By Walt Boyes

For over a decade, we have been reacting to the fear of cyber intrusion into OT (Operations Technology) networks in our industrial process plants, refineries, pipelines, and drilling rigs. We have dropped everything to patch apparent vulnerabilities (Microsoft Patch Tuesday) and we have done very inconvenient things such as banning portable media like USB sticks.

We have trained, untrained, and retrained OT personnel about all the various forms that a cyber or cyber-physical attack can take, from injected code to phishing attacks to cyber malware with evil-sounding names.

We continue to attempt to use IT-oriented methodology for OT issues, and we continue to argue with our CIOs about the real feasibility of maintaining up-to-date patching of software products and about the use of obsolete software in control systems.

And yet, as is attributed to Albert Einstein, “the definition of insanity is doing the same things over and over and expecting different results.” Why are we doing this? It comes down to fear. We fear that somehow a cyber-physical catastrophe will occur and we will not be able to stop it, and our plants will burn down, blow up, or at the very least lose days of production.

This fear has spawned a multi-billion-dollar industry. Companies have been started by venture capitalists and information scientists who often have no direct industrial controls and systems experience or expertise. They often have names that sound brave and reassuring, indicating they can tame your fears.

It is, in fact, bewildering. If you are an engineer, and not an IT specialist or a cyber security guru, you can be pardoned for thinking that the cyber-physical attack surface is completely out of control. You feel like the little Dutch boy with his finger in the dike, and there are two new holes just over there. Oh, look, there’s another.

We should back up, take a deep breath, and rethink the way we are combatting OT cyber events. Many times, the effects of those events are rapidly repairable, if they do damage to the plant or enterprise at all.

We need to change the frame from fear into remediation of risk. First, we need to know what the actual risks are. There are risks in missing firmware and software updates for your PLCs, Industrial PCs, and Windows PCs. We all run the risk that our computing devices age out and become obsolete, and that parts become unavailable. We can see the risks in not backing up critical OT systems. We can see the obvious risk of aging Windows computers crashing and causing downtime, or data loss, or both.

And how about the very real risk that somebody on your staff, or more than one somebody, will retire, or die, without passing on extremely critical information, including configuration details?

Here’s something to note: all of those risk vectors are internal, not external. That means that they are threats that can be dealt with and corrected on the inside of your organization, without looking for a threat perpetrator from outside.
