Risk.
Reward.
Most investment decisions involve weighing the difference between the two factors. Is it worth buying this because the reward will be great enough to be worth the risk? Not enough people add a third factor to this decision process: the Desired Outcome.
I have discussed “Find Your Why” in past blogs (I referenced it in this blog about cybersecurity stats). In this blog (and an upcoming whitepaper from BlastWave), we will start the conversation about “Why” you invest in cybersecurity.
Every investment must also have a desired outcome. In some cases, the reward might align with that desired outcome. In cybersecurity, however, the desired outcome must be understood before you can determine whether the risk is worth the reward. One mistake often made in cybersecurity is focusing on technology rather than outcomes. For example, mandating a firewall does not protect a network; it dictates the solution rather than the desired outcome. Firewalls do protect a network, but what does the firewall need to do to minimize your risk? Some firewalls have targeted capabilities, and some have a wide range of technical abilities (often too much capability, if we are honest). Just because an IT manager deploys a firewall does not mean that their network is now fully protected.
So why do you invest in OT/ICS cybersecurity? To remove risk.
What do you invest in? The solutions that remove the most risk.
The MITRE ATT&CK ICS framework establishes the risks and the specific tactics and techniques bad actors use to penetrate ICS networks. We won’t go into a detailed analysis of the tactics (the MITRE site does that exceedingly well).
Here is the ICS Framework:
The desired outcome of any OT cybersecurity deployment should be to block all of the tactics that may affect your network and monitor the rest. The more you can block, the less risk you are taking by operating your network.
BlastWave will soon release a whitepaper focused on mitigating risk associated with tactics with a remote networking component. Implementing a network protection framework prevents many of these tactics from succeeding, which in turn blocks other tactics that depend on the success of an earlier-stage tactic. Categories like Initial Access, Lateral Movement, and Discovery are all key tactics that any Protection solution should largely mitigate for a network administrator. Instead of a flat list, a flowchart with predecessors might be a better framework.
Our whitepaper will be released this month and will explore the risks, rewards, and, most importantly, the desired outcomes for OT cybersecurity protection. We will also start exploring the solutions that are available to OT cybersecurity administrators. Over the next few weeks, we will introduce some of the key topics discussed in the whitepaper in the blog to give you a taste of what is coming.
If you want to sign up to receive the whitepaper the moment it is published, sign up here, and we will send it to you immediately upon its release.