By Walt Boyes
When you want to control something, you must measure it. You cannot control something you cannot measure. That is what we do in OT: we measure and then control the variables that are meaningful to the process we manage. There are other variables available to us, but they are not meaningful to the process, and so we ignore them.
But the way we handle OT security is not how we handle process control. We are entirely reactive to problems and perceived or potential attacks on our OT networks. We scurry from one attack vector to another without a clear understanding of what we are doing or how these attack vectors will affect the OT processes we are supposed to control.
OT threat detection vendors’ needless fearmongering
Unfortunately, the big cybersecurity companies encourage this by publishing lists of new vulnerabilities and patches daily. Every new vulnerability in the OT space must take first priority over all the other vulnerabilities already exposed—without much regard for the probability the new vulnerability is destined to cause problems in your network. It isn’t an accident that we all feel overwhelmed by the concept of OT vulnerability management.
So, let’s take a step back for a minute. Let’s look at what we have that we can measure and control and what we can’t. We have a whole plant full of assets. We know what they are, or we can know what they are if we do an OT asset inventory. We are completely in control of the assets we have.
In comparison, with vulnerabilities, we never know their status, which one is the most important, which are critical, or whether a new vulnerability will knock all the other vulnerabilities out of order so that we have to start over again in planning to maintain the OT cyber systems we are responsible for.
Patching without prioritization is useless
And what do we do? Every Tuesday, we get new patches from Microsoft and other software vendors. We get patches from every hardware and firmware vendor from time to time. We must determine which of our OT assets have been updated and whether the update works as advertised. In the back of our minds, we remember a previous patch from a very large OT controls software vendor that worked fine for 364 days and then locked the whole system up—bricked it. We don’t know whether to apply patches to older systems or let them stay vulnerable. We are, in fact, not in control of the OT assets we think we are.
Our OT assets come in differing forms: hardware, firmware, and software, and we don’t always know which is which. Sometimes it is very hard to get to the physical device because it is three stories up above a catwalk, or it is in a hazardous area. Often, the “as-built” drawings and the process and instrumentation design (P&ID) schedules are out of date and go uncorrected for years.
And on a daily, weekly, or monthly basis we must report to management how secure our OT assets really are.
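To make the argument above concrete, here is an added Python sketch (not code from the article or from OTbase) that starts from the thing we can measure, an asset inventory, and checks an advisory feed against it, so that only advisories matching an asset we actually own get a priority, weighted by process criticality and network exposure rather than by the vendor's severity alone. The asset tags, vendor and product names, versions and advisory IDs are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    tag: str          # plant tag from the inventory, e.g. "PLC-301" (constructed)
    vendor: str
    product: str
    firmware: str     # installed firmware/software version, dotted
    criticality: int  # 1..5: process impact if this asset fails or is lost
    exposed: bool     # True if reachable from the IT/business network

@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder IDs; real feeds carry vendor/CVE identifiers
    vendor: str
    product: str
    fixed_in: str     # versions strictly below this are affected
    cvss: float       # vendor/NVD base score, 0..10

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def affected(asset: Asset, adv: Advisory) -> bool:
    """An advisory applies only to a vendor/product we own running an unfixed version."""
    return (asset.vendor == adv.vendor and asset.product == adv.product
            and version_tuple(asset.firmware) < version_tuple(adv.fixed_in))

def prioritize(inventory, feed):
    """Return (asset_tag, advisory_id, score) sorted highest priority first.
    Score = criticality, doubled for exposed assets, plus a small CVSS tiebreaker,
    so what we know about our plant outweighs the feed's own severity rating."""
    hits = []
    for asset in inventory:
        for adv in feed:
            if affected(asset, adv):
                score = asset.criticality * (2 if asset.exposed else 1) + adv.cvss / 10
                hits.append((asset.tag, adv.advisory_id, round(score, 2)))
    return sorted(hits, key=lambda h: h[2], reverse=True)

def noise(inventory, feed):
    """Advisory IDs from the feed that match nothing in the inventory: safe to ignore."""
    return [adv.advisory_id for adv in feed
            if not any(affected(a, adv) for a in inventory)]

# Constructed sample inventory and feed for demonstration only.
INVENTORY = [
    Asset("PLC-301", "VendorA", "ModelX", "2.1.0", criticality=5, exposed=False),
    Asset("HMI-12", "VendorB", "PanelY", "4.0.3", criticality=3, exposed=True),
    Asset("PLC-302", "VendorA", "ModelX", "2.4.0", criticality=5, exposed=False),
]
FEED = [
    Advisory("ADV-A", "VendorA", "ModelX", fixed_in="2.3.0", cvss=9.8),
    Advisory("ADV-B", "VendorB", "PanelY", fixed_in="4.1.0", cvss=6.5),
    Advisory("ADV-C", "VendorC", "RTU-Z", fixed_in="1.0.1", cvss=10.0),
]
```

Run against the sample data, the exposed HMI ranks above the isolated PLC despite the PLC advisory's higher CVSS, the already-patched PLC-302 produces no work item, and the perfect-10 advisory for a product we do not own is reported as noise.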
Every OT security journey begins with an OT asset inventory. Learn more about OTbase here.
This is the third article in a four-part series. The next article will be published on April 27, 2025. Part 1 and Part 2 precede it.