I firmly believe that value engineering is the solution for our industry’s customers, but let’s first start with the problem.

The world’s mission-critical infrastructure is under increasing pressure from attackers, yet only a tiny sliver of organizations, both commercial and public sector, are actually implementing cyber security in their industrial control systems (ICS) and cyber-physical systems. That is where our OT cyber security industry stands today.

For the past couple of years we’ve been saying that the cure is worse than the disease. This hasn’t changed. We, as an industry, are asking customers to spend millions of dollars over many years to protect their OT. And in the first year or two we offer no actual protection: we deliver assessments, lists of vulnerabilities, and a roadmap. Worse still, that roadmap almost always requires days and days of planned downtime. In short, we are asking customers to turn off their operations so we can re-architect their networks and install our solutions.

Turning off their operations is a non-starter for OT

The downtime alone will often cost them more than the ransom would if they got hacked. And, unlike a hack, the downtime is certain: it is not a potential risk, it is written right there on the roadmap. The planned downtime could easily be 20x the cost of the ransom.

Don’t get me wrong, as a security engineer I know that a hack could very well create a debilitating loss of trust in your market, which could be even worse than the downtime or the ransom. But, in short, the math isn’t there for clients. We are making it too expensive and too painful.

What our industry’s customers say they want is protection. What they actually want is uptime. This is why we need to deliver value engineering.

Instead of jumping in with tools, map out the process and ask whether you are willing to do the work to keep each step operationalized. If you are going to look at patching and vulnerability management, are you willing to patch monthly? Can you even patch the devices, or are they end of life? Do a sniff test: are you patching in OT right now? If not, then of course you are going to have vulnerabilities, and it is better to prioritize network segmentation and attack surface reduction first and move to patching afterwards. Lastly, if you are going to put in a visibility tool, will you have people in chairs constantly monitoring it? Is the network even capable of responding to a threat, or do you need segmentation in place before you can contain anything? Will the business tolerate the patching that the findings will demand?

We need to identify the crown jewels of their processes and help ensure those are segmented and encrypted. We should plan on the assumption that they will get hacked, and segmentation and attack surface reduction are the most effective tools we have to start with. That work belongs at the top of the roadmap. And, as mentioned, we need to do it without requiring any new downtime.


Conclusion

As an industry, we need to prioritize making progress on actual protection over checking compliance boxes. Most things in a business come down to a finance question: a trade-off between cost and risk. If we, as an industry, can work together to produce more value engineering-oriented strategies, OT security as a whole will elevate itself. We’ll earn the right to expect the market penetration that will not only create a larger pie for all of us but, more importantly, let us help more organizations implement the cyber security we know they need.