If you think OT security is about tracking the latest threats and neutralizing them in your OT environment, you have set yourself up for a constant struggle with no real hope or improvement plan. You will always be a step behind the latest threat intelligence. And that’s exactly where managed services providers want you, so you’ll need them forever. Talk about manufacturing job security.  

The attacker/defender paradigm is seductive. It lures us into a never-ending cycle of chasing new threat intelligence, perpetuating the belief that progress is never sufficient. Threat intel dealers thrive on this cycle, ensuring that we remain dependent on their products.   

The view is fundamentally flawed. It overlooks the broader context of OT security, reducing it to a mere battle between good and evil. This reductionist approach fails to account for the complexity of the systems we are trying to protect.

Going beyond OT security good vs. evil 

The threat-centric view of OT security has become the root of much drama, hyperbole, and, unfortunately, stagnation in the field. It’s time to ask if this perspective is truly serving us, or to attempt a paradigm shift.  

From an engineering perspective, a cyber-attack is not an isolated event. It’s a special case of a technical system, engineered by humans, being made to malfunction. Other examples include accidental misconfigurations or failure to undergo intentional (benevolent) change.  

These non-malicious factors are far more frequent and can challenge the reliability of your OT system just as much as a malicious attack. By focusing solely on the threat-centric view, we ignore these aspects, leaving our systems vulnerable to a wider array of problems.  

Building robust systems 

What we need is a shift in perspective. Instead of obsessing over the attacker/defender dichotomy, we should strive to build robust systems. A robust system behaves reasonably well in all the mentioned scenarios, whether it’s a cyber-attack, accidental misconfiguration, or intentional change.  

Robustification is the discipline of planning and designing robust systems, and of operating systems in a robust manner. Cyber robustification is not a technology; it’s a discipline that can be acquired and taught, and the results of its application can be measured and evaluated. To achieve or enhance cyber robustness, it is not necessary to incorporate new technology, to get rid of specific existing technology, or to buy specific products.  

This design goal goes beyond enhanced cyber security. It accounts for the multifaceted challenges that OT systems face, providing a more comprehensive and resilient defense.  

Building better OT systems 

The attacker/defender dichotomy in OT security has led us down a path of endless pursuit without substantial progress. It’s time to break free from this cycle and embrace a more nuanced and engineering-driven approach.

By recognizing that a cyber-attack is just one of many factors that can cause a system to malfunction, we can design systems that are not only more secure against malicious threats but also more reliable in the face of non-malicious challenges.  

In the end, OT security is not about winning battles; it’s about building systems that can withstand the complex and ever-changing landscape of today’s technological world.   

Let’s move beyond the drama and hyperbole and focus on creating robust solutions that serve us well in all scenarios. Let’s focus on what we can do – building robust and resilient OT networks – rather than on what we can’t: outpacing the hackers.

Final thoughts 

OTbase is the quintessential productivity tool for your journey towards secure and resilient OT networks. Start with the OT Vulnerability Management Handbook from OTbase. It outlines a performance-based approach shaped by more than twenty years of experience in OT security consulting in everything from automotive factories to nuclear power plants.