Jake Brodsky, Joel Langill and Dale Peterson on the S4x18 Main Stage

Nassim Taleb discusses the concept of Iatrogenics in his book Antifragile. It is commonly applied to medicine, but Taleb applies it to the financial market and proposes it could be applied to other areas. We had a panel at S4x18 that dug into the issue of how to determine when security controls are doing more harm than good.


I was joined on stage by Jake Brodsky and Joel Langill. Jake is famously conservative when it comes to applying security controls, and Joel is a big proponent of some security controls that Jake would pass on. And all three of us are highly opinionated, so it made for an interesting discussion.

Applying security patches was an area where there was broad agreement that there are many security patches where applying the patch does more harm than good. This was used as an example and led us to areas where there was disagreement on whether a security control did more harm than good. These included:

  • Active Directory for computer and user management
  • Active Directory or similar for future PLC and other Level 1 user and device management
  • Internal ICS Security Zones
  • Many Roles (beyond Operator, Engineer, Administrator)

The specifics of each example are discussed. While the answers varied between the three of us, there was agreement on criteria such as size of the ICS, complexity of the ICS, and stability/frequency of change of the ICS.

This episode was sponsored by CyberX. Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX has developed an end-to-end platform for continuous ICS threat monitoring and risk mitigation.

Check out the CyberX Global ICS and IIoT Risk Report and my podcast from last year on the report with Phil Neray.