Last week, I joined over a thousand attendees at S4x25 to talk about the future of ICS security. I love any time I get to spend with like-minded people who wake up thinking about protecting critical infrastructure, and S4 is the place to be to have deep conversations with the industry (Kudos to Dale Peterson for putting together a fantastic program!). Several things resonated with me, which were reinforced by my discussions with customers, BlastWave partners, and technology partners at the event.
The biggest was the simple fact that the times are changing. It is time for ICS/OT security vendors to start delivering actionable results to customers. Measuring ROI in cybersecurity has always been challenging, since the most significant indicator of your investment's success or failure is actually... failure. Yep, when you get hacked, you know what you deployed didn’t work. If you don't see a breach, you still might not know whether you have been hacked, because the hackers may be biding their time and Living Off The Land. Significant investments in monitoring and visibility haven’t necessarily made CIOs/CISOs feel like “Mission Accomplished.” This focus on ROI is a good thing; whether it eventually turns into a Return on Mitigation (ROM) or some other metric remains to be seen, but there is a clear desire for vendors to engage in this dialogue with customers.
Dale’s keynote was all about the ROI of risk reduction, and he framed it through the dual lenses of frequency and consequences. Risk = frequency x consequence. ROI = risk reduction/cost. He also reinforced that the check-the-box approach ignores the effectiveness and efficiency of the security tool or mitigation action. Moving to MFA can be a powerful way to reduce risk at a low cost. Installing data diodes (that may even require 2-way diodes for remote access) is expensive and may not reduce risk that much. I will have much more to say about the ROI of risk reduction in the coming months.
Some discussions have started about using “the cloud” in OT environments. This is interesting because the approach has advantages and disadvantages, depending on whether you are more interested in historical data for analysis or looking to have real-time interactions with your OT systems. I am watching this one closely, because the one thing that will become critical in this environment is securing any access and data that exits the OT network to the cloud.
The last thing I will touch on is one of the hottest topics at S4: the ongoing challenge with segmentation and access control. If you follow BlastWave, you know that this is the challenge we have accepted and are delivering to our customers daily. This is closely tied to the risk management and mitigation mentioned above. Segmentation helps reduce the consequences of an attack by providing containment enclaves. It essentially stops the spread of malware or the ability of an adversary to perform internal recon. Segmentation mitigates significant risk to your network but is usually expensive and requires a long time to implement. If you are still trying to do this with an inflexible hardware solution, the time it takes to implement may be longer than the average tenure of a CIO! This is where Identify Meets Protect in the NIST Cybersecurity Framework and where BlastWave believes the rubber meets the road.
We will be talking a lot more about all of these topics with a focus on Oil and Gas in an upcoming webinar, "The Connected Oilfield: Mastering Remote Site Connectivity and Security."
Tom Sego, CEO & Co-Founder, BlastWave