What Will Fall Next?

A common refrain for any new proposed technology: It Won’t Work In OT.

A short and incomplete list of examples:

  • 90’s: Windows and Ethernet (yes, there was a battle, with many experts insisting that Windows workstations and servers connected by Ethernet were heresy)
  • 00’s: Anti-virus, IDS and cellular networks for SCADA
  • 10’s: Virtualization
  • 20’s: Active scanning

My most personal experience is with IDS. We developed and introduced the first IDS signatures for OT, funded by DHS and Dept of Energy. I remember presenting this technology at the 2003 annual Telvent User Group in Banff. At the time Telvent had an ~80% market share of pipeline SCADA systems. All the big players were there.

I gave my presentation on the very basic, but powerful Gen 1 IDS signatures for Modbus TCP and DNP3. Polite applause. No questions. In the remaining two days I had many asset owners walk up to me and say, It Won’t Work In OT. Why not?

Asset Owner: We can’t risk putting anything on the network that could take the system down.

Me: IDS is passive. It doesn’t put a single packet on the network.

Asset Owner: But what if your IDS doesn’t operate as designed. Has a bug. Misbehaves and puts traffic on our network?

Me: The span port it is connected to does not allow this.

Asset Owner: What if someone plugs it into the wrong switch port or misconfigures the switch?

Even those who were eventually convinced that it was not going to take down their system said it still wouldn’t be allowed.

[Side note: this is another example of the longstanding dichotomy of asset owners saying the systems must be robust, resilient and run 24×7 … while accepting and living with systems that are fragile. Look at them wrong, send the wrong packet, and the system may come down, with real concern about recovery.]
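To make concrete what a Gen 1 signature actually does, and why the "it is passive" answer holds, here is an added example. It is not the original DHS/DOE-funded signature set and not any vendor's code: a small Python detector that takes Modbus TCP request frames as a SPAN port would hand them over, parses the MBAP header, and flags writes from hosts other than the SCADA server, state-changing Diagnostics sub-functions (Restart Communications, Force Listen Only Mode, Clear Counters), and malformed frames. The host addresses, the authorized-master list and the sample traffic are constructed for this example.

```python
"""Illustrative Gen 1 style passive detection for Modbus TCP requests.

Constructed example: the addresses, policy and sample frames below are
assumptions of this illustration, not values or code from the article.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MODBUS_TCP_PORT = 502

# Assumed policy: only the SCADA server is allowed to write to the PLCs.
AUTHORIZED_MASTERS = {"10.0.1.10"}
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}   # coil and register writes
DIAGNOSTICS_FC = 8
# Diagnostics (FC 8) sub-functions that change device state (Modbus spec values).
DISRUPTIVE_DIAG_SUBFUNCTIONS = {
    0x0001: "Restart Communications Option",
    0x0004: "Force Listen Only Mode",
    0x000A: "Clear Counters and Diagnostic Register",
}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured TCP segment, as a SPAN port delivers it."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_mbap(payload: bytes) -> Optional[dict]:
    """Parse the 7-byte MBAP header plus function code; None if not well-formed."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if protocol_id != 0:            # Modbus reserves protocol id 0
        return None
    if length != len(payload) - 6:  # length field counts unit id + PDU
        return None
    return {"tid": transaction_id, "unit": unit_id, "fc": payload[7], "data": payload[8:]}


def inspect(pkt: Packet) -> List[str]:
    """Apply the signatures to one request. Pure function: it never transmits."""
    if pkt.dport != MODBUS_TCP_PORT:
        return []
    frame = parse_mbap(pkt.payload)
    if frame is None:
        return [f"{pkt.src}: malformed Modbus TCP frame"]

    alerts = []
    fc = frame["fc"]
    if fc in WRITE_FUNCTION_CODES and pkt.src not in AUTHORIZED_MASTERS:
        alerts.append(f"{pkt.src}: write function code {fc} from unauthorized master")
    if fc == DIAGNOSTICS_FC and len(frame["data"]) >= 2:
        sub = struct.unpack("!H", frame["data"][:2])[0]
        if sub in DISRUPTIVE_DIAG_SUBFUNCTIONS:
            alerts.append(f"{pkt.src}: diagnostics sub-function {sub:#06x} "
                          f"({DISRUPTIVE_DIAG_SUBFUNCTIONS[sub]})")
    return alerts


def run_detector(packets) -> List[str]:
    """Run every packet through the signatures and collect the alerts."""
    alerts: List[str] = []
    for pkt in packets:
        alerts.extend(inspect(pkt))
    return alerts


def _modbus_request(tid: int, unit: int, fc: int, *words: int) -> bytes:
    """Build a Modbus TCP request whose PDU data is 16-bit words (constructed traffic)."""
    pdu = struct.pack("!B", fc) + b"".join(struct.pack("!H", w) for w in words)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not a real capture.
SAMPLE_TRAFFIC = [
    Packet("10.0.1.10", "10.0.2.20", 502, _modbus_request(1, 1, 3, 0, 10)),   # read holding registers
    Packet("10.0.1.10", "10.0.2.20", 502, _modbus_request(2, 1, 6, 100, 1)),  # write by SCADA server
    Packet("10.0.9.99", "10.0.2.20", 502, _modbus_request(3, 1, 6, 100, 0)),  # write by unknown host
    Packet("10.0.9.99", "10.0.2.20", 502, _modbus_request(4, 1, 8, 4, 0)),    # Force Listen Only Mode
    Packet("10.0.9.99", "10.0.2.20", 502, b"\x00\x05\x00\x00"),               # truncated frame
    Packet("10.0.9.99", "10.0.2.20", 80, b"GET / HTTP/1.0\r\n\r\n"),           # not Modbus at all
]

if __name__ == "__main__":
    for line in run_detector(SAMPLE_TRAFFIC):
        print(line)
```

In a real deployment the packets would come from a capture library reading the interface attached to the SPAN port; the detector itself only reads bytes and returns strings, which is the property the asset owners were doubting. The residual risk is exactly the one they raised, the switch side, and that is where the check belongs: the monitor session's destination port should be configured so it cannot ingress traffic, and that configuration should be reviewed like any other change.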

As most know, passive IDS detection (now in Gen 4 or 5) is a key component in the solutions from Armis, Claroty, Dragos, Nozomi … It has gone from impossible and never to the point where an OT leader had better have an answer to “what are we doing to detect cyber attacks” when the C-levels or the Board ask. And IDS is almost always a component of that answer.

And we see Windows as the dominant workstation and server operating system in OT, Ethernet dominating Level 2 and gaining presence on Level 1 and even Level 0 of the Purdue model, ICS vendors now promoting virtualization (although still slow-rolling containers), and so on.

If a technology is dominating the enterprise due to clear and significant benefits, it will make it to OT. If you hear It Won’t Work In OT, change it in your mind to When Will It Be Accepted In OT. And, maybe more importantly, can we benefit by being an early adopter? The answer to this last question is often, but not always, yes.

I’m curious what you believe are the technologies you see as getting the “It Won’t Work In OT” treatment now that will be norms by 2030. Put them in the comments.