Here’s the text version of my S4x25 keynote delivered on Feb 12th. Of course you don’t get the seesaw that you have in the video.
What are you worth? Not as a person. As an OT security professional. What’s your value? How much more is your value than a studious entry level person, or AI? I believe your value will be largely based on your ability to make and communicate decisions on where to spend OT security risk reduction resources. And where not to spend resources.
I began working in OT 25 years ago and performed many OT security risk assessments. Notice I called them risk assessments. While they identified vulnerabilities, each vulnerability was rated in one of three risk categories. We called them Exposures, Concerns and Observations. Others do the same with different category names.
The assessment deliverable was typically a long report with 30 to 100 Exposures and Concerns. We had this large number even if we called “apply missing patches” one finding.
Clients were overwhelmed with the report. They were frustrated. We can’t do all that. Some clients just stuck the report in a drawer. We’d come back the next year for their annual assessment and see almost no change. Then I was frustrated. Sure, they paid good money, but what a waste of time. And a feeling of failure, I hadn’t helped them.
In 2007 one client finally said it. Your report doesn’t help me. I need you to tell me what to do first, second, third, and it’s got to be achievable. As a consultant with professional liability, I couldn’t leave out risks in the report. I could provide a list of recommended actions prioritized by efficient risk reduction. Where would they get the most OT cyber risk reduction for the next hour or dollar spent? What should they do first, second, third. In all future reports, we included a top 5 list of prioritized actions for the first 6 months, and another 5 for the next year.
After we started providing these Top 5 prioritized lists, we saw dramatic risk reduction in our clients. They weren’t overwhelmed. They applied their limited resources to a small number of achievable tasks that maximized risk reduction. They succeeded and could demonstrate this success to management. And maybe more importantly, they decided which of the much larger number of good security practices were not done. At least not in the first 18 months.
We need you, the true OT security professional, to set this prioritization. To make these decisions. Tailored to each asset owner and perhaps each site. Or we can continue to fail as a community in most things except for volume of guidance documents.
Prioritization and selection of what to do and what not to do is needed more than ever in 2025.
- In the United States, CISA has a list of 38 “practices with high-impact security actions that outline the highest-priority baseline that measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.” 38 that are highest priority!
- The IEC 62443 standard has 51 Foundational System Security Requirements.
The lists keep growing. Why? You’re more likely to be blamed for leaving something off your cyber hygiene list than you are for having too many items on the list. Have you felt the fear as a security professional? If I don’t say every security control is required, I’ll be blamed for a cyber incident.
These lists of security controls aren’t wrong. Very few are bad practices. You can argue in a perfect world they all make sense. But …
You can’t do it all. It’s too much. I say you shouldn’t do it all. Why spend money on a “good security practice” if it’s not appreciably reducing likelihood or consequence?
Even if your favorite company or industry group has narrowed it down to a top 5 or top 10 list, it’s at best a data point to consider and not something you, the OT security professional, should follow blindly.
There are commonalities in the vulnerabilities and issues we see. Even when I encountered asset owners with almost identical vulnerabilities, I found the top 5 recommended actions usually differed in each assessment. You need to use your judgment, not a top 5 critical controls list. This is where your talent comes in. Where your value is.
I don’t do much consulting anymore, S4 keeps me too busy. I did do an assessment last year. It was fun getting out there in the field, getting dirty, learning about a new facility and their business. Not surprisingly, their OT was largely unpatched. What may surprise you was applying patches was not in the top 5 recommended action list.
I don’t think I would have left it off the top 5 list ten years ago. What’s changed? Two things. One, I uncovered and considered a lot more choices for OT Cyber Risk Reduction.
I started writing this keynote thinking it would be about barbell theory. The idea that you can achieve success at a lower risk by addressing the two extremes on the spectrum, rather than focusing on the middle or a normal distribution. Nassim Taleb talks about this in finance with a barbell strategy in investments. His portfolio consists of high risk, high reward investments and near zero risk investments. Barbell theory applies to many disciplines outside of finance, including OT cyber risk management.
I thought about bringing out a barbell as a prop on stage. If you’ve ever lifted weights, you know how only a slight imbalance can cause an embarrassing accident. I brought this seesaw, this teeter totter instead.
We can reduce OT cyber risk by reducing the likelihood of a cyber incident or the consequence of a cyber incident that gets by all our security.
What’s been happening since the dawn of OT cyber risk awareness? We’ve been investing mostly, and in some cases exclusively, in OT security controls to reduce likelihood. We are unbalanced.
35 of those 38 CISA highest priority practices are to reduce likelihood. 48 of the 51 Foundational System Security Requirements in IEC 62443 are to reduce likelihood.
We keep putting more and more effort, whether it’s effective or not, on reducing likelihood, while expending little effort on consequence reduction.
The main reason security patching didn’t make the top five recommended actions in the assessment is we identified a large number of consequence reduction actions. It ended up that 3 of the top 5 actions prioritized by efficient risk reduction were consequence reduction actions. It really wasn’t even a hard decision to put those 3 in the top 5 once identified and analyzed. The risk reduction was so high for so little cost and effort.
I spent more time in this assessment than I would have ten years ago interviewing engineers, looking for ways to prevent a successful cyber attack that has complete control of OT from being able to cause a high consequence event.
I have a lot of people in this room and S4 sessions on cyber / physical and consequence to thank for this knowledge. It makes me more valuable than I was 10 years ago. More valuable than a top 5 list, or top 38 list, or top 51 list.
It would have been easier to follow those recognized lists. To tell the asset owner you’re not doing all the recommended cyber hygiene. They would have floundered with this advice. Your value is helping them make risk-based choices, and not limiting the options to choose from to security controls to reduce likelihood. Get balanced.
Remember I said there are two reasons why security patching isn’t in the top five list of the assessment. Reason 1 is we have a number of consequence reduction actions to consider.
The second reason: I’m using my knowledge and experience to evaluate and prioritize the potential risk reduction actions. Now I did that before, and I have to admit that I was held back by conventional wisdom. Easy answers. Things that you could put in the report and know most people would shake their heads yes, agree, sign off on.
It takes a bit more work to deviate from conventional wisdom, from those checklists, from what ChatGPT would tell you to do. You have to show the risk reduction achieved and cost of the various options. And explain to executives why they should make these choices.
What I did, and I’m encouraging you to do, is use your skills and your judgment to create your prioritized list of actions. Don’t fall back on: here’s the good security practice, the cyber hygiene that I’m recommending to cover my ass. Even though I know you won’t fund all of this. Even though I know if you gave me a huge budget I couldn’t do it all in the next 3 years.
You do need to know good OT security practice thoroughly, completely. Most of you at S4 probably give presentations at other conferences and in your company on OT cyber hygiene. It’s the baseline information to be an OT security pro. You need to know the rules before you can break the rules.
Learn the rules like a pro, so you can break them like an artist. – Pablo Picasso
I like Picasso’s quote even better. Maybe we need to see the job title of OT Security Artist.
Your value is you know when and how to break the rules. Alter the recipe. This is more important as the list of security good practices grows and becomes more and more impractical for most asset owners. Important, if you want to reduce OT cyber risk. Important to your value as an OT Security Professional. Your compensation, your desirability for future employers and customers.
You should prepare for the reality that parroting some guideline document and assessing whether a company is meeting a checklist isn’t going to be worth much as a job. This is an easy skill to train up and hire. And the novelty of OT is ending, whether you think this is right or not. I wouldn’t even call someone who can repeat and audit a guideline document an OT security professional, perhaps an apprentice.
All of you received a copy of my new book A Year In OT Security in your swag bag. You might think this is my checklist. It’s not. It’s a book of questions and tasks. I don’t know what’s right for your OT, but these are some of the areas and questions you should consider. These are the decisions you need to make. Two highly skilled OT security professionals here at S4 could take this book back to their water facilities, complete all the weekly tasks, and have very different OT security projects and programs.
Maybe you don’t want to do that hard work and analysis. Maybe you prefer to have someone tell you what to do, even if there isn’t enough time to do it all. Even if it won’t really make a difference. This book isn’t for you. In a sense, S4 might not be for you. Don’t worry. You will still learn a lot, meet great people, and have fun. And maybe we can turn you into someone who has a passion to Create The Future.
I frequently talk with someone who’s been put in charge of their company’s OT security. Let’s say it’s Steve who works for a manufacturing company with 60 plants. Steve reaches out to me for advice in selecting their OT asset inventory and detection solution, because I’ve covered this market since it began in 2016.
I likely won’t take the consulting gig, but I can point Steve in the right direction. First I need to understand, at a high level, Steve’s OT environment and current security program. Steve’s company is just starting with OT security. They have almost no OT security controls. OT and IT aren’t segmented. They’re on the same network. Even the PLCs are sitting on the corporate network.
Steve decided acquiring an OT asset inventory product is the first step to take, following the popular guidance, the marketing dollars, the mantra you can’t protect what you don’t know. Is this the right thing for Steve’s company to do?
Let’s go back to the seesaw again and use it to visualize leverage and efficient risk reduction. In this case risk is on one side of the seesaw, and we’ll place actions to reduce risk on the other side.
Did you ever climb on a seesaw with someone who weighs more than you? If you both sit on the ends it’s not a lot of fun. You’re stuck in the air, and your friend remains on the ground. But if the heavier friend moves far enough toward the center, the fulcrum, the opposite will happen. The heavier friend will be stuck in the air, and you’ll be on the ground. It’s leverage: you can move a heavier load with a smaller weight, or force, the farther that force is from the fulcrum.
We can think of efficient risk reduction as maximizing leverage. The greater the risk reduction achieved, the farther away from the centerpoint the security control or consequence reduction action is placed. The more leverage it will have to reduce risk.
Where we put the action on this seesaw is one of two factors. The other is the weight of the box representing the action. Think of the weight as an inverse relationship to the amount of time and money required to implement and maintain the action. The more time and money required, the smaller and lighter the box.
If we had a security control that cost $1 and achieved massive risk reduction, it would be a huge box placed at the end. Lots of weight with maximum leverage. If we had a security control that cost $100M and resulted in almost no risk reduction, it would be a tiny box placed near the center. Little weight and minimal leverage.
Let’s put it all together now. Steve is planning on creating, and hopefully maintaining, an asset inventory. A large project in time and money for his 60 plants, a small box. How much does this asset inventory reduce the likelihood of a successful OT cyber attack? I’d argue near zero likelihood reduction. It would be almost right on the center, no leverage, no risk reduction. If we take advantage of the OT detection capabilities in the asset inventory products, it will reduce likelihood and perhaps consequence. It will also cost more time and money. The box, the force on risk reduction per unit of resource would be smaller. I would put it here. Not a lot of risk reduction for the effort.
OT / IT segmentation, getting OT off the corporate network, would have the biggest impact on likelihood reduction, if it’s done right. It would be all the way out on the end of the seesaw, where it’s getting the maximum leverage. The box is small, because deploying OT/IT segmentation across 60 sites is a sizeable project.
Is OT/IT segmentation the best and first thing Steve should do? In my first decade in OT security I would have said yes. It’s always first since it reduces likelihood the most. Not so fast.
What about removing OT from the Internet? This is an easier task, a larger box, more force. And it is near the end, with maximum leverage and more weight. It would move risk more per unit of time and money. It’s higher on the efficient risk reduction list.
Let’s place the other three boxes. Secure remote access is also high risk reduction, maybe slightly less than these two.
Changing default passwords you might think would be maximum leverage, maximum likelihood reduction. This shows the need for and value of your judgment. Changing default passwords in PLCs or level 1 typically has minimal risk reduction. Changing default passwords in cyber assets accessible from outside OT has significant risk reduction.
Finally, let’s put replacing the PLCs with secure versions near the high risk reduction end, but it’s a huge expenditure of time and money, a small box, and it scores low on efficient risk reduction.
Of course you don’t need a seesaw in your office to take an efficient risk reduction approach. Make a list of the risk reduction activities and rate each of them on the resources required and the risk reduction achieved. Then prioritize these potential activities.
The cost data (the size and weight of the box) is a straightforward budgeting exercise. The risk reduction achieved, the placement of the box, is less straightforward, especially on the likelihood reduction side of the risk equation.
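To make that list-and-rate step concrete, here is an added example of my own, not code from the keynote or from any assessment: a small Python model of the seesaw. Each candidate action gets a relative cost (the weight of the box) and fractional likelihood and consequence reduction scores (how far out the box sits), leverage is risk reduction per unit of cost, and the candidates are sorted by leverage. The action names are Steve’s options from the talk plus one constructed consequence reduction action; every number is an assumption chosen to echo the relative placements described above, and the risk model (residual risk = (1 − likelihood cut) × (1 − consequence cut)) is also an assumption.

```python
"""Rank OT risk reduction actions by leverage: risk reduction per unit of resource.

Added example. All scores are constructed illustrations, not measurements from the
keynote or from any real site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    cost: float                   # relative time + money to implement and maintain (constructed)
    likelihood_reduction: float   # fraction of incident likelihood removed, 0..1 (constructed)
    consequence_reduction: float  # fraction of worst-case consequence removed, 0..1 (constructed)

    @property
    def risk_reduction(self) -> float:
        # Modelling assumption: risk = likelihood x consequence, so after both cuts the
        # residual is (1 - l)(1 - c) and the reduction is whatever is gone.
        return 1.0 - (1.0 - self.likelihood_reduction) * (1.0 - self.consequence_reduction)

    @property
    def leverage(self) -> float:
        # Seesaw torque: weight of the box (1 / cost) times its distance from the
        # fulcrum (risk reduction). Higher means more risk moved per hour or dollar.
        return self.risk_reduction / self.cost

    @property
    def side(self) -> str:
        # Which side of the risk equation the action mostly works on.
        if self.consequence_reduction > self.likelihood_reduction:
            return "consequence"
        return "likelihood"


# Steve's candidates from the talk, plus one constructed consequence reduction action.
# Scores are chosen to echo the relative placements described: asset inventory near the
# fulcrum, removing OT from the Internet far out and cheap, PLC replacement far out but heavy.
STEVE_ACTIONS = [
    Action("Remove OT from the Internet", cost=2.0, likelihood_reduction=0.60, consequence_reduction=0.0),
    Action("OT/IT segmentation across 60 plants", cost=8.0, likelihood_reduction=0.70, consequence_reduction=0.0),
    Action("Secure remote access", cost=3.0, likelihood_reduction=0.50, consequence_reduction=0.0),
    Action("Change default passwords on assets reachable from outside OT", cost=1.0, likelihood_reduction=0.25, consequence_reduction=0.0),
    Action("Change default passwords on PLCs (level 1)", cost=1.5, likelihood_reduction=0.05, consequence_reduction=0.0),
    Action("Asset inventory across 60 plants", cost=7.0, likelihood_reduction=0.05, consequence_reduction=0.0),
    Action("Asset inventory plus OT detection", cost=9.0, likelihood_reduction=0.15, consequence_reduction=0.10),
    Action("Replace PLCs with secure versions", cost=25.0, likelihood_reduction=0.70, consequence_reduction=0.0),
    # Constructed example of a consequence reduction action found by talking to engineers.
    Action("Hardwired process limit independent of the PLCs", cost=1.5, likelihood_reduction=0.0, consequence_reduction=0.40),
]


def rank_by_leverage(actions):
    """Most risk reduction per unit of resource first."""
    return sorted(actions, key=lambda a: a.leverage, reverse=True)


def balance(actions):
    """How many of the given actions work on likelihood vs consequence (the seesaw balance check)."""
    counts = {"likelihood": 0, "consequence": 0}
    for a in actions:
        counts[a.side] += 1
    return counts


def plan_within_budget(actions, budget):
    """Greedy plan: take actions in leverage order, skipping any that no longer fit the budget."""
    chosen, spent = [], 0.0
    for a in rank_by_leverage(actions):
        if spent + a.cost <= budget:
            chosen.append(a)
            spent += a.cost
    return chosen, spent


if __name__ == "__main__":
    ranked = rank_by_leverage(STEVE_ACTIONS)
    for a in ranked:
        print(f"{a.leverage:6.3f}  {a.side:<11} cost={a.cost:<5g} {a.name}")
    print("top-5 balance:", balance(ranked[:5]))
    chosen, spent = plan_within_budget(STEVE_ACTIONS, budget=8.0)
    print(f"first 6 months (budget 8, spent {spent:g}):", [a.name for a in chosen])
```

The balance() call is the point of the seesaw: if every action in your top 5 lands on the likelihood side, you have reproduced the imbalance the talk describes and should go back to the engineers for consequence reduction candidates. Swap in your own costs and scores; the ranking, not the constructed numbers, is what to take away.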
Do you agree with my placement and size of the boxes? No. Great. I’m not looking for you to agree with my prioritization, and quite frankly it changes a lot based on your system, process, and business.
You have a decision to make. Do you join the chorus of trying to mandate an increasingly long list of security controls and stoke the hysteria of potential consequences? This is the safe path. If anything happens and everything wasn’t funded and completed you can say I warned you. It’s not my fault. This path is easier, safer, and far more crowded. It’s also not that valuable. Thanks. You gave a long list of things I should do and tried to scare me into doing them. You’re not helping.
Or do you use your experience, knowledge and wisdom to identify, evaluate, and prioritize the OT security good practice controls and consequence reduction actions? And to pitch the risk in realistic terms to management. In a way that makes the decision easy. These are the OT security professionals who will be in demand and worth a lot more.
Let me close with this … it’s not about agreeing with me. It’s not about agreeing with Ralph Langner, Rob Lee, Joel Langill, Jen Easterly or any of the other people who have strong and loud points of view. What we need from the early adopters and leaders, the people like you who come to S4, is this. We need you to be brave, flexible, and to do the hard work to decide what is the best OT cyber risk management approach for the system you’re working on.
It will require you selecting and prioritizing actions, and, more difficult, deciding what cyber hygiene not to do, at least not at this time. You need to do this to be a top professional in this field, to best benefit your company and your career.
Be brave, make your own choices, and enjoy S4.