I’m a big fan of cover songs. Not the covers that become more popular than the original. Rather the odd cover that it takes you 5 seconds to realize it’s a cover of a song you know and like. They’re not always good, rarely better, but often interesting.
A lot of what we do in OT security is essentially an interpretation, a small change to what is done in IT security. My team at Digital Bond has had a long list of firsts largely based on being a cover band. We looked at what was being done in IT security, and figured out how to tweak it so that it provides value in OT.
Typically the OT security cover isn’t that different from the IT security original. It might be different protocols, different precautions or actions to do no harm, different terminology, or different reporting or analysis. There is nothing wrong with creating or using an OT security cover. We should use what works.
The OT is different than IT mantra is so strong. If this mantra is true, and it’s not all T (ht: P Miller), why don’t we see more original OT security work? I hunt for it every year to put on the S4 stage. I see great adaptions and improvements, and I rarely see something that is not an IT security cover. Process variable anomaly detection is one OT security original that comes to mind. My guess is there is more. Maybe we aren’t creating these new ideas and innovations because there is so much unrealized potential from existing OT security covers.
If we are going to see some new and original OT solutions, I think it will be in OT cyber risk management rather than OT security. Particularly on the consequence side of the risk equation. This still is largely ignored. Although I wonder if what we will see is engineering and safety covers where we get some quick wins and others can add to their list of firsts.