Seth Godin manages to pack a lot of wisdom into his short daily blog posts. This one hit me last week (key excerpt below).
Generally, the advice isn’t really the hard part. There’s endless good advice just a click away. … We might not need better advice. We might simply need to do the work of being able to work with the good advice we already have.
Jen Easterly and the team at CISA have put out a lot of (mostly) good, 101-level advice over the last four years. So have the Department of Energy, foreign government agencies, industry groups, standards organizations, and even consultants and pundits. Most of it isn’t new or noteworthy. It’s conventional wisdom and good practice that has been documented for years or even decades.
The latest Secure By Design and Secure By Deployment program documents are great examples. They aren’t wrong, and they aren’t new. The companies that signed the pledge didn’t think, “now CISA has told us how to do Secure By Design and we can start doing this”. Their teams are filled with smart people who already knew everything that was published and more.
One of the creators and authors of Microsoft’s Security Development Lifecycle (SDL), Steve Lipner, gave the keynote at S4 in 2008. You could call the SDL an early version of Secure By Design. The advice captured in the SDL book he co-authored was important. More important was the fact that Microsoft took action to implement the SDL and dramatically improved the security of its products.
After S4x08 I know of a few ICS vendors who embraced the SDL, took action, and improved their products’ security. Even with the knowledge, it wasn’t a straightforward path. But they wouldn’t have experienced and learned from the mistakes if they hadn’t taken action.
OT security professionals and the companies they work for don’t need more high-level advice. A lack of 101-level advice on what to do isn’t what is slowing people down. There is too much advice. It exceeds what any asset owner, vendor, or regulator can take in and act on.
The challenges for OT security professionals, where we need their experience and talent, are to:
- decide what advice to take
- prioritize with their limited time and money
- actually take action
- measure the results