Instead of obsessing over the attacker/defender dichotomy, we should strive to build robust systems. A robust system behaves reasonably well in all the mentioned scenarios, whether it’s a cyber attack, accidental misconfiguration, or intentional change.
Robustification is the discipline of planning and designing robust systems, and of operating systems in a robust manner. Cyber robustification is not a technology; it’s a discipline that can be acquired and taught, and the results of its application can be measured and evaluated. To achieve or enhance cyber robustness, it is not necessary to incorporate a new technology, to get rid of specific existing technology, or to buy specific products.
This design goal goes beyond enhanced cyber security. It accounts for the multifaceted challenges that OT systems face, providing a more comprehensive and resilient defense.
The attacker/defender dichotomy in OT security has led us down a path of endless pursuit without substantial progress. It’s time to break free from this cycle and embrace a more nuanced and engineering-driven approach.
By recognizing that a cyber attack is just one of many factors that can cause a system to malfunction, we can design systems that are not only more secure against malicious threats but also more reliable in the face of non-malicious challenges.
In the end, OT security is not about winning battles; it’s about building systems that can withstand the complex and ever-changing landscape of today’s technological world.
Let’s move beyond the drama and hyperbole and focus on creating robust solutions that serve us well in all scenarios. Let’s focus on what we can do – building robust and resilient OT networks – rather than on what we can’t – outpacing the hackers.