It really is quite simple to be an OT Visionary.
- Look at what is happening and working in IT / the enterprise
- Predict that this same technology and approach will be used in OT
- Be prepared to be called crazy and told it will never work in OT / ICS
- Five years later have it be an almost ubiquitous recommendation, and you will have been correct
I’ve alluded to the “it won’t work in ICS” phenomenon in past articles, presentations and podcasts, with prominent examples in every decade.
- 90’s – Windows and Ethernet would never work in ICS
- 00’s – Anti-virus breaks ICS. IDS would cause ICS to crash. Application whitelisting … The 00’s were peak “it won’t work in ICS.”
- 10’s – Virtualization will never work in ICS and would void your warranty. ICS protocols couldn’t be encrypted or secured.
- 20’s – Anything related to operations can’t and will never be moved to the cloud. DevOps doesn’t work in ICS.
My most personal example of “it won’t work in ICS” was in 2006. We had a Small Business Innovation Research (SBIR) contract with the US Government to develop intrusion detection system (IDS) signatures for ICS protocols and applications. Nothing existed, so it was easy to identify and create some Modbus TCP and DNP3 signatures. In an effort to get the community to try these open source Snort signatures, I hit the ICS conference circuit to introduce and promote the idea of adding detection to ICS.
At a Telvent User Conference (at the time Telvent had about 80% market share of pipeline SCADA and is now part of Schneider Electric) I went on stage to describe the concept and give examples of what it could detect. Knowing the conservative nature of the audience, and the non-small number of “added IT systems to an ICS caused outages incidents” in that decade, I stressed that IDS does not put a single packet, nothing, on the ICS network.
The audience was polite and had few questions at the end. In the evenings, when people loosened up, I had multiple asset owners come up to me and tell me there was no way they would ever put an IDS on their network because it might affect operations, despite assurances that it was just listening, that it was passive. Some didn’t even dispute the passive nature; it was simply that they viewed altering a working system as a risk.
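To make the concept in the anecdote concrete, here is an added example (written for this page, not the 2006 Snort signatures or anything from the SBIR work) of what passive ICS detection looks like in code. It parses Modbus/TCP frames handed to it from a capture, alerts when a write function code arrives from a host that is not on the allow-list of known masters, and flags Modbus exception responses, which often show up when someone is probing a PLC. The IP addresses, the frames and the allow-list are all constructed for the demo. Nothing here opens a socket or transmits: a sensor fed from a SPAN port or network tap only reads bytes, which is exactly the “not a single packet on the ICS network” point.

```python
"""Passive Modbus/TCP monitor: parse captured frames, alert, never transmit.

Added example for this page; the addresses, frames and allow-list below are
constructed, not real captures.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Function codes that change process state. Reads (1-4) are not listed.
WRITE_FUNCS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusPDU:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_mbap(src: str, frame: bytes) -> Optional[ModbusPDU]:
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU. Returns None for anything
    that is not well-formed Modbus/TCP so junk on port 502 cannot crash the monitor.
    """
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length < 2 or length != len(frame) - 6:
        return None
    return ModbusPDU(src, tid, unit, frame[7], frame[8:])


def inspect(src: str, frame: bytes, allowed_masters: Set[str]) -> List[str]:
    """Return alert strings for one captured frame; an empty list means no alert."""
    pdu = parse_mbap(src, frame)
    if pdu is None:
        return []
    if pdu.function & 0x80:
        # High bit set = exception response from a device (e.g. Illegal Function).
        # Not malicious by itself, but a burst of these usually means probing.
        code = pdu.data[0] if pdu.data else "?"
        return [f"{src}: Modbus exception response to fc {pdu.function & 0x7F}, exception code {code}"]
    if pdu.function in WRITE_FUNCS and src not in allowed_masters:
        return [f"{src}: {WRITE_FUNCS[pdu.function]} (fc {pdu.function}) to unit {pdu.unit_id} from unlisted master"]
    return []


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame. Used only to construct sample traffic for the demo."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source IP, raw frame). 10.0.0.5 plays the HMI.
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.0.0.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),        # HMI reads 10 holding registers
    ("10.0.0.5", build_frame(2, 1, 6, struct.pack(">HH", 0, 1234))),      # HMI writes a setpoint
    ("10.0.0.99", build_frame(3, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02")),  # unknown host writes
    ("10.0.0.7", build_frame(3, 1, 0x90, b"\x01")),                       # PLC answers fc 16 with Illegal Function
    ("10.0.0.99", b"\x00\x01\x00\x00"),                                   # truncated junk on port 502
]


def run(traffic: List[Tuple[str, bytes]], allowed_masters: Set[str]) -> List[str]:
    """Run the monitor over a list of captured frames and collect all alerts."""
    alerts: List[str] = []
    for src, frame in traffic:
        alerts.extend(inspect(src, frame, allowed_masters))
    return alerts


if __name__ == "__main__":
    for line in run(SAMPLE_TRAFFIC, allowed_masters={"10.0.0.5"}):
        print(line)
```

In a real deployment the frames would come from a tap or SPAN port (via a pcap library) and the allow-list from the engineering documentation of which HMIs and historians are supposed to issue writes; everything else in the logic stays the same. Snort later added a Modbus preprocessor with a `modbus_func` rule option that expresses the same write-from-unexpected-source check as a signature rather than as code.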
The situation has improved since 2006 in the sense that the time gap between IT and OT adoption is getting smaller, and the install-and-never-touch approach is no longer present, at least among the early adopters. There is still a risk that a vendor selling a new OT product or service is directionally correct but too early.
If you are involved in creating your organization’s OT strategy, you need to decide whether you want to fight the future or create the future. Even if you don’t want to be bleeding edge, the clearly laid-out path for future OT technologies should help with your planning and let you be a visionary, if you want to be.