It’s been 24 years since the 9/11 attacks, and the beginning of serious OT security concerns. It’s been 15 years since Stuxnet was discovered. The results are an odd dichotomy.

We Won – The Impact Of OT Cyber Incidents Has Been Minimal

Experts have been predicting disaster for over 20 years. The cyber Pearl Harbor was coming. Large-scale and long-lasting blackouts were looming. Critical infrastructure, transportation, manufacturing and other sectors would suffer costly and society-impacting outages or worse.

It hasn’t happened.

The analysis and predictions, including my more conservative predictions, were wrong. Massively wrong. Year after year they have been wrong on the impact of OT cyber incidents. And the trend line of the predictions continues despite this woeful record.

There have been some OT cyber incidents. Some companies have suffered losses. It’s not zero. It is a tiny fraction of what’s been predicted. It’s one of the smallest categories of all-cause losses. Even the long-shot cause of a pandemic dwarfed OT cyber incidents as a cause of lost OT production.

Should the OT security industry take and celebrate the win?

Yes, to some degree. The OT / IT segmentation achieved over this time has significantly blunted attacks that would have leaked to OT and taken out most Windows cyber assets. Malware affecting OT is down due to removable media awareness and policies and endpoint detection.

We should also acknowledge and celebrate that engineers built in a lot of redundancy and resiliency, as well as safety and protection measures.

We Lost – OT Security Posture Is Far Behind What Was Expected

In 2005 the common refrain was: it will take decades to correct the insecure by design issues with OT protocols, devices, and applications. It’s been two decades, and it still hasn’t been solved.

Few experts twenty years ago would have predicted the minimal progress in implementing source and data authentication in OT systems. Most systems will accept and process any properly formatted control command or administrative action, including configuration and logic changes, regardless of where it came from. Access still typically equals full control to do whatever the engineering and the system allow.

We play around with asset inventory, vulnerability management, detection, micro-segmentation, and other security controls but avoid the key issue: the lack of authentication. And even deployment of those listed security controls is still at the early-adopter stage.
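As an added illustration of the authentication gap described above (example code, not from the original post or any real product), here is a constructed toy controller in two versions: the first applies any well-formed write frame, the second only applies a frame carrying a valid HMAC over the command and a fresh counter. The frame layout, function code, pre-shared key and counter scheme are assumptions made for the example, not any real OT protocol.

```python
import hashlib
import hmac
import struct

# Constructed toy frame: function code (1 byte), register (2 bytes), value (2 bytes).
# Assumed for the example only; it is not a real OT protocol.
FMT = ">BHH"
WRITE = 0x10
TAG_LEN = 32  # HMAC-SHA256 digest length


class UnauthenticatedController:
    """Insecure-by-design: any correctly formatted write frame is applied,
    whoever sent it. This mirrors the behaviour the post describes."""

    def __init__(self):
        self.registers = {}

    def handle(self, frame: bytes) -> bool:
        if len(frame) != struct.calcsize(FMT):
            return False  # only a format check, no origin check
        fc, reg, val = struct.unpack(FMT, frame)
        if fc != WRITE:
            return False
        self.registers[reg] = val
        return True


class AuthenticatedController:
    """Same command set, but each frame carries a monotonic counter and an
    HMAC computed with a pre-shared key (assumed provisioning model)."""

    def __init__(self, key: bytes):
        self.key = key
        self.registers = {}
        self.last_counter = 0

    def handle(self, frame: bytes) -> bool:
        body_len = struct.calcsize(FMT + "I")
        if len(frame) != body_len + TAG_LEN:
            return False
        body, tag = frame[:body_len], frame[body_len:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # source/data authentication failed
        fc, reg, val, counter = struct.unpack(FMT + "I", body)
        if counter <= self.last_counter or fc != WRITE:
            return False  # replayed frame or unsupported function
        self.last_counter = counter
        self.registers[reg] = val
        return True


def build_frame(reg: int, val: int, key: bytes = None, counter: int = 0) -> bytes:
    """Build a write frame; with a key, append counter and HMAC tag."""
    body = struct.pack(FMT, WRITE, reg, val)
    if key is None:
        return body
    body += struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

The authenticated version still has no key management or confidentiality; it only shows the minimum needed to reject commands that are well-formed but unauthenticated or replayed.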

The experts did say it would take decades to secure OT. Maybe they meant 3, 4, or 5 decades.

It’s quite the mystery. We’ve improved the security posture much less than expected, and at the same time we succeeded in minimizing the impact of OT cyber incidents.