IT Security May Be Harder To Change

My article two weeks ago, Isaac Newton, Inertia and OT Security, discussed that OT Security / Operations inertia and IT security inertia was preventing progress in securing ICS, and how COVID-19 could be an unbalanced force to the speed and motion of Operations. The comments on the article delivered personally and via social media served as an exclamation point to the article.

With few exceptions, those from the Operations side said IT didn’t understand ICS and are not part of the solution. The smaller number commenting from the IT security side said Operations hadn’t done much to solve the problem and didn’t understand cybersecurity, so they need to step in. Very rare was the look in the mirror and realization that we (whatever side you are on) have not succeeded, not made substantial progress, and we need to alter our approach and bring in help from the other side. Instead, it was another exercise of the reflex to go to the OT v. IT argument.

Operations has been consistent for decades, saying basically if you don’t come from Operations you should stay out. Some stating in a very straightforward manner that engineers need to be the lead in securing ICS. (to which I often wonder who or what has stopped engineers or more broadly Operations from doing this? Even if you accept, which I don’t, the ‘it will take decades’ argument, it has been two decades.)

Still I’m more optimistic about change occurring in Operations, as compared to the IT Security. Optimistic even though Operations has shown to have much more mass and inertia, like the pictured mining hauler compared to the pickup truck. The reason? Huge unbalanced forces that I mentioned briefly in the last article. The biggest new force is CISO’s are being held responsible for OT Security, as Dave Weinstein explains in the short video clip below.

The CISO having responsibility will not solve all OT Security problems. It will, however, bring change. If the CISO’s neck is on the line, they will not accept the stiff arm Operations has used to stop change. The contention that ICS can’t be secured, can’t be changed, and progress will take decades is not an answer the CISO will take to the CEO and Board when their career is on the line.

The bigger concern, in my opinion, is IT Security inertia. They have developed a set of good security practices and corresponding metrics for successful implementation of those practices. These practices are typically being applied to OT Security by the CISO or on recommendation from the consultants the C-levels and Boards are hiring to get this ICS cyber risk thing under control.

Where is the unbalanced force that will cause the CISO, now in charge of OT Security, to change familiar security controls and metrics to those that would result in effective risk mitigation and management in OT? Operations, by often denying the risk and then not addressing the risk for a long time, has lost a lot of credibility to push back. So even if Operations makes the case that a set of security controls, such as emphasis on widespread OT security patching, is ineffective in OT, it likely will be viewed as another instance of Operations intransigence against any change to their way of life.

So how do we break this IT Security inertia?

I’m open to suggestions. My best answer today is the large asset owners who are doing OT Security best need to step forward, explain what they do and why, and how they are measuring success. There are companies, especially in oil, gas, and chemical but also in other sectors, who have been working hard on OT security for over a decade. They have made a lot of mistakes, had a lot of failed efforts, including trying to use IT Security controls and metrics. They now have a better set of risk based security controls and metrics, as well as a strategy and tactics to improve over the 1-3 years.

Companies are reluctant to discuss their OT Security efforts in an effort to keep their heads down, not be a target. There is a risk though that if the leaders who have identified and implemented a risk-based approach to securing ICS remain quiet, an IT Security set of controls could become the measurement that insurance companies, credit rating companies, regulators, and the large consultant’s Boards listen to use.