We have mantras in ICS security and OT that we say, and mostly believe, but we don’t act as if they are true. My favorite is OT is different than IT. Have you ever heard that before? Have you ever said it? When I hear someone say this what they usually mean is:

keep your IT security good practice crap out of my OT

If we really believe this mantra, if you really believe this mantra,

what are the new or different OT security controls or cyber risk management techniques that you are proposing for this different OT world?

We have seen IT technology and practices and IT security controls modified for the OT world. This is primarily adding ICS protocol awareness to IT security tools. Detection tools are ICS protocol aware. Some firewalls / perimeter protection devices have added ICS protocol deep packet inspection. Splunk and ServiceNow have added ICS fields to their constructs. These are only tweaks, added intelligence to IT tools.

We also see many IT security good practices modified for use in OT.

Wracking my brain to think of an OT security solution that is not a modified IT solution, the closest I can come is the one-way data diode device. While it is not unique to the OT world, it is where it gets the most traction.

One uniquely OT area that I believe shows great promise is process variable anomaly detection: a technique that can find all causes, not just security, where the process being monitored and controlled isn’t right, or isn’t being reported correctly up to the ICS. We are still in the early days of this, and a major challenge will be in making it practical and affordable for all, not just the most expensive and most standardized systems.
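To make the idea concrete, here is an added toy example (it is not code from this post or from any product mentioned here) of one form process variable anomaly detection can take: a physics-based consistency check. The tank geometry, flow rates, level readings and tolerance are all constructed values. Each reported tank level is compared with the level that the previous reading plus the measured inflow and outflow predict; a residual beyond the tolerance is flagged whether it comes from a stuck sensor, a process upset, or values being manipulated on the way up to the ICS, which is exactly the "all causes, not just security" property described above.

```python
"""Toy process-variable anomaly detector: a mass-balance check on a tank level.

Added example, not from the original post. All plant values are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

TANK_AREA_M2 = 2.0     # constructed: tank cross-sectional area
TOLERANCE_M = 0.05     # constructed: allowed residual before a reading is flagged


@dataclass
class Sample:
    """One historian row: timestamp, flow measurements and the reported level."""
    t: float            # seconds
    inflow_m3s: float
    outflow_m3s: float
    level_m: float      # level as reported to the ICS


def expected_level(prev_level_m: float, inflow_m3s: float, outflow_m3s: float,
                   dt_s: float, area_m2: float = TANK_AREA_M2) -> float:
    """One-step mass balance: level change = net volume in / area."""
    return prev_level_m + (inflow_m3s - outflow_m3s) * dt_s / area_m2


def detect(samples: List[Sample],
           tolerance_m: float = TOLERANCE_M) -> List[Tuple[float, float, str]]:
    """Return (timestamp, residual, hint) for every reading that disagrees
    with what the previous reading and the flows say it should be.

    The check is cause-agnostic: a frozen transmitter, a real process upset
    and a replayed "all is well" value all produce the same kind of residual.
    """
    findings = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        predicted = expected_level(prev.level_m, prev.inflow_m3s, prev.outflow_m3s, dt)
        residual = cur.level_m - predicted
        if abs(residual) <= tolerance_m:
            continue
        if cur.level_m == prev.level_m:
            hint = "reported level unchanged while flow imbalance predicts change"
        else:
            hint = "reported level deviates from mass balance"
        findings.append((cur.t, round(residual, 2), hint))
    return findings


# Constructed historian data: 0.1 m3/s in, 0.05 m3/s out, sampled every 10 s,
# so the level should rise 0.25 m per sample. At t=40 the reading is frozen.
SAMPLE_DATA = [
    Sample(0.0, 0.10, 0.05, 1.00),
    Sample(10.0, 0.10, 0.05, 1.26),   # small noise, within tolerance
    Sample(20.0, 0.10, 0.05, 1.49),
    Sample(30.0, 0.10, 0.05, 1.75),
    Sample(40.0, 0.10, 0.05, 1.75),   # stuck/replayed value
    Sample(50.0, 0.10, 0.05, 2.26),   # physically plausible again
]


if __name__ == "__main__":
    for t, residual, hint in detect(SAMPLE_DATA):
        print(f"t={t:>5.0f}s residual={residual:+.2f} m  {hint}")
```

The one-step form used here catches sudden disagreements (a stuck or replayed reading, an abrupt process change) but, because each prediction restarts from the last reported value, a slow sensor drift stays inside the tolerance; a practical deployment would add a longer-horizon model for that, and the cost of building and maintaining such models per process is the "practical and affordable" challenge noted above.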

I’m sure there are more that I missed, but they don’t get much attention in the OT / ICS security community. We probably should either stop saying OT is different than IT and using it as an excuse for the much lesser security posture in OT, or come up with OT specific security controls.

What are new and different OT specific actions we can take to prevent a cyber or cyber/physical attack from causing an incident with a major financial, human safety, environmental, customer or societal impact?

This was the second technique, “the literal”, that I gave in my opening keynote at S4x22 on how to engage in No Limits thinking. The 10-minute video is below.