By Walt Boyes 

Our last article identified some serious and quantifiable risks for cyberinfrastructure failure not caused by external threat actors. These risks form the basis for most cyber threats OT companies face. 

Are there real external threats? Of course. However, many OT companies don’t understand that these numbers are extremely small compared to the internal risks we identified.

The fearmongers in OT security

Unfortunately, cybersecurity companies have raised so much fuss and dust about external penetration of your OT systems that people aren’t even thinking about the basic blocking and tackling. Rigorously doing so can strengthen your systems so that external penetrations do not find easy entrance or easy marks once inside. 

It isn’t sexy. It isn’t exciting. But protecting your systems, people, and products is the most valuable thing you can do.  


So why aren’t we doing this? The vast majority of cybersecurity companies are selling detection services. That is, they are focused on finding and clearing external threats. Not only are they focused on external threats; many of them also pay teams of “researchers” to find and expose new vulnerabilities in OT products. Some of these cybersecurity companies publish exploit frameworks, a “how to” manual for hackers. Very few people call out the big cyber companies for what they are doing: demand generation marketing, based on creating increased fear. Attaching suggestive names to malware, such as Industroyer! or Crashoverride! and many more, can push you, and more likely your management (who usually are neither IT nor OT systems savvy), into spending copious amounts of money when the risk of suffering disastrous consequences is astronomically low. The money goes away, and your systems are not any more secure than they were.

As long as the big, venture-capital-based cybersecurity companies continue to make money, they will continue to do this to you. 


Treating OT security fearmongering 

If you weren’t half-deafened by the screaming cybersecurity companies, what do you think you would do to mitigate this set of risks?

Just as in defending against cardiovascular disease, your physician would suggest that you begin with a detailed physical examination and then get set up on a regular exercise program and proper diet based on that examination.

Continuing the analogy to a physical examination, you must first inventory your OT assets. This means you need to identify every computer, network appliance, PLC, industrial controller, software-driven display, and so forth that you find on your OT network. You also have to determine the age, physical revision number, firmware, and software revision numbers of all of those OT devices, just like a physician needs to determine if your heart, lungs, liver, and all your other organs are operating normally. 

Moving from the physical examination to the real world is quite difficult. You won’t arrive at a useful OT asset inventory without contextual metadata. Just having IP addresses, the serial number, firmware version, and device type is not enough. 

But how many 192.168.0.5 devices are there in your network? You don’t know, and conventional “sniffer programs” won’t be able to tell you.
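As an added illustration (not code from the article), the small Python inventory model below shows why an inventory keyed on IP address alone silently collapses records when several network segments reuse 192.168.0.5, while keying on contextual metadata (site and cell, plus the revision fields the article lists) keeps every device distinct. The field names and the sample records are constructed assumptions.

```python
# Added example: OT asset inventory keyed on context, not on IP alone.
# All field names and sample records below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    site: str          # plant or facility (contextual metadata)
    cell: str          # process cell / network segment (contextual metadata)
    ip: str
    device_type: str   # PLC, HMI, switch, ...
    hardware_rev: str  # physical revision number
    firmware: str      # firmware revision
    software: str      # application software revision
    install_year: int  # used to estimate device age

# Constructed sample: two plants using the same private address plan, so the
# same IP shows up in three different places.
SAMPLE_ASSETS = [
    Asset("plant-a", "cell-1", "192.168.0.5", "PLC", "rev-b", "2.1.0", "n/a", 2012),
    Asset("plant-a", "cell-2", "192.168.0.5", "HMI", "rev-a", "1.4.2", "hmi-5.0", 2018),
    Asset("plant-b", "cell-1", "192.168.0.5", "PLC", "rev-c", "2.3.1", "n/a", 2020),
    Asset("plant-b", "cell-1", "192.168.0.7", "switch", "rev-a", "4.0.0", "n/a", 2015),
]

def index_by_ip(assets):
    """Naive inventory keyed on IP only: later records overwrite earlier ones."""
    return {a.ip: a for a in assets}

def index_by_context(assets):
    """Inventory keyed on (site, cell, ip): each device keeps its own record."""
    inventory = {}
    for a in assets:
        key = (a.site, a.cell, a.ip)
        if key in inventory:
            raise ValueError(f"duplicate asset record for {key}")
        inventory[key] = a
    return inventory

def ip_collisions(assets):
    """IPs that occur in more than one context; a plain sniffer cannot tell these apart."""
    seen = {}
    for a in assets:
        seen.setdefault(a.ip, []).append((a.site, a.cell))
    return {ip: ctx for ip, ctx in seen.items() if len(ctx) > 1}

def older_than(assets, year):
    """Devices installed before `year`, one input to an age-based risk review."""
    return [a for a in assets if a.install_year < year]
```

Running the two indexers over the same sample shows the IP-only inventory retaining two of four devices, while the context-keyed one keeps all four and flags 192.168.0.5 as appearing in three places.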


This is the second article in a four-part series. The next article will be published on April 20, 2025.