The Claroty Blog

Overcoming the Lost Decade of Information Security in ICS Networks

| Galina Antova

The following excerpt is reposted from my latest SecurityWeek contributed article. We would love to hear your thoughts on the thesis outlined below, so we invite you to get a taste here and read the full article at SecurityWeek.

If you thought things were bad in the world of IT network security over the past decade, boy do I have an incredibly bleak thesis to present to you.

Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations, tons of investment in terms of people and money, the birth and evolution of an industry and its sub-industries, and a proven ability to respond to (although not foresee) emerging threats show a tremendous amount of positive progress hidden behind the losses. That focus is why we currently have a market of roughly 2,000 security solutions (the value of which is a topic for another discussion).

In the world of Critical Infrastructure/Industrial Control Systems (ICS) security (a.k.a. Operational Technology), despite nearly two decades of discussion around nightmarish cyber-attack scenarios and outcomes, the past 10 years can arguably be labeled “The Lost Decade of Information Security.”

I would argue that we are no better off today in terms of cyber readiness than we were 10 years ago. This belief keeps me up at night and wakes me before the sun many mornings as the threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.  

What is encouraging is that the past two years – and notably the past few months – have seen an accelerated pace of awareness and prioritization being given to ICS security. The emergence of new startups in the sector, the newly found focus of entrenched security companies, the work by Industrial Control Systems vendors to focus on cybersecurity, and the level of discussion amongst CISOs, board members, etc. show some light amongst my otherwise dark-skies analysis. What’s discouraging is that all of what I’ve just listed has come as a result of an increasing amount of targeted and spillover attacks into this domain.

Where We Went Wrong (for the full analysis/detail - see the SecurityWeek article here!)

  • Failing to “bridge the gap” between IT and ICS (Engineering) staff
  • Falling victim to the notion that prescriptive commands/standards could and would be implemented
  • Trying to force the “square pegs” of IT security into the “round holes” of ICS networks
  • Delaying investment because “these attacks are theoretical – they aren’t happening”
  • Believing that “air gapped” networks were ever a reality, or that they would stand up against business and efficiency demands
  • Previous-generation ICS-specific solutions that were difficult to implement, hard to consume, and cumbersome to maintain


Read the rest of the article in SecurityWeek - click here!
