I recently spent time with a very wise and experienced ICS security expert who is working to establish an enterprise-wide OT security program across their fleet of facilities.
During our time together, he shared the notion that guides his decisions towards better security: "Security is not theatre." This is really an observation about two related, but different, behaviors.
Cyber Security Challenge #1: Taking action without addressing the true problem
The first is that many people are providing, buying, and installing security tools or technology simply for the 'gold star' or 'big green checkmark' on an annual report. This is often driven by well-intentioned experts who find big, gaping holes in OT security. They report the gaps to their board, and the response translates into treating symptoms without addressing the cause.
In other cases, the program prioritizes traditional IT risks and expects them to be remediated immediately in the OT realm. Attempting to apply relatively mature security practices in a world where a reasonably accurate inventory does not even exist is a recipe for chaos.
Cyber Security Challenge #2: Taking shortcuts but missing the bigger picture
The second observation is more troubling, because at least in the first example *someone* is doing *something*. The second form of theatre is the tendency to take the easy path.
It is taken by those who choose to start with some form of insight or improvement without truly addressing the underlying needs. I see organizations buying into marketing hype and putting good money into advanced security tools (like network anomaly detection) before they even have an inventory.
The argument is that the passive tool can give you the inventory. If we're being honest, that is not the type of inventory we really need to prioritize and plan a robust security program. What happens when the detection finds a vulnerability? Do you have the tools to correct, protect, and recover?
NIST Cyber Security Framework and Your Top Initiatives
The following security disciplines are mapped against the five NIST CSF categories. You start at the beginning with the important but less easy tasks (like inventory), and then you layer on advanced monitoring and detection or profiling algorithms.
You could argue that my point and the table above are merely opinion, and a biased one at that. You could also argue that a basic inventory is better than no inventory. But that right there is my primary point. It does you no good to take something so important and cover it with a band-aid. You will regret this treatment in the long run.
To truly make a change in OT security, all of the components are needed. But first, we must prepare ourselves to dig deep, tackle the whole problem, and build useful, sustainable, valuable components of a multi-tiered program.
Complying with board or regulatory-driven checklists won't get us where we need to be. And we cannot expect to build a useful, effective program if we don't understand what is truly needed (inventory, more staff, priority, a road map to a target desired end state).
Security is not theatre. Those who grasp this concept are building realistic, sustainable, scalable cyber security solutions that truly protect.