It’s summer, and I’m on vacation. So here is a light, breezy article to not take too seriously. Below are my non-scientific, highly US-influenced (filter bubble warning) rankings of the ICS buzzwords, rated by popularity and impact.
- Ransomware … Number 1 is an easy decision given the headlines and its indirect cause of production outages and delays in OT, although the high-profile incidents have not had ransomware on OT. I hope awareness of and action on the dependence of production on IT cyber assets is an outgrowth of this buzzword, and obviously a hard look at recovery of production capabilities.
- Regulation … This would have been low in the top 10 prior to ransomware, but the Colonial Pipeline incident rocketed this up to #2. In the US this can be both new legislation and executive action based on existing authorities. I’m not optimistic (hope I’m wrong) it will have much impact on OT cyber risk, but it will introduce more regulatory risk.
- Visibility … Is it the chicken or the egg? Either way the large VC investments in OT visibility and detection products have led to a large and effective marketing push to move visibility up to the top of the list in government, media and executives’ minds. Higher, and earlier, than I believe is warranted from a risk reduction standpoint, but give the messengers credit.
- SBOM / Supply Chain … some would say this is part of visibility, but the efforts, solutions and vendors are different for OT SBOM and OT visibility. It’s the very early days of OT SBOM, similar to where Claroty/Dragos/Nozomi were in 2017.
These two are related as digitization is a driving force in what people are calling IT/OT convergence, and is actually IT/OT integration. I’m hearing more about the benefits and inevitability of digitization than I am about IT/OT, IT v. OT, convergence, etc. Although it could be that I’ve just tuned that out.
- OT Security Market Size … two $100M VC rounds for OT security companies with post-money valuations close to $1B means that the investors believe there will be multiple, multi-billion dollar companies in the space. Two years ago I would have bet an OT security company IPO wouldn’t happen. Now I’d bet the other side.
- OT Use of Cloud / Edge … related to digitization and convergence, but listed here as a separate buzzword. We still see minimal security efforts or discussion around securing anything that is closed loop cloud services, even while it is creeping into many sectors and asset owner ICS subsystems.
- Consequence Reduction … if I could pick one buzzword to move up the list it would be this. The CCE book came out and got some buzz, but it’s faded. Colonial Pipeline was tailor-made to launch a consequence reduction movement, but instead is resulting in recommendations and requirements that will reduce, but far from eliminate, the likelihood of it happening again. Perhaps it is human nature that we want bad things to stop rather than admitting they will happen and being ready to go on when they do.
- 2-Factor Authentication for Remote Access … Not because it’s a must-have, second-thing-after-a-firewall security control, and has been for years. It’s because we have US Senators, asset owner executives and others with little cyber security background using these words and saying it is necessary.
Remember this is my view of buzz, not my view of the top ten issues the ICS security community should focus on. What did I miss? What did I get wrong? Now back to the lake.