Summary: Andrew Ginter makes a plainspoken case for his view of what Secure Operations Technology (SEC-OT) means. The key point that diverges from the mainstream of ICS security thought is:
Forbid firewalls as the connection between ICS and IT networks – permit only unidirectional gateways. SEC-OT practice: one layer of unidirectional gateways in a defense-in-depth architecture.
Why To Read This Book
There are two reasons to read this book. First, Chapters 1 – 4 and portions of other chapters give some very direct and easy-to-understand advice on ICS security, much better than most of the ICS guideline documents. This is a credit to Andrew’s writing style, and to the fact that he didn’t need to convince a committee of people to agree on the language. If you need to learn about ICS security, and can set aside the strict unidirectional doctrine, this is a book worth reading. You can excerpt sections to share with others if you are having trouble explaining some basic ICS security principles.
Second, the unidirectional gateway reference architectures in Chapter 6 represent the definitive collection of this type of information, better than anything Waterfall, Owl or any of the other one-way vendors have put out. It will show you how and where you can use this technology, and it even showed me a few more places to consider deploying one-way devices.
What I Didn’t Like / Agree With
While I’m a huge fan of one-way devices for specific ICS security applications (such as data export to the cloud and sending data from a safety system to a control system), I disagree with Andrew’s primary tenet of SEC-OT. Only a small subset of sectors or companies will accept this limitation on communication today, and that subset will shrink in the future. Connectivity and bi-directional communication are growing because of the huge benefits this communication can provide. Yes, it does introduce risk, but just saying no to communications that provide a large positive business impact is not the answer today, and the trend runs very much against the approach Andrew calls SEC-OT.
The anecdotal approach to assessing risk in Chapters 10 and 11 has some merit, but I would use a modified version of it, and only as an adjunct to a risk assessment process. Andrew’s approach is to identify 20 ICS cyber attacks and then check whether the suggested security controls would prevent each attack 100% of the time. The 100%-of-the-time criterion obviously helps the one-way case and precludes other security controls from scoring well and being considered. The 20 ICS cyber attacks are an obviously arbitrary and incomplete set, and the analysis requires assumptions. That said, you can use some or all of this list, so Chapter 11 does serve as a good reference.
See Andrew’s S4x19 video, which includes my interview with Andrew.