First and foremost, let me wish all of my friends, colleagues and all of the amazing people I meet when travelling in the USA a happy Fourth of July! Today is a day of importance, celebration and a demonstration of national pride for a great nation. And it is timely, indeed, that just this last week I got to spend some time with a very wise, well-experienced ICS security expert who is working to establish an enterprise-wide OT security program across their fleet of facilities.
The reason it is timely is that during our time together he shared with me the notion that guides his every decision and path towards better security, namely: Security is not theatre. This, to me, means two things, or rather is an observation about two related but different behaviours. The first is that many people are providing, buying or installing security tools or technology simply for the 'gold star' or 'big green checkmark' on an annual report. Often driven by well-intentioned experts who find big, gaping holes in OT security and report them to the board, this translates into treating symptoms rather than addressing the cause. In other cases it prioritizes traditional IT risks and expects them to be remediated immediately in the OT realm. Well, I can tell you that trying to apply relatively mature security practices in a world where a reasonably accurate inventory does not even exist is a recipe for chaos.
The second observation, however, is the one that is more troubling to me, because at least in the first case *someone* is doing *something*. The second form of theatre is the tendency to take the easy path: starting with some form of insight or improvement without truly addressing the underlying needs. I continue to see organizations buying into marketing hype and putting good money into advanced security tools (like network anomaly detection) before they even have an inventory. And I know, the argument is that the passive tool can give you the inventory, right? Let's be honest. That is not the type of inventory we really need in order to prioritize and plan a robust security program. (P.S. What happens when the detection tool tells you about a problem? Do you have the tools to correct, protect and recover?) Take a look at the following security disciplines mapped against the five NIST CSF categories. Note that you start at the beginning with the important but not-so-easy stuff (like inventory) and THEN you layer on advanced monitoring and detection/profiling algorithms.
I get it. You could argue that my point (and the table) above is merely opinion, and a biased one at that. You could also argue that a basic inventory is better than no inventory. But that right there is my primary point. A half-assed pass at something that is important but, for many, seemingly difficult is really just putting lipstick on the pig! If we truly want to make a change in OT security we need all of the components above. But first we need to prepare ourselves to dig deep, tackle the whole problem, and build useful, sustainable, valuable components of a multi-tiered program. We can't continue to merely 'comply' with board- or regulator-driven checklists, and we certainly cannot expect to build a useful, effective program if we don't first look long and hard at what we truly need (inventory, more staff, priority, a road map to a target desired end state). Security is not theatre. Those who get it are building realistic, sustainable, scalable solutions that truly protect.
Happy Fourth of July everyone!