Mark Carrigan, COO of PAS Global, used his Eastwoodian title to sum up the mixed state of industrial control system security. He saw the good as increased signs of cooperation between OT and IT, with OT beginning to catch up to IT, particularly with respect to access management. Across the industry, he said initiatives have tended to focus on the right things: visibility, audits, and security awareness programs. And above all, companies now understand that OT security deserves investment.
The bad? Attacks on OT are no longer simply collateral damage from attacks against IT systems. The adversaries, especially nation-state threat groups, are now researching OT systems and developing attacks designed specifically for those systems. And unfortunately companies remain reluctant to share information about attacks. They fear not only loss of proprietary information, but even more the reputational and regulatory risk they might be exposed to.
And then there's the ugly, chiefly the confusing OT security market, and the tendency companies have to fixate on "shiny objects," the latest buzzwords and trends. We also find, Carrigan observed, that solution results seem to fall short of expectations, and too much information overwhelms understanding. To much focus on detection is also ugly: basic protection and recovery mechanisms "can have massive risk reduction."
He closed with four pieces of advice: "Fundamentals matter. Don't chase the shiny object. Integration is key. Industrie 4.0 is coming--get ready."