Check out Part 1 here.

We Won: An OT Security Community

There is a thriving OT security community in 2025. This is a huge win.

We started S4 in 2007 because there was no place where one of our researchers could present the first publicly disclosed OT vulnerabilities (in the two most widely used ICCP protocol stacks) to an audience that would get it. An audience that understood both cybersecurity and control systems.

Our first keynoter was Whit Diffie because he had played a large role in creating the crypto/cybersecurity community. This event drew just over 40 attendees. There were a small number of other, less technical OT security events. A few companies selling the first OT security products. Some fledgling OT security training courses. Some national lab work and funded government research.

In 2010, my Digital Bond OT security consulting practice had 12 talented consultants. We were one of the largest, perhaps the largest, practice in the world.

Now in 2025 there are tens of thousands of OT security professionals. I don’t know if the right number is 12,000 or 120,000. And it probably varies based on your criteria for this designation.

The win is more than just numbers. The spirit of the community remains welcoming and strong, especially when you meet face to face. I hear this from those new to the community at S4, and also from attendees at other events. They are pleasantly surprised at how friendly and helpful the community is to newcomers or anyone facing a tough time.

Sure, there is some unnecessary drama. There always is and was, even when the community was measured in the 100s. As a whole it is a welcoming and supportive community.

I don’t know if it’s due to the spirit of the first and second generation in this field. Or that there are so many challenges that there’s no shortage of areas to carve out your own best-in-world niche. Or the fact that with only a few blips, including now, there have been more jobs than available people. Or something else.

Whatever the reason, the OT security community’s growth and spirit is a big win.

We Lost: OT Risk Management

Admittedly this is a hard problem for a new field with little hard data. Even with diminished expectations we have lost.

  • The threat, as expressed in vendor reports, government pronouncements, industry studies, conference presentations, and media articles, is vastly overstated. Hyped up. A look at the expressed threat and actual consequences over any time period in the last 20 years clearly shows this. What is possible has been presented and treated as what will be.
  • Many of the long and growing recommendations to “secure” OT result in minimal risk reduction. This has led to confusion and highly inefficient risk reduction. If we had simply allocated the resources from the last 20 years based on risk reduction, the typical OT security posture would have been greatly improved.
  • There is a tendency to promote and focus on long and large programs. Cyber Informed Engineering (CIE) is a great example. CCE is another. Secure By Design a third. Information sharing initiatives a fourth. There are gems in these programs. Quick and inexpensive items that can lead to significant risk reduction that would take 1% of the overall program’s effort. It’s a bit like the long list of security controls failure from the second bullet.

There have been some partial wins in OT risk management, most notably an increased focus on consequence.

I’m hopeful that the win in community building can help address the loss in OT risk management in the remainder of this decade. That the community can mature to the point that they can properly frame the threat and prioritize security controls and consequence reductions. Importantly this means intentionally not doing everything that is in the long and growing list of recommendations.