False
One of the most common OT Security mantras this decade is “You Can’t Protect What You Don’t Know”. Those who say this are almost always saying you can’t protect your OT environment without a detailed and accurate OT cyber asset inventory.
This is provably wrong. Consider the contents in a safe deposit box in a bank or anything locked away in a drawer in an office. You may not know what’s in that drawer, and yet its contents are protected by the physical security of the building, office, and drawer. There can be guards and guns monitoring the entrances and roaming the halls protecting some unknown and unspecified valuables. You can have cameras and motion detectors identifying threats and triggering a response.
We see the equivalent in the cyber world. You can have a firewall providing protection at the OT security perimeter without knowing what’s behind it. Two-factor authentication for remote access to the OT environment is protecting unknown cyber assets. Even the OT detection products that create asset inventories and often say “You Can’t Protect What You Don’t Know” are in fact detecting attacks even if there is no asset inventory.
What might be fair to say is “You Can Provide Better Protection If You Know What You’re Protecting”.
How much better, and at what cost? Is an asset inventory that is 80% accurate better? How much better is an asset inventory that is 98% accurate? What detail needs to be in that asset inventory to “know”? How much does it cost to create and maintain these asset inventories? How much improvement in our key mission metrics will be achieved, and at what cost? We’re not even trying to answer these questions. I’d encourage you to start.
True
The weekly tasks from the last two months of my A Year In OT Security book have me rethinking this tenet and the meaning of the word “know”. What if “know” doesn’t mean an OT asset inventory and instead means:
- Knowing what success means for your company. Knowing your company’s key mission metrics.
- Knowing your company’s risk management process and what is considered an unacceptable risk in the various consequence categories (financial, safety, customer impact, reputation, etc.).
- Knowing the hourly or daily cost of an OT outage that prevents the quality delivery of your product or service.
- Knowing the “really bad things” that could happen in Operations.
- Knowing your safety and protection systems deployed to prevent the “really bad things”.
- Knowing the OT cyber incidents that could cause the safety and protection systems to fail and cause a “really bad thing”.
I’m more inclined to agree with “you can’t protect what you don’t know” if know means understanding the company’s key mission metrics, risk management, high consequence events, and how Operations is preventing high consequence events.
Even with this definition of “know”, you can provide protection without knowing. In most cases it will be highly inefficient: little protection for the time and money spent. The same will be true if you have an OT asset inventory and haven’t understood your company.
There’s a reason the first three months of tasks in A Year In OT Security focus on understanding the business and Operations rather than deploying good practice security controls or creating an asset inventory.
Every Monday I post the weekly task from the book A Year In OT Security on LinkedIn. You can see all past weeks’ tasks at my site dale-peterson.com. The Kindle version of A Year In OT Security is now available on Amazon. It’s free if you have Kindle Unlimited and $5 if you don’t.