“Securing Operational Technology: A Deep Dive into the Water Sector”


I know some of these witnesses personally. I know the subject matter extensively.

For this post I will assume you have watched the hearing. Also, please see the recent post about China and U.S. Infrastructure.

Also note this is somewhat of a stream of consciousness, written as I listened.

The first question sets the tone: quantum computing and FUD! Mr. Lee is correct that 1) we are not going back to manual systems, 2) the current ICS/OT systems are already vulnerable, and 3) defense is possible.

Safety systems and “managing for the consequence” is a key point! If you want an offline system it should be a safety system!

Government is not the F***ing answer!

It is important to note that of the 16 critical infrastructure sectors, water is one of the least mature and least funded.

Attribution is largely bunk! Attribution is very hard to do, especially in light of WikiLeaks Vault 7.

NERC or NERC lite is not the answer. I will admit that NERC-CIP has moved the industry, but that was from zero and we are not there today.

If you accept the premise that Risk = Likelihood x Impact, and that the impact of loss of life or capacity is unacceptable, then almost all OT risks trend to the extreme.

OK, so what is really needed for ICS/OT cybersecurity to solve the issue? A market- and risk-driven model. Legislation will not help; it will just enrich the companies who have the best lobbyists. The ugly truth is that most infrastructure is not secured. The basic blocking and tackling steps are not in place. Defense in depth, good architecture, and vigilance are the building blocks to solve this issue (IMO). Most CISOs I know want to spend their budget on tools, and I see this as a mistake. If you do not have the people or program in place to use them effectively, tools will not protect you. There is way too much shelf-ware in the industry.