The ICS security community often has instances were very talented, hardworking people spend days arguing about high level terminology. Passionate, well thought out, and well written or spoken content on why one term is better than another. This happens on a variety of lists and industry efforts.
- What is the right term? ICS or IACS or OT or IIoT?
- Are ICS and OT synonyms? Is one a subset of the other?
- CIA (or AIC) or SRA?
I have my own opinions on various high level terminology. For example, I hate the term cyber hygiene. It’s misleading putting all good practice security controls under the term cyber hygiene. When it first came out I wrote articles and even did a podcast episode in May 2018 on why we should not use this term as a substitute for good practice.
Despite my abhorrence, the term cyber hygiene caught on and is widely used. Who could be against hygiene? I’m not going to stop its widespread use or get people to move to a term I prefer, any more than we will get people to stop using cyber.
Once cyber hygiene was widely accepted and used, I started using it as well. It’s an aid for communication. Now I’m making the contrarian point that focusing efforts on cyber hygiene, as it is generally understood and used, is a mistake in the OT world. It’s the wrong way to apply resources to reduce and management risk.
Of course, everyone is free to argue against any terminology. At a certain point it is fruitless, a waste of time. When we have so many challenges and areas that need progress, it seems like a poor use of a lot of talents’ time. Better to use that term you dislike but is widely understood to communicate with the people you are trying to help.