Love this comment from Bryan Owen on one of my posts.
Discovering ICS vulns is so yesterday, discovering implants is the new, new thing. In observation, there needs to be more emphasis and coverage on discovered implants… otherwise sponsors of defensive programs are justified in funding other priorities.
I hope this is true, particularly deemphasizing OT vulns. Loyal readers of my ICS Security: Friday News and Notes might notice there are rarely any items on OT vulnerabilities. Back at S4 in 2012 we had so many sessions on vulnerabilities in OT that attendees got the point that if you gave OT code a hard shake you’d find vulnerabilities.
Code quality has improved in many vendors since 2012, and it’s still easy to find OT cyber assets that didn’t follow 101-level secure coding practices … or consciously ignored security because the product was never envisioned to be subject to attack. While S4 attendees still crave offensive sessions, they aren’t interested in seeing insecure by design or pathetic code get exploited.
From a risk perspective, most OT vulnerabilities are not noteworthy. The cyber asset is either insecure by design or if the attacker has reached the point to run the exploit they don’t need the exploit. There are many better things to reduce OT cyber risk than run around patching 80%+ of the OT cyber assets.
The vulnerabilities that need to be addressed Now of Now/Next/Never are the ones exploitable from outside the OT zone, from the corporate network. Firewalls, remote access servers, servers in the DMZ, … If you have a lot of OT that needs patching Now, then you need to rethink your segmentation. These vulnerabilities aren’t typically OT vulnerabilities. It’s not a place where “OT is different”.
Why the continued attention on OT vulnerabilities? Think about who is finding them. In the early days it was researchers. Today it is primarily OT security vendors.
This doesn’t make them evil or even wrong. They are playing the system. For the past 10 years the best way to get media attention and free content is to find vulnerabilities in OT systems, give it a clever name, run Shodan to get some numbers, write a white paper, submit to speak at some conferences, and set marketing loose.
(BTW, the second best way is to do an annual survey / activity report and put out some numbers that make the situation look dire.)
The system still works this way, but is the fascination and attention fading? It’s hard for me to judge since I interact primarily with pioneers and early adopters in OT security. I believes these advanced OT security pros are past this. They shrug off most of these OT vulnerabilities.
At this point the OT security vulnerabilities must still be getting some attention or the media would stop reporting them. As much as I like Bryan’s comment, it’s probably aspirational rather than reality.