If you take one thing from this book, my hope is it leads you to focus on OT cyber risk management rather than slavishly trying to implement and maintain a long list of good practice OT security controls (cyber hygiene).

SANS and many others, including me, have put out lists of the most important security controls. These lists reflect the experience and bias of the writers. For example, the SANS Five Critical Controls have a detection bias. My list probably has a consequence reduction bias. 

You’ve been thinking about OT cyber risk for at least a year now. It’s time for you to create a list of your top 5 OT cyber security, or cyber risk management, controls. My suggestion is you do this based on efficient risk reduction, but it’s your list.

Imagine someone new to OT security and cyber risk management walks up to you and asks: what should I do to secure my OT? What would be the top five things you would tell them to do? List them in priority order. Do #1 first, then #2, …  Put your name on the list below.


____________________ Top 5 OT Security Controls

1.

2.

3.

4.

5.