Let's compare and contrast different approaches to the development of an OT cyber security program. While there is a variety of approaches to developing security, our focus here will be on those who plan and those who act.
Planning the Development of a Cyber Security Program
Planners start by designing or establishing what they want to achieve. We call this "knowing what 'done' looks like". Typically, these are organizations that realize security is a program, like safety or maintenance, that requires insight, planning, and multiple projects over time to achieve a desired state. But most importantly, it requires patience. This seems to be one of the biggest challenges for many organizations who splurge.
Taking Action in the Development of a Cyber Security Program
Action is good: it means progress, but it can also bring challenges. This type of action is different from an IT rollout. This is the type of action that sees someone spending money and time on a technology or toolset that is ill-defined for their needs. It is equivalent to an impulse buy.
People purchase tools that don’t suit their ultimate needs. The most obvious example is buying a passive packet capture tool without having any clarity on your asset inventory. The passive tool can get you an inventory, right? A robust profile of your assets is much more valuable and more insightful than passive listening tools.
But even if you don’t care about the nuances between asset profiling and asset inventory from a passive tool, you surely must see the short-sightedness of buying a very technical tool set for what amounts to a byproduct of its intended design?
Passive tools and machine learning can be powerful in the hands of a mature security team that knows what it is looking at, has a host of other well-established tools and procedures, and has the budget to support and maintain these expensive tools. Otherwise, the investment is wasted at the front end of your security program until you grow into it.
Passive detection tools are valuable at the right stage and maturity level of your security program. They are not, however, the first thing you should buy.
This problem stems from those who rush to take action. They are too impatient to understand the intricacies of a robust, fully functioning security program and rush to make a purchase.
In most cases, the buyers try to short-circuit the actual heavy lifting and the slow, patient process most security programs require. Let's be honest, patching is neither sexy nor easy to do.
The other reason action is typically expedited is when a senior influence such as a board gets involved. They may have seen a pen test report or risk ranking from an IT vendor who focuses on pure risk, hence the need for immediate insight.
The pressure to turn on some form of monitoring/risk awareness is escalated. In our experience, a little bit of patience and support for building a more robust, repeatable and sustainable cyber security program results in better success and money well spent.