OT cybersecurity insights center – Waterfall Security Solutions (https://waterfall-security.com)

Data Diode vs Firewall: Understanding the Key Differences in OT Security
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/data-diode-vs-firewall-understanding-the-key-differences-in-ot-security/
Tue, 04 Nov 2025 09:20:06 +0000
When you’re protecting operational technology infrastructure, the security solution you pick could mean the difference between weathering a cyberattack and making headlines for all the wrong reasons. It’s not really about whether you need protection anymore; that ship sailed when hackers started going after power grids and water systems. What matters now is figuring out which technology will actually work when attackers come knocking.

OT security isn’t your typical IT problem. We’re talking about systems that run power plants, manage water treatment facilities, control manufacturing lines, and keep transportation networks moving. When these systems fail, you’re not dealing with stolen passwords or leaked documents. You’re looking at potential physical damage, environmental disasters, or genuine public safety threats. Understanding your security options has never been more critical.

Two technologies dominate the conversation when it comes to creating secure boundaries between OT networks and external threats: data diodes and firewalls. Both handle security, but their approaches are worlds apart. This choice shapes everything: immediate protection, operational flexibility, compliance posture, and how well you’ll handle whatever new threats emerge.

TL;DR: Data diode vs firewall key differences:

Aspect           Data Diode                     Firewall
Security model   Hardware, one-way              Software, two-way
Attack surface   Minimal, immune to 0-day       Larger, exploitable
Maintenance      Low, set-and-forget            High, ongoing updates
Flexibility      Limited, no remote access      High, supports remote access
Performance      Low latency, scalable          Higher latency may slow traffic
Compliance       Simple, physical proof         Complex, ongoing checks
Use cases        Critical infrastructure        General OT with remote access

What is a Data Diode? Core Technology and Functionality Explained

A data diode is a cybersecurity device that enforces one-way data transfer between two networks. It allows information to flow out of a secure system without allowing external data to flow back in. Organizations use data diodes to protect critical infrastructure, defense systems, and industrial control networks from cyberattacks.

The technology works by physically severing the return path that network communications typically need. Regular network connections require two-way communication for protocols like TCP/IP to work properly. Data diodes break this requirement at the hardware level, making it physically impossible for external systems to establish connections or push data back into protected networks.

What Is the Technical Architecture of Data Diodes?

The hardware creates what’s essentially an air gap with controlled, one-way data transmission. Inside these devices, fiber optic connections carry data from OT networks to external monitoring systems, but the physical design prevents signals from traveling backward. The transmit fiber literally can’t receive signals, and the receive side can’t transmit anything. This isn’t a software setting that could accidentally get changed; it’s baked into the hardware design.

Your OT systems still provide all the data needed for monitoring, reporting, and analytics. Historians keep collecting process data, SCADA systems continue displaying real-time information, and operators maintain full operational visibility. The key difference? This visibility never creates a pathway for attackers to reach critical systems.

Data diodes also eliminate concerns about network protocols being exploited. Since there’s no return communication path, traditional network-based attacks simply can’t function. Malware that depends on command and control communications finds itself cut off from its handlers. Remote access trojans lose their ability to communicate back to attackers.
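The one-way constraint described above has a direct consequence at the transport layer: with no return path there are no acknowledgements, so the receiving side cannot ask for a retransmission and the sending side never learns what was lost. The simulation below is an added example written for this page; it is not Waterfall's code and does not describe any product's internal protocol. The frame layout, the repeat-twice redundancy and the sample readings are constructed for illustration. It shows the two tools that remain once feedback is impossible: redundancy on the sending side, and integrity checking plus gap detection on the receiving side.

```python
import struct
import zlib

MAGIC = b"DIO1"                    # constructed frame marker, not a real product format
HEADER = struct.Struct(">4sII")    # magic, sequence number, payload length
CRC = struct.Struct(">I")          # CRC32 trailer


def frame(seq: int, payload: bytes) -> bytes:
    """Build one forward-only frame: header | payload | CRC32 over everything before it."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(data: bytes):
    """Return (seq, payload), or None if the frame is truncated or fails its CRC."""
    if len(data) < HEADER.size + CRC.size or data[:4] != MAGIC:
        return None
    body, (crc,) = data[:-CRC.size], CRC.unpack(data[-CRC.size:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    _, seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if len(payload) != length:
        return None
    return seq, payload


class Sender:
    """Send side: it never hears back, so every message is emitted `repeat` times."""

    def __init__(self, repeat: int = 2):
        self.seq = 0
        self.repeat = repeat

    def send(self, payload: bytes) -> list:
        frames = [frame(self.seq, payload)] * self.repeat
        self.seq += 1
        return frames


class Receiver:
    """Receive side: deduplicates, verifies integrity and records gaps it cannot repair."""

    def __init__(self):
        self.received = {}   # seq -> payload
        self.corrupt = 0

    def accept(self, data: bytes) -> None:
        parsed = parse_frame(data)
        if parsed is None:
            self.corrupt += 1                     # local alarm only; nothing can be sent back
            return
        seq, payload = parsed
        self.received.setdefault(seq, payload)    # the second copy of a frame is ignored

    def in_order(self) -> list:
        return [self.received[s] for s in sorted(self.received)]

    def gaps(self) -> list:
        """Sequence numbers never seen below the highest one received."""
        if not self.received:
            return []
        return [s for s in range(max(self.received) + 1) if s not in self.received]


def simulate(messages, drop=frozenset(), corrupt=frozenset(), repeat=2):
    """Push messages over a simulated one-way link.

    `drop` and `corrupt` are frame indices in transmission order: dropped frames
    never arrive, corrupted frames arrive with one payload byte flipped.
    Returns (payloads delivered in order, unrecoverable gaps, corrupt frame count).
    """
    tx, rx = Sender(repeat), Receiver()
    index = 0
    for m in messages:
        for f in tx.send(m):
            if index in drop:
                pass                              # lost on the link
            elif index in corrupt:
                # flip the last payload byte (the byte just before the CRC)
                rx.accept(f[:-5] + bytes([f[-5] ^ 0xFF]) + f[-4:])
            else:
                rx.accept(f)
            index += 1
    return rx.in_order(), rx.gaps(), rx.corrupt


if __name__ == "__main__":
    # Constructed run: lose both copies of message 1 and corrupt one copy of message 2.
    readings = [b"temp=71.2", b"pressure=3.4", b"valve=open"]
    print(simulate(readings, drop={2, 3}, corrupt={4}))
```

The receiver's gap list is a local alarm for the monitoring side, not a request back to the plant network; the only lever against loss is the sender's repeat count, which a real deployment tunes to the link's error rate. Nothing in this design needs, or permits, a message in the reverse direction.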

Security Guarantees Provided by Hardware Enforcement

Hardware enforcement gives you security guarantees that software simply can’t match. With a data diode, protection doesn’t depend on perfect configuration, timely updates, or hoping that nobody’s found an undiscovered vulnerability. The security model is binary: data goes out, nothing comes back.

This approach eliminates entire categories of cyberattacks that need two-way communication to succeed. Advanced persistent threats, remote access trojans, and command-and-control communications all need bidirectional connectivity. By physically preventing this connectivity, data diodes create an impenetrable barrier.

The reliability extends beyond just cybersecurity threats. Data diodes also protect against insider threats who might attempt to establish unauthorized network connections. Even with administrative access to systems, an insider can’t override the physical limitations of the hardware.

Firewall Technology in OT Security Contexts

Firewalls have evolved considerably since their early days, particularly for operational technology environments. Modern OT firewalls include deep packet inspection, protocol-aware filtering, and specialized capabilities for industrial communication protocols. They act as intelligent gatekeepers, examining traffic and deciding what gets through based on predefined rules and policies.

Unlike data diodes, firewalls keep bidirectional connectivity alive while trying to filter out malicious traffic. They analyze packet contents, addresses, protocol types, and application behaviors to determine whether communications should pass or get blocked.

Evolution of Firewall Technology for Industrial Networks

Firewalls were originally built for IT networks, where the main job was to keep malicious traffic out of corporate systems while still allowing employees, servers, and applications to connect to the internet. These early firewalls were not designed with operational technology (OT) in mind. Industrial networks have very different requirements: 24/7 uptime, specialized communication protocols, and devices that often remain in service for decades. Applying traditional IT firewalls directly to OT environments often caused disruptions, latency, or outright failures because the firewalls simply didn’t “understand” how industrial equipment communicated.

[Image: evolution of firewall technology]

To meet these unique demands, firewalls for industrial use evolved in several key ways.

First, they became protocol-aware. Industrial control systems rely on communication protocols such as Modbus, DNP3, IEC 61850, OPC, and PROFINET. Unlike typical IT protocols, these are highly specialized and often lack built-in security features. Modern OT firewalls now include deep packet inspection (DPI) for these protocols, meaning they can read and interpret the actual commands and values being exchanged between devices. This allows the firewall not only to block generic suspicious traffic, but also to detect anomalies such as unauthorized control commands or malformed data packets that could indicate tampering.

Second, OT firewalls added segmentation capabilities tailored to industrial environments. In IT, segmentation often means dividing a corporate network into different security zones. In OT, segmentation is even more critical because it can stop a compromise in one part of a plant or facility from spreading to safety-critical or production-critical systems. Modern industrial firewalls enable very granular control, ensuring that only specific devices or applications can talk to each other, and only in very specific ways.

Third, these firewalls evolved to perform application-layer filtering. Instead of just looking at IP addresses and ports, they can analyze the actual applications running on top of communication protocols. This provides deeper security by distinguishing between normal operational commands and malicious activity that might be hidden inside legitimate-looking traffic. For example, a command to “read data” might be allowed, while a command to “change setpoint” from an unauthorized source would be blocked immediately.

Finally, OT firewalls now support high availability and redundancy features designed for industrial use. In environments like power grids, oil refineries, or manufacturing lines, even a momentary network disruption can have costly or dangerous consequences. Industrial firewalls are engineered to handle continuous uptime, support redundant hardware configurations, and tolerate the challenging physical conditions of plant environments, such as electrical noise, temperature extremes, or vibration.

In short, firewalls for industrial networks have matured far beyond their IT ancestors. They are now specialized security devices that combine traditional packet filtering with deep industrial protocol awareness, network segmentation, and resilience features. This evolution reflects the growing recognition that OT environments face distinct threats, and that protecting them requires tools specifically designed for the realities of industrial operations.
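To make the protocol-aware inspection, segmentation and application-layer filtering points above concrete, here is an added example of a Modbus/TCP allow-list filter written for this page; it is not Waterfall's code and not any firewall vendor's implementation. It parses the MBAP header and the function code (the deep-inspection step), restricts which source/destination pairs may talk at all (segmentation), and permits read function codes broadly while permitting write function codes only from a designated engineering workstation (application-layer filtering, the “read data” allowed / “change setpoint” blocked case). The IP addresses, host roles and policy table are constructed; the function code numbers are the public Modbus ones.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes (from the Modbus application protocol specification)
READ_CODES = frozenset({1, 2, 3, 4})      # read coils / discrete inputs / holding / input registers
WRITE_CODES = frozenset({5, 6, 15, 16})   # write single coil / register, multiple coils / registers
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    allowed: frozenset  # function codes this pair may exchange


# Constructed policy (hypothetical addresses): the HMI may only read the PLC,
# the engineering workstation may read and write; no other host may talk to it.
PLC = "10.1.2.5"
HMI = "10.1.3.10"
EWS = "10.1.3.20"
POLICY = [
    Rule(HMI, PLC, READ_CODES),
    Rule(EWS, PLC, READ_CODES | WRITE_CODES),
]


def parse_modbus_tcp(packet: bytes):
    """Deep inspection step: validate the MBAP header and return (unit_id, function_code)."""
    if len(packet) < MBAP.size + 1:
        return None
    _tid, pid, length, unit = MBAP.unpack(packet[:MBAP.size])
    if pid != 0:                     # protocol identifier is always 0 for Modbus
        return None
    if length != len(packet) - 6:    # length field counts unit id + PDU
        return None
    return unit, packet[MBAP.size]


def decide(src: str, dst: str, packet: bytes):
    """Return ("ALLOW" | "DROP", reason) for one Modbus/TCP request."""
    parsed = parse_modbus_tcp(packet)
    if parsed is None:
        return "DROP", "malformed Modbus/TCP frame"
    _unit, fc = parsed
    name = FUNCTION_NAMES.get(fc, f"function {fc}")
    for rule in POLICY:               # segmentation: only listed pairs may talk at all
        if rule.src == src and rule.dst == dst:
            if fc in rule.allowed:    # application-layer filter on the command itself
                return "ALLOW", f"{name} permitted from {src}"
            return "DROP", f"{name} not permitted from {src}"
    return "DROP", f"no rule for {src} -> {dst}"


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a sample request: MBAP header + PDU (function code + data)."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic
SAMPLE_READ = build_request(1, 1, 3, struct.pack(">HH", 0, 10))       # read 10 holding registers
SAMPLE_WRITE = build_request(2, 1, 6, struct.pack(">HH", 100, 1500))  # set register 100 to 1500 (a setpoint)
SAMPLE_TRUNCATED = SAMPLE_READ[:-2]                                    # length field no longer matches


def run_demo() -> list:
    """Evaluate the sample traffic; returns the verdict for each case in order."""
    cases = [
        (HMI, PLC, SAMPLE_READ),          # ALLOW: HMI reading process data
        (HMI, PLC, SAMPLE_WRITE),         # DROP: HMI may not change setpoints
        (EWS, PLC, SAMPLE_WRITE),         # ALLOW: engineering workstation may write
        ("10.1.3.99", PLC, SAMPLE_READ),  # DROP: unknown host, no rule
        (EWS, PLC, SAMPLE_TRUNCATED),     # DROP: malformed frame
    ]
    return [decide(*c)[0] for c in cases]


if __name__ == "__main__":
    for src, dst, pkt in [(HMI, PLC, SAMPLE_READ), (HMI, PLC, SAMPLE_WRITE), (EWS, PLC, SAMPLE_WRITE)]:
        print(src, "->", dst, decide(src, dst, pkt))
```

The malformed-frame case matters as much as the policy: a filter that forwards anything it cannot parse is not doing deep packet inspection, so the length and protocol-identifier checks run before any rule is consulted.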

Configuration and Management Challenges in OT Environments

Managing firewalls in OT environments creates challenges. Industrial systems often need 24/7 availability, which means maintenance windows are scarce. Configuration changes require careful planning and testing. Firewall rule sets can become incredibly complex, and mistakes can block legitimate traffic or allow malicious activity through.

Another challenge involves keeping up with security updates and threat intelligence. Firewall effectiveness depends heavily on current threat signatures and properly configured rules. This ongoing maintenance requirement can strain resources.

Key Differences: Data Diode vs Firewall Security Capabilities

Data diodes operate on a deterministic security model where the hardware design makes certain attacks physically impossible. Firewalls implement rule-based protection requiring constant management.

The deterministic nature of data diodes means your security posture doesn’t deteriorate over time. Firewalls, on the other hand, rely on constant vigilance, updates, and adjustments.

[Image: data diode vs firewall]

Maintenance and Operational Requirements

Firewalls need regular updates, rule changes, and monitoring. Data diodes need minimal maintenance once deployed. Firewall management requires cybersecurity expertise; data diodes require more upfront network design work.

Performance and Operational Considerations

Data diodes excel in high-throughput scenarios and handle any IP-based protocol without modification. Firewalls introduce latency due to inspection and require protocol-specific support.

Operationally, firewalls enable remote access while data diodes eliminate it. Organizations must balance between absolute security and operational flexibility.

Data Diodes and Regulatory Compliance

Data diodes align closely with critical infrastructure protection standards, offering simple, verifiable compliance. Firewalls can support compliance, too, but require continuous updates and detailed documentation.

Implementation Scenarios

Use data diodes for critical systems that can’t tolerate compromise, such as power generation or chemical processing. Use firewalls when bidirectional communication and remote access are essential, such as in manufacturing. A layered approach using both often makes the most sense.

Waterfall Security’s Unidirectional Security Gateway

Waterfall Security Solutions pioneered hardware-enforced unidirectional protection. Their Unidirectional Security Gateway advances data diode concepts with support for industrial protocols, secure file transfers, and solutions like HERA (Hardware-Enforced Remote Access).

Waterfall Security’s technology provides deterministic security guarantees while addressing practical deployment challenges in industrial networks. With proven deployments in power, oil and gas, water treatment, transportation, and more, Waterfall offers a reliable approach to OT cybersecurity.

Conclusion

When it comes to protecting critical infrastructure, your choice between data diodes and firewalls does not have to be an either/or decision. While data diodes provide absolute protection through unidirectional communication and firewalls offer flexible, bidirectional connectivity with rule-based security, the most robust OT security strategies often combine both.

By adding hardware-enforced protection to segment critical networks, organizations can dramatically strengthen their security posture. This layered approach ensures that even if a firewall is compromised, the physical barrier provided by a data diode prevents threats from reaching your most sensitive systems. As cyber threats against OT continue to evolve, combining these technologies delivers resilience and safety for the future.

Managing Risk with Digital Twins – What Do We Do Next? – Episode 144
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/managing-risk-with-digital-twins-what-do-we-do-next-episode-144/
Mon, 20 Oct 2025 15:17:50 +0000

Asset inventory, networks and router / firewall configurations, device criticality - a lot of information. How can we USE this information to make useful decisions about next steps to address cyber risk? Vivek Ponnada of Frenos joins us to explore a new kind of OT / industrial digital twin - grab all that data and work it to draw useful conclusions.

“Lots of people have different data sets. They have done some investment in OT security, but they’re all struggling to identify what’s the logical next step in their journey.” – Vivek Ponnada

Managing Risk with Digital Twins – What Do We Do Next? | Episode 144

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome, listeners, to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the vice president of industrial security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today.

Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Vivek Ponnada. You might remember him from an episode a little while ago. He was the co-lead on the Top 20 Secure PLC Coding Practices document that came out a year ago, two years ago.

Today, he’s the Senior Vice President of Growth and Strategy at Frenos. And our topic is digital twins for managing risk. It sounds like a bunch of marketing buzzwords, you know, digital twins, managing risk, but they’ve got some real technology behind this. So I’m looking forward to this.

Nathaniel Nelson
Then without further ado, here’s you with Vivek.

Andrew Ginter
Hello, Vivek, and welcome to the show. Before we get started, can I ask you to say a few words about yourself for our listeners and about the good work that you’re doing at Frenos?

Vivek Ponnada
Sure, thanks Andrew. Hey everyone, my name is Vivek Ponnada. I am the SVP of Growth and Strategy at Frenos. I’ve been in the OT security space for quite some time. Back in the day, I was a gas turbine controls engineer for GE, then I became a controls and cybersecurity solutions upgrade sales manager for them.

I initially covered power and utilities and then of course added oil and gas. I’m based in Houston, so that was a natural thing. Before joining Frenos, I worked at Nozomi Networks as the regional sales director for three years, so I’ve been in the OT security space for quite some time, and I am happy to be on this podcast.

And at Frenos, we’re doing something cool. We’re doing an attack path analysis and risk assessment at scale, bringing autonomous risk assessments to a space that’s been lacking this kind of approach. So we’re looking forward to our conversation discussing more about that.

Andrew Ginter
Thanks for that. And our topic today is risk, which a lot of people find boring. I mean, people new to the field tend to want to focus on attacks. Attacks are interesting. Attacks are technical. It’s not until they have failed to secure funding as a manager of, you know, their security team for the last 10 years that they start being interested in risk, which is the language and the decision-making of business.

We’re going to talk about risk. You’re talking about, you know, we’re going to talk about digital twins, which is a real buzzword nowadays, but, you know, this is our topic.

And you’ve mentioned, you know, risk assessments, you’ve mentioned attack path analysis. You know, I look forward to looking into all of this. To me, risk is fascinating. It’s how we make progress. It’s how we shake the money loose.

But, you know, before we dig into it, can we start at the beginning? What is the problem, the risk problem, that we’re trying to address here?

Vivek Ponnada
Yeah, great question, Andrew. The past 10 plus years in OT security has been, let’s find out what we have, right? So lots of people start figuring out that they need asset inventory solutions. So the likes of Dragos, Nozomi, Claroty have been the forefront of that kind of an approach. So network security monitoring leading to passive asset discovery and vulnerability identification.

So now 10 plus years into this people have a lot of datasets. They have several sites, especially the ones that they would consider important to their production. They’ve installed sensors. They have lots of information.

Now they’re asking what next, right? The real use case is risk identification and risk mitigation, as you mentioned, but there’s a struggle out there with different data sets, not being able to figure out what the actual risk is for them to address next. So that’s the problem we’re trying to solve.

We are trying to aggregate information, provide contextual analysis of what’s the riskiest path to a crown jewel, or what might be the logical way to isolate and segment, because not every risk can be mitigated by just patching your vulnerability, for whatever reason. That’s the main problem.

The conclusion is that lots of people have different data sets. They have done some investment in OT security, but they’re all struggling to identify what to do with that information, what’s the logical next step in their journey.

Andrew Ginter
So that makes sense. I mean, it’s one thing to sketch what the NIST Cybersecurity Framework says a complete security program should look like.

It’s another thing to say, I’ve only got so much budget this year and a comparable amount, hopefully, next year. What do I do this year? What do I do next year? What’s sort of most important to do first? That’s a really important question.

How does a person figure that out? What’s the decision path there?

Vivek Ponnada
Yeah, that’s the real question. Lots of people in the past used to say, we’re isolated, or we are segmented, or we have a DMZ between IT and OT. A lot of these assumptions have not been validated.

In other cases where they have different data sets, it’s not very clear what the next problem that they could solve is, right? So everybody, like you said, has limited budget or resources.

So the honest question is, hey, where should we focus next? It’s not very clear. People have done linear projects, right? They’ll pick a firewall project or a segmentation project or a vulnerability management program.

And all these are good, but overall not fixing the immediate problem or not solving the immediate problem first, right? So the commonly requested feature of many of these tools, like Dragos, Nozomi or other vendors, has been, hey, can you please tell me what my riskiest asset is or what my riskiest path is?

And they have not been able to do it because that’s not in their current portfolio, that contextual summarization, right? So let’s say you have an asset at Purdue model level 2, for example, that is talking to another asset at level 3, and then there’s a DMZ above that with some kind of firewall rules isolating it. If someone has real-world knowledge of this network, and that’s what we are talking about, right, a digital twin that’s kind of replicating the network, you analyze that firewall rule and whether that path is possible to get to level 2. Or maybe they have other compensating controls in the path, allowing them to say, yep, my level 2 is secure, this network, this location is not reachable easily, or it takes a lot of complicated daisy-chaining of attacks to get to. Then that would be an identification of what the risk is and whether you need to address something.

The common consensus has been, one, of course, you can’t really assess these in real time in the production environment, right? So you need to build something that’s a replica of that network.

And then you analyze all these scenarios to see if that asset that you deem important, or that network that you deem is critical for your environment,

is reachable or not reachable from the outside or from any other attack vector that you choose, right? The assumed breach could be your corporate enterprise network, it could be a wireless network, or it could be anything else that you deem as an attack vector, and you assess in this digital replica or digital twin if that asset can be reached.

So that’s what, in general, most people have been asking for that’s been missing in the currently available set of tools.

Andrew Ginter
So Nate, Vivek’s answer there was a little abstract. Let me be a little more concrete. He’s saying, look, a lot of people in the last 10 years have deployed Dragos and Nozomi and Industrial Defender and you name it, asset inventory tools.

And in a large organization, these tools come back and say, you have 10,000, you might have 50,000 industrial control system assets. Okay.

And many of them are poorly patched because they’re deep down in areas where it’s really hard to patch them. Patching them is dangerous. You have to test these patches, blah, blah, blah.

So you’ve got 107,000 vulnerabilities in these 50 odd thousand assets. Okay. And they’re arranged into 800, 2000, whatever subnetworks.

And the networks are all interconnected. Right. So now you’re scratching your head, and the question is, what do I do next with my security?

And one of the things the asset inventory folks have done is they’ve allowed you to go through these assets, understand what they are, and assign a criticality to them. These are the safety instrumented systems. They’re really important.

Nothing touches them. These are the protective relays. They prevent damage to equipment and so on. And so what he’s saying is you can’t just look at the list of assets and vulnerabilities and figure out what to do next.

You need a model. And so this is what he’s talking about, a digital twin that is looking at attack paths and looking at which assets are really important, and telling you which really important assets have really short and easy attack paths.

That’s probably what you need to focus on next.

Nathaniel Nelson
Yeah, and I fear this is one of those things where everybody else in the world knows something that I don’t, but like, what is a digital twin?

Andrew Ginter
You know… That word is a marketing buzzword, and it means whatever the marketing team wants it to mean. The first time I heard the word was in a presentation a few years ago at S4.

The sales guy from GE got up and did a sales pitch, in my opinion a very smooth, a very, what’s the right word, cleverly scripted sales pitch. But he basically said a digital twin is a computer model of a physical system.

And GE at the time had technology, they probably still have it, that will, let’s say you’ve got a chemical process, it’s got a physical emulator built in. It can simulate the chemistry.

It’s got emulators built in for all of the GE PLCs in the solution, for all of the GE iHistorian and other components. It’s got a complete simulation. And whenever the measurements come out of the physical world, they correlate them against the measurements that should be coming out based on the simulation.

Whenever there’s a material discrepancy, they would say, oh, that’s potentially a cyber attack. Investigate this. Something has gone really weird here and would take all sorts of automatic action to correct it.

It was amazing in principle, yet I’ve heard dozens of other vendors use the term digital twin to mean other things. The best definition that I’ve heard is, look, your cell phone, Nate, your cell phone is a digital twin of you.

What does that mean?

It’s not, probably not, a biological simulation of your body, though some apps kind of do that. They’re measuring heartbeat and whatnot.

It is an enormous amount of different kinds of information about you. Somebody who steals your cell phone steals all that information, knows an enormous amount about you.

And so, I like that definition because it’s much broader than the very specific original definition that I heard at S4 from GE. A digital twin can be anything that is a lot of detailed information.

And so, I can’t remember if it’s on the recording or not, but I remember asking Vivek, is your digital twin that kind of physical simulation? And he’s going, no, no, no. It’s a network simulation. It’s a different kind of digital twin than the physical simulation that some people talk about. And they use it for different purposes. So, again, it’s a marketing buzzword, but it means, generally speaking, a system that has a lot of information, that uses and analyzes and does good things with a lot of information about another thing, like my cell phone does for me.

Andrew Ginter
So that makes sense in the abstract. I mean, you folks do this. You’re building this technology. You’ve got this digital twin concept. Can you talk about what you folks have? I mean, maybe give us an example of deciding what to patch next using this digital twin, and sort of give us some insight into what data you have, what data you need, and how you use that to make these decisions.

Vivek Ponnada
Yeah, great question, Andrew. Patching has been a significantly challenging problem to solve in OT, as you’re well aware, right? In IT, if it’s vulnerable, you apply a patch and there’s a limited downtime impact, but you run with it.

In OT, of course, it’s not practical because a patch might not be available, an outage window might not be available, and of course, there are production downtime issues to deal with, so patching has been really hard.

With what we’re doing, though, it’s actually highlighting what to patch and what might be skipped for the moment. Right, so when we’re doing this attack path analysis and we come up with a mitigation prioritization score, we say that, hey, this particular network is easy to get to, the complexity of the attack is pretty low.

In just one or two hops from the enterprise network, I’m able to get to this asset, and this is vulnerable. And we do provide other options besides patching, right? We’ll say maybe segmentation or adjusting the firewall rule might be a way to go in some cases. But if you do decide that patching is relevant and our recommendation provides that, you’ll see that if something is not on that attack path, right, so it might be another asset in the vicinity, but the complexity of the attack to that asset is much, much higher, then you could deprioritize patching that asset, even if those two assets we’re talking about have the exact same vulnerability, right?

So if something is on the attack path and it’s easier to execute an attack to that asset, maybe you want to prioritize that more than another asset that’s exactly the same vulnerability, but it’s not on a critical attack path, if you will.

And so getting to it is harder. So you would want to deprioritize that compared to the other ones.

Andrew Ginter
All right, so you used the word reachable. Is that loosely the same as, or connected to, the concept of pivoting, where an adversary takes over an asset, a computer, a PLC, something, and uses the compromised CPU, basically, to attack other things, pivots through a compromised device to attack other things, and then repeats, using the newly compromised things to attack other things?

Eventually, you find, let’s say, computers that have permission to go through a firewall into a deeper network, and now you can use that compromised computer to reach through the firewall. Is this what reachable means? Reachable by a pivoting path?

Vivek Ponnada
It certainly could be, right? So pivoting would be jumping from one host or one asset to another, right, or from one network to another.

The concept of living off the land means that you have ownership of an asset and you’re using native functionality to eventually get to another asset from there, because you have a direct connection, or to a firewall, for example. And so reachable essentially means that you’re able to get to that asset.

Now, how you get to that asset or network: is it because a firewall rule has any/any, for example, that allowed you to just get there? Or in another case you were able to use RDP or some kind of insecure remote access to get there, or in other cases maybe a USB, right? Somebody plugged in the USB and now you have access to that asset. So a lot of these scenarios are very much dependent on what the end user is trying to evaluate the risk for.

So if they are, for example, heavily segmented and their primary mitigations are all segmentation and firewall based, then they would want to know if those firewall rules are working according to plan, or if the last time there was an exception that poked a hole in their firewall, now they are allowing access from level 4 to their critical networks, not realizing that their firewall has a hole.

In other cases, they might have assumed that RDP was disabled in this level 3 device, in this workstation, but it is actually enabled. And so now suddenly someone from outside of their enterprise network is able to get to that level 3, and once you’re there, they could do a lot more, right, further exploration. So reachable essentially means that you’re able to get to a network that’s of interest from another area that’s your starting point.

Andrew Ginter
So, Nate, I remember a couple of episodes, a year and a half, two years ago, Robin Berthier was on from Network Perception. He was doing, it sounded like, a bunch of similar stuff.

He wasn’t, I don’t think they were taking the output of Dragos’s tools, but I could be wrong. What I remember was that he was taking firewall configurations and putting sort of a reachability map, what’s reachable from where, together for large, complex OT networks, and would issue alerts when reality deviated from policy. You could say policy is this: safety instrumented systems never talk to the internet.

That’s a reasonable policy. And he would ingest hundreds, sometimes thousands of firewall configurations and router configurations and come back with an alert saying, these three devices over here are safety systems and they can reach the internet. So that’s what he was doing. What we’re talking about here, what seems to me to be different here, but I could be wrong, is we’re talking here about pivoting paths, not only paths.

Sort of network configuration, not just reachability, but the difficulty of pivoting as well.

Nathaniel Nelson
Yeah, and is the reason why pivoting becomes relevant in a discussion about PLC security because these devices make for such an efficient means of, that they connect your, let’s say, lesser IT assets to more important safety-critical systems? So PLCs sort of seem like a natural point through which an attacker would move.

Andrew Ginter
Sort of. PLCs tend to be the targets of pivoting attacks in OT, sophisticated attacks, because they’re the ones that control the physical world. You want to reach the PLC to cause it to misoperate the physical process.

Pivoting through PLCs is possible in theory, and it’s a little bit more possible in practice when the PLC is based on a popular operating system like a stripped-down Windows or a stripped-down Linux.

But a lot of PLCs are just weird. Their operating system, their code, does one thing. It does the PLC thing. In theory, you could break into the PLC and give it new code.

But if I want to pivot through a PLC to a Windows device, how am I going to get into the Windows device? I might want to get into it with a remote desktop. There is no remote desktop client on a PLC. It doesn’t exist.

And so, pivoting through PLCs, the attacker might, depending on the version of the PLC, have to do an enormous amount more work to get pivoted through a PLC.

And so if the only way into, let’s say, a safety system target, a really critical system, is to pivot through three different PLCs, pivoting through firewalls each time, that’s going to be really hard to do.

Whereas, I remember a presentation from Dale Peterson at S4 last year or the year before, where he was talking about network segmentation. He says network segmentation, firewalls, are almost always the second thing that industrial sites do to launch their security program.

And I’m going, excuse me, excuse me, what second thing? What’s the first thing? I thought firewalls were the first thing everybody does. “Andrew,” he says, “the first thing is to take the passwordless HMI off of the internet. That’s the first thing you have to do.” And I’m going, yep, you’re right.

And a tool like this will be able to look at your network and say, here’s my network: if I want to go from the bad guys into this HMI, it’s on the internet. It has no password.

That’s your number one. It can tell you that. Not just policy, but it says, and the safety systems back there, you’ve got to pivot through three PLCs.

That’s going to be really hard to do. You might have some other security you might want to deploy in between. So this is the concept of pivoting that I found very attractive in this tool: measuring the difficulty of an attacker from the internet reaching a target inside of a defensive posture.

Andrew Ginter
That’s interesting. We’ve had guests on the show talking about attack paths. These are tools that build a model of the system and count all of the ways that an attacker can get from where they are into a consequence that we want to avoid.

And it’s not just counting them, but evaluating, let’s call it, the difficulty. I mean, the classic approximation for risk is likelihood times frequency.

Sorry, likelihood times consequence, or impact, if you wish. And likelihood is a really murky, difficult concept for high-consequence attacks. And so what a lot of people do is they substitute likelihood with difficulty. And they try to evaluate how difficult really nasty attacks are, attacks with really nasty consequences.

It sounds vaguely like you’re doing this. You’re talking about attack paths. You’re talking about difficulty. Is this where you’re going? The one thing you haven’t mentioned is consequence.

Vivek Ponnada
Yeah, that’s a good point, because we are doing something unique in that we are allowing the user to evaluate, in this digital replica, how an adversary might be not only pivoting but exploiting different components to get to their crown jewels. The way we’re doing that is showcasing different views of TTPs that are well documented, with all the IOCs and the threat intel that we aggregated. So if it’s a power customer, for example, they could use a Volt Typhoon view to see how a Volt Typhoon actor might be able to leverage initial access, to credential exploitation, to other kinds of exploits within the environment. And there might be a manufacturing customer with a whole different set of interesting TTPs that they want to evaluate. But the idea behind this is you figure out what the generally documented TTPs are for a certain type of adversary and how they might go about it, from your starting point, which is initial access or the starting point of your threat analysis, all the way to the crown jewels. And in doing so, you’re making assumptions, right? Because we’re not in this production environment. We’re not actually exploiting something, but you’re evaluating the different scenarios where you say, OK, I have this Windows workstation and I’m going to use RDP, right? I’m going to exploit something there.

What if RDP was disabled? So these days people have some datasets that they can export from an EDR tool that provide open ports and services, right? Then we know, for example, upfront that some of these services, like SMB or whatever, that you think are typically exploited by the TTP or the threat actor of interest are exploitable, and if you disable that, you now know that at least that path is closed, right?

In other cases, the attack path might show three or four different types of exploits to be able to get to that crown jewel or the crown jewel network.

Then that layer of difficulty, or the complexity of the daisy chaining, is much higher compared to another network or another attack path that is trivial, right? So if it uses native credentials and it only takes one hop in the attack path to get to that asset or network, then, for example, the previous one was more complex to even get to, right?

But at the end of the day, all this conversation so far is about how difficult it is to get to that crown jewel network or the crown jewel asset, right? Not talking about what the attacker might do once they get there, because that part is the impact or the consequence. Here we actually have an automatic assessment based on the types of PLCs or types of controllers or the types of assets we see in general, based on our threat intel and our initial assessment.

But an end user that’s running this tool, or a consultant that’s running this tool, can adjust that. So there’s a manual way for them to say, hey, this network is of a higher priority for me compared to this other network.

Show me what the impact of getting to this network is for me, because this is higher for me. So, to be fair, we’re not doing quantification yet in this tool. We’re limiting ourselves at the moment to how easy or difficult it is to get to a particular crown jewel network and what the adversary might be able to do in that kind of a network. So it’s one of those interesting aspects of that analysis where you’re not doing the analysis of what an attacker would do once they get to a crown jewel, because that’s a whole different ballgame compared to trying to break the kill chain, break the path, way before that. So you’re assessing or analyzing what all the attack paths are and how easy or difficult it is to get to the crown jewels that you’re trying to protect.

Andrew Ginter
Good going. I mean, I have maintained for some time, and it’s easy for me to do because I’m on the outside, I don’t have to do the work, but I’ve maintained for some time that part of a risk assessment should be a description of the simplest attack, or three, that remain credible threats in the defensive posture, threats able to bring about unacceptable consequences. There’s always a path that will let an attacker bring about an unacceptable consequence. The question is how difficult it is.

And so to me, the risk assessment should include a description of the simplest such attack or attacks, plural.

So that’s sort of one. Is this kind of what you’re doing? Can you give me the next level of detail on what you’re looking at and how you’re making these decisions?

Vivek Ponnada
Yeah, definitely. So the problem, like you described, is that there might be some open ports or services that are vulnerable.

However, if those ports are closed or those services are disabled, then that problem is solved, at least for the moment, right? Unless there’s another vulnerability discovered on the particular asset. So what we’re doing is we’re ingesting information from the various sources that they have.

In other cases, we provide options to add that in the tool, so that you have the contextual information as to what attacks are possible with what’s relevant in that environment, right?

And in the past, people did this using questionnaires, asking people, or evaluating with subject matter experts, using a tabletop or something like that. But the beauty of our Frenos platform is that you’re actually able to do this in an automated fashion and at scale, because if you have a typical customer with dozens of end-user sites and hundreds or even thousands of networks, you’re not actually able to analyze the risk of each network, of each asset, down to the level of what’s possible with the given ports and services or installed software, or software that isn’t installed, in that environment, right?

But if you’re able to ingest all this information, right from the IP addresses and different types of assets and the vulnerabilities tied to them, to the ports and services that are enabled or disabled, or in other cases making an exception to say, hey, I’m disabling this using some kind of application whitelisting or some kind of segmentation,

all the information at scale can be analyzed and you can get a view that shows a realistic and more or less validated attack path, versus someone that’s just looking at a piece of paper or a complex network in a manual fashion.

So this is where I think the big difference is, in that we’re looking at the attack complexity and the attack path at scale, whether it’s tens of sites or thousands of networks, and able to decipher what the context is for exploitation or just lateral movement or whatever the path might be to get to your crown jewels.

Andrew Ginter
So you’ve mentioned a couple of times at scale, you’ve mentioned a couple of times the potential for ingesting information about a lot of assets and networks. The asset inventory tools out there produce that knowledge already. I’m guessing you’re interfaced with them.

Can you talk about that? How do you get data? How do you get the data about the system that you’re going to analyze?

Vivek Ponnada
Yeah, that’s a great question. We definitely can ingest information from a variety of sources. So the platform can ingest information offline: drag and drop a CSV or an XML file or any kind of spreadsheet.

And we also have API hooks to be able to automatically ingest information from the likes of Dragos, Nozomi, and Claroty, which are the OT security product vendors. We can also ingest information from CMDBs or any kind of centralized data repositories like Rapid7 or Tenable.

In other cases, the customers might have just spreadsheets from the last time they did a site walk. We can ingest that too. So we’re not restricted to ingesting any specific type of format. We have a command line tool that can ingest other sources as well.

But the basis, the digital twin, starts with the firewall and the config file. So we ingest information from the likes of Fortinet, Cisco, Palo Alto, you name it.

Then we ingest information from these IT or OT tools. At the end of the day, the more information that’s provided, the higher the fidelity of the data. But the beauty of the platform is that if you don’t have any kind of information,

we can not only create mitigating controls and options within the platform, but we also built an extension of the Frenos platform called Optica, where you can quickly leverage existing templates, for example Dell servers or Cisco routers or Rockwell PLCs.

Within a few minutes, you can drag and drop and build a template, which you then import into Frenos to replicate what might be in the system already. So, long story short, any kind of asset information or vulnerability information out there, we can ingest.

And if there is none, or there’s limited visibility in certain sections or locations, we can build something that’s very similar, so that the customers can have a view of what the risk is in a similar environment.

Andrew Ginter
And you mentioned a couple of times, I remember here, compensating controls. I mean, the compensating control everybody talks about is more firewall rules, more firewalls, more firewall rules: keep the bad guys away from the vulnerable assets that we can’t patch because we can’t afford to shut everything down and test everything again.

Can you talk about compensating controls? What other kinds of compensating controls might your system recommend?

Vivek Ponnada
That’s a great question, because as we were discussing earlier, in OT not everything is fixable, because a patch might not be available or an outage window is not available, right? So historically, most people have used a combination of allow listing or deny listing, or some kind of ports and services disabled, or, to your point, firewall rules and segmentation have a place in that as well.

Overall, the key is to figure out what the attack path is and in which fashion you can break that attack path. So if the consideration is from Level 4 through a DMZ or firewall, and the firewall rule was any-any or something that was allowing too much, maybe too many protocols or something that could be disabled, you can start there as a preference. If that’s not possible, or that’s not a project you can take, the next thing could be, hey, I’m leveraging this kind of SMB or other exploit at that Level 3 device before going to Level 2.

Let’s look at what this service was on that particular asset, so you can disable that. So within the tool we built in almost 20 or so different options for combinations of all these compensating controls that are historically used in OT. So it could be a combination of a firewall rule, or a service or port disabled, or in other cases it could be disconnecting them to put them in a different segment. Again, this is not new, right? This is how historically OT has been able to mitigate some of the risk.

We’re just bringing that to the forefront to see or show you what other things can be done to break the attack path, versus strictly talking about vulnerability management and fixing the problem by applying a patch, which is not practical, as we talked about.

Andrew Ginter
Compensating controls are tricky, Nate. Imagine we identify a vulnerability, a weakness in a defensive posture: there’s a new vulnerability announced in some piece of software that we use on some PLC or safety system or who knows what, deep in our architecture. What do we do about that? It’s a question everybody asks. Sort of the consensus that’s building up is that if that system is exposed to attack, then we have to put compensating measures in.

If it’s not exposed, or if it’s really hard to reach, maybe we don’t need to change anything in the short term until our next opportunity to do an upgrade or a planned outage or something.

And a tool like this one, like the Frenos tool, is one that can tell us how reachable it is, how exposed it is, and compare that to our risk tolerance. Are we running a passenger rail switching system? Are we running a small bakery?

Different levels of exposure are acceptable in different circumstances. So having the tool give us a sense of how exposed we are is useful in making that decision: are we going to patch or not? And if we have to do something, it’s useful to have a list of compensating controls, sort of the list that I heard Vivek go through, but they’re probably going to add to this if they haven’t already.

You can change permissions. If you’ve got a file server where sharing files is the problem and the bad guys can put a nasty on the file server, change permissions so that it’s harder to do that.

Turn off services, programs that are running. Windows ships with, I don’t know, 73 services running. Most industrial systems don’t need all of these services. It would have been nice to turn them off ages ago; if you haven’t already turned them off, and there’s a vulnerability in one of these services and you’re pretty sure you’re not using it, you can turn it off.

Add firewall rules that make it harder to reach the system. Add firewall rules that say, fine, I need to reach the system for some of the services, but I don’t think I ever need to reach this service from the outside, even if I need to use it on the inside, so add a firewall rule that blocks access to that service on that host from the outside.

None of this is easy. For every change you make to an important system, the engineering team has to ask the question: how likely is it that I’m messing stuff up here? How likely is it that I’m introducing a problem that’s going to bite me with a really serious consequence? How likely is it that the cure is worse than the disease here? So compensating controls aren’t easy, but what I see this tool doing is giving us more information about the vulnerable system, about how reachable that vulnerable system is. What are the paths that are easiest to get to that vulnerable system? If I can turn off, I don’t know, remote desktop halfway through the attack path and make the attack that much more difficult, now you have to go through, I don’t know, PLCs instead of Windows boxes.

That’s useful knowledge. This is all useful knowledge. We need as much ammunition as we can get when we’re making these difficult decisions about, shoot, I have to change the system to make it less vulnerable. What am I going to change without breaking something?

Andrew Ginter
Well, thank you so much for joining us, Vivek. Before I let you go, can I ask, can you sum up for our listeners what the most important points are to take away from this new technology? And, I don’t know, what can they do next?

Vivek Ponnada
Yeah, for sure. So the quick summary is we’re trying to solve a problem that’s been around for a decade plus. Lots of customers do not have a risk assessment in place. They’re not quite sure where they stand currently.

So some of them are early in their journey, with this lack of information. They still need to figure out where they have to invest their next dollar or next hour of resource. And in other cases they have spent the past three or five years developing an OT security program.

A lot of information is available, lots of alerts, but again they’re not so sure how they compare to their industry peers, or how they compare to where they should be in their security posture management.

So what Frenos is able to do is to both leverage their existing data sets and, where information is missing, provide something that’s a replica of their environment, showcase where they should be focusing in terms of breaking the attack paths, highlighting not just where they currently stand but also where they are compared to yesterday. So overall this is what most executives have been asking before investing in OT security: where do we stand currently? How good are we compared to an existing known

attack vector or campaign, if you will, and then how good can we be currently, as in today, because the risks are not staying constant, so how do we keep up with it? So the outcome of the Frenos platform is both a point-in-time assessment, if you like, and also continuous posture management, because you’re able to validate what compensating controls and preventive measures you are deploying or implementing and whether they’re going well or not.

So the conclusion is that we are a security posture management and visibility company that’s able to bring out the best in your existing data sets, provide you the gaps and the gap analysis, and help you figure out where to invest your next dollar or resource, on what site or what location.

And if you’d like to know more, hit me up on LinkedIn. My email is Vivek at Frenos.io, or I’m happy to connect with you on LinkedIn to take it from there. If you’d like more information, hit up our website, Frenos.io, as well. You’ll see all the information about our current use cases, the different products and services we have to offer. So I’m looking forward to connecting with more of you.

Nathaniel Nelson
Andrew, that just about does it for your interview with Vivek Ponnada. Do you have any final word to take us out with today?

Andrew Ginter
Yeah. This topic is timely, the topic of risk-based decision-making. I mean, NIS2 is coming into effect in a lot of countries, particularly in Europe. The regulation in every country is different, but the directive says you have to be making risk-based decisions.

And I’m sorry, a risk assessment should be much more than a list of unpatched vulnerabilities. A list of unpatched vulnerabilities does not tell you how vulnerable you are.

It’s just a list of vulnerabilities. To figure out how much trouble you’re in, you need a lot more information. You need information about which assets are most critical. You need information about how reachable those critical assets are for your adversaries.

And when new vulnerabilities are announced or arise that simplify the pivoting path, that simplify reachability of a critical asset for your adversaries, you need advice as to, that’s what you need to fix next, and here are your options for fixing that. So I see this kind of tool as a step in the right direction. This is the kind of information that a lot of us need, not just in the world of NIS2, but in the world of managing risk, managing reachability.

You know, we’ve all segmented our networks. What does that mean? You can still reach, bang, bang, bang, pivot on through. Well, then, what does that mean? This kind of tool tells us what that means. It gives us deeper visibility into reachability and vulnerability of the critical assets, risk, opportunity to attack. You know, I don’t like the word vulnerability. Too often it means software vulnerability. This kind of tool exposes attack opportunities and tells us what to do about them. So to me, that’s a very useful thing to do.

Nathaniel Nelson
Well, thank you to Vivek for highlighting all that for us. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

The post Managing Risk with Digital Twins – What Do We Do Next? – Episode 144 appeared first on Waterfall Security Solutions.

IT & OT Relationship Management
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/it-ot-relationship-management/
Mon, 20 Oct 2025 13:23:37 +0000

The post IT & OT Relationship Management appeared first on Waterfall Security Solutions.

IT & OT Relationship Management eBook

In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. Much has been written about the problem. Most of that writing misses the point. In most cases, the relationship problem can be resolved with a little clarity, a bit more good will, and a modicum of mutual education.

The root cause of most IT/OT disputes is consequence – IT and OT networks in most organizations have dramatically different worst-case consequences of compromise. These sharply different consequences demand very different management disciplines for OT vs. IT assets and networks. Compounding the problem is each side’s limited understanding of the other’s threats, risks and constraints.

While there is no “magic bullet”, effective cooperation to define and develop a workable OT security program proceeds much more smoothly with mutual understanding. Providing the foundation of that understanding is the goal of this guide.

Request the guide to explore:

Addressing espionage vs. sabotage – different risk management goals

Common misunderstandings – criticality, credibility, and cost-cutting

Prioritizing prevention – why segmentation and dependency analysis is so important in OT

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

FAQs About IT & OT Relationship Management

In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. These teams work in the same organization, support the same mission, and even address many of the same threats, but when they sit down together it sounds like they need relationship counselling.

Much has been written about the problem. Most of that writing misses the point, focusing on symptoms of the disagreement rather than the root cause. The root cause is consequence – IT and OT networks in many organizations have dramatically different worst-case consequences of compromise. These sharply different consequences demand different management disciplines for OT vs. IT assets and networks. Compounding the problem is each side’s poor understanding of the other’s threats, risks and constraints.

Mutual education is a key starting point. The goal of IT security teams is most often to manage business risk by protecting information – information is the asset. The security goal for most OT / engineering teams is to protect safe, reliable and efficient operations of the physical asset – information is the threat. The only way a control system can change from a normal state to a compromised state is if attack information somehow enters the control system. The focus for engineering teams must be to control the flow of potential attack information, not to protect that information.

The right question is not “Who should manage each asset?” but “How should each asset be managed?” While teams may argue over who should maintain which assets, the real question is “What are the consequences for the business if the assets are mis-managed?” Horror stories abound: an IT intern schedules a complete backup of the power plant control system at 2:00 AM and takes the entire plant down for the duration of the backup. A new Active Directory policy universally schedules a complete virus scan on every computer in the company at 3:00 AM and takes down every factory in the company.

In a real sense who does the job does not matter, so long as they have the skills, knowledge, credentials and certifications to manage each asset correctly. The engineers who manage OT-critical Windows systems – does it make sense to make these people part of the IT team that manages Windows servers? There may be benefits – efficiencies, cross-training opportunities, or better expert retention rates because bigger groups lead to greater opportunities for advancement. There may also be risks, if OT people are promoted into upper management roles and we no longer have enough people at lower levels trained and certified on how OT equipment must be managed. These are all organizational questions that can and should be answered independently, once we have agreed on how machines in OT must be managed differently from what appear to be similar machines in IT networks.

Doing the Math – Remote Access at Wind Farms
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/remote-access-at-wind-farms/
Mon, 22 Sep 2025 12:07:50 +0000

The post Doing the Math – Remote Access at Wind Farms appeared first on Waterfall Security Solutions.
By Andrew Ginter, VP Industrial Security, Waterfall Security

Stuff wears out. Friction is the enemy of moving parts and rotating equipment. Vibration is the symptom of wear – in conventional generators and wind farms both. But the math is different in wind farms. 

In a conventional generator – coal, natural gas, or hydro – you have a turbine that turns steam pressure, chemical energy, or water pressure respectively into rotational energy. The rotating turbine turns a generator, which produces power. The generator rotates as well, but it is the turbine that suffers most of the friction and most of the wear.

So we monitor the turbines for vibration anomalies; gas turbines we also monitor for heat anomalies. We send a lot of detailed information about these symptoms to the turbine manufacturer. The manufacturer diagnoses the wear and, about once a quarter, remotes into the turbine management system to adjust the turbine. These adjustments increase runtime between maintenance outages – one way of minimizing the cost of maintaining the turbines.

There is a similar situation for wind farms. There is enormous stress on the bearings and other elements of a wind turbine. These things wear and need adjustment from time to time. So what’s the difference?

The math differs. A large power plant has maybe half a dozen steam or gas or hydro turbines. If the manufacturer remotes in once a quarter for an hour-long adjustment each time, that’s 6 hours of remote access per quarter. Many power plants use unidirectional remote screen view for this – extremely secure attended remote access. An engineer at the plant is on the phone with the turbine support technician, the engineer takes advice, asks questions and moves the mouse on the turbine management system. This cost is acceptable – 6 hours a quarter. The site engineer has the added benefit of supervising and understanding what the vendor technician has done to the site’s 6 very large, very expensive turbines.

The difference is math – a large wind farm has 300 turbines. Each of these smaller turbines wears out roughly as fast as the conventional turbines. Each of these wind turbines needs adjustment, maybe once a quarter as well. That’s roughly 300 hours of remote access sessions per quarter, adjusting the turbines – fifty times the conventional plant’s 6 hours.

It gets worse. Wind turbine technology is not as mature as 50-year-old conventional turbine technology. In older wind farms, there may be 5-6 vendors involved in supplying different kinds of technology in each turbine, and each of them needs to log into each turbine control system roughly once per quarter. That’s 1500-1800 hours of remote access sessions per quarter. Back of the envelope, there are 13 weeks in a quarter and so 13 x 5 x 8 = 520 working hours per quarter, give or take holidays. In these older, larger wind farms, therefore, we’re looking at 3-4 vendor remote access sessions going on simultaneously, to 3-4 different turbines, every working hour of the quarter.

But turbine technology is improving. In modern wind farms, there may be only a couple of vendors, each logging into each turbine roughly once per quarter, to adjust the turbines to minimize wear. That is still 1 or 2 vendors logged in on average, every working hour of every working day. Either way, attended unidirectional remote access, no matter how amazingly secure, is impractical. The math doesn’t work.

Renewables are the future of power generation – so we must solve this problem. This math is why Waterfall invented HERA, hardware-enforced remote access: hardware-enforced, unattended remote access. Vendors can be logged in constantly, across the Internet, using technology that is much more secure than “secure” software remote access (SRA).

Remote access for renewables is the topic the inventors of HERA will discuss on Waterfall’s next webinar. Join Lior Frenkel, CEO and Co-Founder of Waterfall, with me, Andrew Ginter, VP Industrial Security, to look at what’s needed for strong remote access to renewables, and how Waterfall is responding to this need with something brand new – a kind of technology the world has never seen before. We look at how customers showed us what they needed, what we built (HERA), how it works, and how it is dramatically more secure than software remote access / SRA.

We invite you to join us. Click here to be part of the hardware-enforced future of OT security in renewable generation.

I don’t sign s**t – Episode 143 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/i-dont-sign-st-episode-143/ Wed, 10 Sep 2025 08:31:45 +0000 https://waterfall-security.com/?p=35976 Tim McCreight of TaleCraft Security in his (coming soon) book "I don't sign s**t" uses story-telling to argue that front line security leaders should not be accepting multi-billion dollar risks on behalf of the business. We need to escalate those decisions - with often surprising results when we do.


I don’t sign s**t – Episode 143

We don't have budget to fix the problem, so we accept the risk? Tim McCreight of TaleCraft Security in his (coming soon) book "I Don't Sign S**t" uses story-telling to argue that front line security leaders should not be accepting multi-billion dollar risks on behalf of the business. We need to escalate those decisions - with often surprising results when we do.


“It always comes down to can I have a meaningful business discussion to talk about the risk? What’s the risk that we’re facing? How can we reduce that risk and can we actually pull this off with the resources that we have?” – Tim McCreight

Transcript of I don’t sign s**t | Episode 143

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Hey everyone, and welcome to the Industrial Security Podcast. My name is Nate Nelson. I’m here as usual with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who is going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Tim McCreight. He is the CEO and founder of TaleCraft Security, and his topic is the book that he’s working on. The working title is We Don’t Sign Shit, which is a bit of a controversial title, but he’s talking about risk. Lots of technical detail, lots of examples, talking about who should really be making high-level decisions about risk in an organization.

Nathaniel Nelson
Then without further ado, here’s your conversation with Tim.

Andrew Ginter
Hello, Tim, and welcome to the podcast. Before we get started, can I ask you to say a few words for our listeners? You know, tell us a bit about yourself and about the good work that you’re doing at TaleCraft.

Tim McCreight
Hi folks, my name is Tim McCreight. I’m the CEO and founder of TaleCraft Security. This is year 44 now in the security industry. I started my career in 1981 when I got out of the military, desperately needed a job and took a role as a security officer in a hotel in downtown Winnipeg, Manitoba.

Shortly after, I was moved into the chief security officer role for that hotel and others and had an opportunity to move into security as a career path. And I haven’t looked back. I also decided I wanted to learn more about cybersecurity.

Holy smokes, in ’98, ’99, I took myself out of the workforce for two years, learned as much as I could about information systems, and then came back for the latter part of my career and have held roles as a chief information security officer in a number of organizations. So I’ve had the pleasure and the honor of being both in physical and cybersecurity for the past 40 some years.

Andrew Ginter
And tell me about TaleCraft

Tim McCreight
It’s a boutique firm with two of our lines. Our first line is that it’s new skills from the old guard, and we are here to help give back and grow.

And it’s our opportunity to provide services to clients focusing on a risk-based approach to developing security programs. We teach security professionals how to tell their story and how to use the concepts of storytelling to present security risks and ideas to executives.

And finally, we have a series of online courses through our TaleCraft University, where there’s a chance to learn more about the principles of ESRM and other skills that we’re going to be adding to our repertoire of classes in the near future.

Andrew Ginter
And our topic is your new book. You know, I’m eagerly awaiting a look at the book. Can I ask you, before we even get into the content of the book, how’s it coming? When are we going to see this thing?

Tim McCreight
Yeah. Well, thank you for asking. I had great intentions to publish the book, hopefully this year. Unfortunately, some things changed last year. I was laid off from a role that I had and I started TaleCraft Security.

So sadly, my days have been absorbed by the work that it takes to stand up a business and get it up and running. And my hat’s off to all the entrepreneurs out there who do all of these things every day. I’m new to this. So understanding what you have to do to stand up a business, get it running, to market it, to run the finances, et cetera, it has been all-consuming. So the book has unfortunately taken a bit of a backseat, but I’ve got some breathing room now. I’ve got into a bit of a rhythm.

It’s a chance for me to get back to the book and start working through it. And to me, it’s appropriate. It’s a really good time. If I’m following the arc of a story, this is the latter part of that story arc. So I get a chance to help fill in that last part of the story, my own personal story, and to put that into the book.

Andrew Ginter
I’m sorry to hear that. I’m, like I said, looking forward to it. We have talked about the book in the past. Let me ask you again, sort of big picture. You know, I’m focused on industrial cybersecurity. I saw a lot of value in the content you described to us as being produced. But can you talk about, you know, how industrial is the book?

We’re talking about risk. We’re talking about leadership, right? How industrial does it get? I know you do a podcast. You do Caffeinated Risk with Doug Leese, who’s a big contributor at Enbridge. He’s deep industrial. How industrial are you? How industrial is this book?

Tim McCreight
It spans around 40 years of my career, starting from, you know, physical security roles that I had, but also dealing with the security requirements for telecommunications back in the eighties into the nineties, getting ready for, and helping with, the security planning for the Olympics in the early two thousands, working into the cyberspace and understanding the value of first information security, then it turned into cyber security, then focusing on the OT environment as well, when I had a chance to work in critical infrastructure and oil and gas.

And then finally, you know, the consistent message throughout the book is this concept of risk, and that our world, when we first began this idea of industrial security back in the forties, bringing it up to where we need to be now from a professional perspective and how we view risk.

I do touch and do speak a little bit about the the worlds that I had a chance to work in from an industrial perspective. The overarching theme though is really this concept of risk and how we need to continue to focus on risk regardless of the environment that we’re in.

And some of the interesting stories I had along the way, some of the, honest to God, some of the mistakes I made along the way as well. I’ve learned more from mistakes than I have from successes.

And understanding the things that I needed to get better at throughout my career. I’m hoping that folks, when they do get a chance to read the book, that they recognize they don’t need to spend 40 some years to get better at their profession. You can do it in less time and you can do it by focusing on risk, regardless of whether you’re in the IT, the OT or the physical space.

Andrew Ginter
So there is some industrial angle in there, but, like I said, industrial or not, I’m fascinated by the topic. I think I’ve beaten around the bush enough. The title, the working title, is “We Don’t Sign Shit.” What does that mean?

Tim McCreight
I came up with “We Don’t Sign Shit.” And I have a t-shirt downstairs in my office that I got from my team with an oil and gas company I worked with. And Doug Leese was on the team as well.

And it really came down to this, the principle that for years, security was always asked to sign off on risk or to accept it or to endorse it or my favorite, well, security signed off on it, must be good.

Wait a second. We never should have. That never should have been our role. We never should have been put in a position where we had to accept risk on behalf of an organization because that’s not the role of security. Security’s role is to identify the risk.

Identify mitigation strategies and present it back to the executives so that they can make a business decision on the risks that we face. So in my first couple of weeks, when I was at this oil and gas organization, we had a significant risk that came across my desk and it was a letter that I had to sign off on. A brand new staff member came in and said, “Hi boss, I just need to take a look at this.”

I’m like, “Hi, who are you? What team do you work on? And what’s the project you’re working on?” When I read this letter, I’m like, are you serious that we’re accepting a potential billion dollar risk on behalf of this organization? Why?

And like, “Well, we always do this.” Not anymore. And we went upstairs. We got a hold of the right vice president to take a look at this to address the risk and work through it. And as I continued to provide this type of coaching and training to the team there, I kept bringing up the same concept. Look, our job is not to sign shit.

That’s not what we’re here for. We don’t sign off on the risk. We identify what the risk is, the impacts to the organization, what the potential mitigation strategies are. And then we provide that to executives to make a business decision.

So when I did leave the organization for another role, they took me out for lunch and I thought it was pretty cool. The whole team got together and they created this amazing t-shirt and it says, “Team We Don’t Sign Shit.” So it worked, right? And that mindset’s still in place today. I have a chance to touch base with them often. Ask how they’re doing. And all of them said the same thing is that, yeah, it’s that mindset is still there where they’ve embraced the idea that security’s role is to identify the risk and present opportunities to mitigate, but not to accept the risk on behalf of the organization.

That was the whole context of where I took this book: wouldn’t it be great if we could finally get folks to recognize, no, we don’t sign shit. This isn’t our job.

Nathaniel Nelson
So Andrew, I get the idea here. Tim isn’t the one who signs off on the risk. He identifies it and passes it on to business decision makers, but I don’t yet see where the passion for this issue comes from, like why this point in the process is such a big deal.

Andrew Ginter
Well, I can’t speak for Tim, but I’m fascinated by the topic because I see so many organizations doing this a different way. In my books, the people who decide how much budget industrial security gets should be the people making decisions about: are these risks big enough to address today? Is this a serious problem? Because they’re the ones that have the business context. They can compare the industrial risks to the other risks the business is facing, to the other needs of the business, and make business decisions.

When you have the wrong people making the decisions, there’s a real risk that you make the wrong decisions, because the people executing on industrial cybersecurity do not have the business knowledge of what the business needs. They don’t have the big picture of the business, and the people with the big picture of the business do not have the information about the risk and the mitigations and the costs. And so each of them is making the wrong decision. When you bring these people together and the people with the information convey it to the people with the business knowledge, now the people with the business knowledge can make the right decision for the business.

And again, the industrial team executes on it. If you have the wrong people making the decision, you risk making the wrong decision.

Andrew Ginter
So let me ask, I mean, you take a letter into an executive, you do this over and over again in lots of different organizations. How is that received? How do the executives react when you do that?

Tim McCreight
So, I mean, my standard approach has always been, and I use this as my litmus test: if, in the role I play as a chief security officer or CISO, you’re asking me to accept risk, I come back. And the first question I’m going to ask is, if this is the case and you’re asking me to do this, I’m going to say no. Invariably the room gets really quiet.

People start recognizing, oh, he’s serious. Yeah. Because I have no risk tolerance when it comes to work. I would be giving everybody paper notebooks and crayons and I want it back at the end of the day. So I don’t have any tolerance for risk. But to test my theory, when I ask executives, if you’re saying that my role is to sign off on this, then I’m not going to, does that stop the project?

It never does. So the goal then is to ensure that the executives understand it’s their decision, and it’s a business decision that has to be made, not a security decision because my decision is always going to be, I start with no and I’ll negotiate from there.

But when we look at what the process is that I’ve provided and others have followed, I’ll bring the letter with the recommendations to the business for them to review and to either accept the risk, sign off on it, or to find me an opportunity to reduce the risk.

That’s when I start getting attention from the executives. So it moves from shock to he’s serious to, okay, now we can understand what the risk is. Let’s walk through this as a business decision. That’s when you start making headway with executives is taking that approach.

Andrew Ginter
So, I mean, that sounds simple, but in my experience, what you said there is actually very deep. I mean, I’m on the end of a long career as well, and I’ve never been a CISO. And in hindsight, I’ve come to realize that, bluntly, I’m not a very good manager.

Because when someone comes to me, it doesn’t matter, anyone outside my sphere of influence, my scope of responsibility, saying, hey, Andrew, can you do X for me?

Whenever one of my people comes to me with an idea saying, hey, we should do Y, my first instinct is, what a good idea. Yeah, yeah.

Whereas I know that strong managers, their first instinct is no. And now whoever’s coming at us with the request or with the idea has to justify it, has to give some business reasons.

Again, this is deep. It’s a deep difference between you and people like me.

Tim McCreight
Yeah, well, and it is, and don’t get me wrong, there’s an internal struggle every time when I’ve worked through these types of requests, where I want to help people too, but I understand that the path you’ve got to take and how you have to get business to understand it, accept it and move forward with it, it’s different, right? This is why some great friends of mine that I’ve known for years, and they were technical, they’re technically brilliant, they have some amazing skills. Like, honest to God, I stopped being a smart technical person a long time ago, and I’ve relied on just wizards to help move the programs forward.

And I’ve chatted with them as well, and they’re similar to you, Andrew. They’ve got great technical skills. They’ve been doing this for a long time. And one of the folks I chatted with, they’re just like, I can’t give myself the lobotomy to get to that level. I’m like, oh, my God. Okay, fair enough.

And I get it, but the way I’ve always approached this, it’s different, right? So I take myself out of the equation of always wanting to help everybody, to how can I ensure that I’m reducing the risk?

And if I can get to those types of discussions and have them with executives, for me, that’s where I find the value. So all of the work I’ve done in my career to get to this space, the amazing folks that I’ve met along the way, the teams that I’ve helped build, the folks I still call on to mentor me through situations,

It always comes down to, can I have a meaningful business discussion to talk about the risk? And then it takes away some of the emotional response. It takes away that immediate, I need to help everybody do everything because we can’t.

But it gives us a chance to focus on what the problem is. What’s the risk that we’re facing? How can we reduce that risk? And can we actually pull this off with the resources that we have? So yeah, I get it. Not everybody wants to sit in these chairs. I’ve met so many folks throughout my career that they keep looking at me going, Jesus, Tim, why would you ever want to be in that space?

Why would you ever accept the fact that they’re trying to hold you accountable for breaches or for events or incidents? And I challenge back with: for me, it’s that opportunity to speak a business language, to get the folks at the business level to appreciate what we bring to the table, whether it’s in OT security, IT or cyber, physical or cyber.

It’s a chance for all of us to be represented at that table, at that level, but at a business focus. So for me, that’s why I kept looking for these opportunities is can I continue to move the message forward that we’re here to help, but let’s make sure we do it the right way.

Andrew Ginter
So, fascinating principles. Can you give me some examples? I mean, TaleCraft is about telling stories. Can you tell me a story? How did this work? How did it come about? What kind of stories are you telling here?

Tim McCreight
So there’s a lot that I’ve presented over the years, but a really good one is I was working with Bell Canada many years ago. We were awarded the communication contract and some of the advertising media supporting contracts for the Olympics for 2010 for Vancouver.

And I was working with an amazing team at Bell Canada. Doug Leese was on the team as well, reporting into the structure. So it was very cool to work with Doug on some of these projects. We decided that the team that was putting in place the communication structure decided they want to use the first instance of voice over IP, commercial voice over IP. It was called hosted IP telephony.

And it was from Nortel. If folks still remember Nortel, it was from Nortel Networks. We looked at the approach that they were taking, how we were going to be applying the the technology to the Olympic Village, et cetera.

Doug and the team did this amazing work when the risk assessment came across: they were able to intercept a conversation, decrypt the conversation and play it back as an MP4, like an MP3 file.

You could actually hear them talking. And at the time it was the CEO calling his executive assistant to order lunch. And we had that recorded. You could actually hear it. It was just as if they were speaking to you.

So that’s a problem when you’re trying to keep secure communications between endpoints in a communication path. We wrote up the risk assessment. We presented it to the executives. We presented the report up to my chain and it was simple.

Here’s the risk. Here’s the mitigation strategy. We need a business decision for the path that we wanted to take. And that generated quite the stir. My boss got back to me and said, well, we have to change the report. No, I said, no, we don’t. We don’t change this shit. You just move it forward.

We’ve objectively uncovered the risk. The team did a fantastic job. But here’s an attached recording, if you want to hear it, but let’s keep moving forward. So it went up to the next level of management and same thing. Would you alter the report? No, I would not.

Move on, move on. Finally got to the chief security officer. And I remember getting the phone call. It’s like, well, Tim, this is, this is going to cause concerns. No, it’s a business decision. It isn’t about concerns. This is a business decision. And what risk is the business willing to accept?

So he submitted the report forward. Next thing I’m getting a call from an executive office assistant telling me that my flight is going to be booked for the next day. I’ll be flying to present the report. Like, Jesus Christ. So, all right, I got on a plane headed out east.

Waited forever to talk to the CEO at the time. And all they asked was, is this real? Would you change this? I said, no, the risk is legitimate.

And here’s the resolution. Here’s the mitigation path. Here’s the strategy. So they asked how much we needed, what we needed for time. It was about six months worth of work with the folks at Nortel to fix the problem. And all of that to state that had we done this old school many years ago, we would have just accepted the risk and moved forward with it.

That wasn’t our role. That’s not our job, right? In that whole path, that whole risk assessment needed to be presented to the point where executives understood what could potentially happen. We already proved that it could, but they needed to understand here’s the mitigation strategy. We found a way to resolve it.

We need this additional funding, time, resources to fix the problem. So that stuck with me. That was over 20 years ago. And that stuck with me because had I altered my report, had I taken away the risk, had he accepted it on behalf of the security team, we don’t know what could have happened to the transmissions back and forth at the Olympics.

But I do know that in following that process, you never read about anyone’s conversations being intercepted at the 2010 Olympics, did you? It works. The process works, but what it takes is an understanding that from a risk perspective, this is the path that we have to take.

It’s not ours to accept. You have to make sure you get that to the executives and let them make that decision. Those are the stories that we need folks to hear now, as we move into this next phase of developing the profession of security.

Andrew Ginter
So Nate, you might ask, the CEO had a conversation intercepted ordering lunch. Is this worth the big deal that it turned into? And I discussed this offline with Tim and what he came back with was, Andrew, think about it. Imagine that you’re nine days into the 10-day Summer Olympics or two weeks, whatever it is.

And someone, pick someone, let’s say Chinese intelligence, is found to have been intercepting and listening in on all of the conversations between the various nations, teams, coaches in the various sports and their colleagues back in their home countries.

They’ve been listening in on them for the whole Olympics. What would that do to the reputation of the Olympics? What would that do to the reputation of Bell Canada? This is a huge issue. It was a material cost to fix. It took six months and he didn’t say how many people and how much technology.

But this is not something that the security team could say, “Okay, we don’t have any budget to fix this, therefore we have to accept the risk.” That’s the wrong business decision.

When he escalated this, it went all the way up to the CEO who said, yeah, this needs to be fixed. Take the budget, fix it. We cannot accept this risk as a business. That’s a business decision the CEO could make. It’s not a business decision he could make with the budget authority that he had four levels down in the organization.

Andrew Ginter
So fascinating stuff. Again, I look forward to stories in the book. But you mentioned stories at the very beginning when you introduced TaleCraft. Can you tell me more about TaleCraft? How does this idea of storytelling dovetail with the work you’re doing right now?

Tim McCreight
When I was first designing this idea of what TaleCraft could be, we reached out to a good friend of ours here in Calgary, Mike Daigle. He does some amazing work. He spent some time just dissecting what I’ve done in my career and what I’ve accomplished. More importantly, some of the things that he wanted to focus on from a company perspective.

And one of the parts he brought up, and this is how TaleCraft was created, the word “tale,” was I spend a significant amount of my time now telling stories, and it’s to help educate and to inform, and stories to influence and to provide meaning and value to executives.

But the common theme for all of this has been this concept of telling a story. One of the things I found throughout my career is as security professionals move through the ranks, as they begin, junior levels, moving into their first role as management and moving into director positions and eventually chief positions, the principles and the concepts of being able to tell a story or to communicate effectively with executives,

I found that some of my peers weren’t doing a great job or they were, I don’t know about you, Andrew, but if you sit in a presentation that someone’s giving and if all you’re reading is the slide deck, Jesus, you could just send that to me. I got this. I don’t need to spend time watching you stagger through a slide deck or the slides that have a couple of thousand words on them that you’re expecting us to read from 40 feet away.

It doesn’t happen. So what really bothered me is that we started losing this skillset of being able to tell a story. And to effectively use the principles of storytelling to provide input to executives, to make decisions for things like budget or resourcing or allocating, staff resources, et cetera.

So that’s one of the things that we do at TaleCraft is we teach security professionals and others the principle and the concept of storytelling and how the story arc, those three parts to a story arc that we learned as kids, the beginning of the story, the middle where the conflict occurs, the resolution, and finally the end of the story, when you’re closing off and heading back to the village after you slayed the dragon, those three things that we learned as kids, they still apply as an adult because we learn as human beings through stories. We have for hundreds of years, thousands of years, used oral history as a way to present a story from one generation to the next.

We can use the same skill sets when we’re talking to our executives, when we’re explaining a new technique to our team, or when we’re giving an update in the middle of an incident and how you’re going to react to the next problem and how you’re going to solve it.

Those principles exist. It’s reminding people of what the structure is, teaching people how to follow the story arc when they’re presenting their material, taking away the noise, the distractions and everything else that gets in the way when listening to a story, but focus on the human.

And that’s one of the things that we’re doing here at TaleCraft: we’re teaching people to be more human in their approach, and the techniques work. My wife is up in Edmonton doing a conference right now, the CIO Conference for Canada.

And she actually asked me to, this is a first folks, for all those of you who are married, what kind of progress I’ve made. My wife actually asked if I could dissect her presentation and help her with it. I thought that was pretty amazing. We restructured it so that she was able to use props.

She brought in a medical smock and a stethoscope to talk about one of the clients that she worked with. And it sounds like it worked because she got some referrals for folks in the audience and she’s spending time right now talking to more clients up in Edmonton. So yeah, I crossed my fingers I was going to get through that one and it seemed to have worked. But these principles of telling a story, if you have a chance to understand how a story works and you’re able to replicate that in a security environment, all of a sudden now you’re speaking from a human to a human.

You’re not bringing in technology. You’re not talking about controls. You’re not spewing off all of these different firewall rules that we have to go through. Nobody cares about that stuff. What they want to hear is what’s the story and can I link the story to risk?

And at the top end of that arc, can I provide you an opportunity to reduce the risk and then finish the story by asking for help? If we can do that, those types of presentations throughout my career, that’s when I’ve been the most successful is when I can focus on the story I need to tell, get the executives as part of it and focus on the human reaction to the problem that we have.

That’s one of the things that we’re teaching at TaleCraft.

Andrew Ginter
So that makes sense in principle. Let me let me ask you. I mean, I do a lot of presentations. I had an opportunity to present on a sort of an abstract topic at S4, which is the currently the world’s biggest OT security-focused conference. And, if you’re curious, it was the title was “Credibility Versus Likelihood.” So, again, a very sort of abstract, risky, risk-type topic.

And the advice I got from Dale Peterson, the organizer, was, “Andrew, I see your slides. You can’t just read the slides. You’ve got to come to this presentation armed with examples for every slide, for every second slide.”

Tim McCreight
Yep.

Andrew Ginter
“Get up there and tell stories.” So I would give examples. Sometimes they would be attack scenarios. Is that the same kind of thing here?

Tim McCreight
It is, I think. And congratulations for being asked to present at that conference. That’s amazing. So kudos to you. That’s awesome, Andrew. That’s great to hear. But you’re right. You touched on one of the things that a lot of presentations lack, which is the credibility, or how I view the person providing the presentation. Do they have the authority? Do I look at them as someone who’s experienced and understands it?

And you do that by telling the story and providing an example for, let’s say, an attack scenario where you saw how it unfolded, how you were able to detect it, how you were able to contain it, eradicate it, recover back. Those are the stories that people want to hear because it makes it real for people. Providing nothing but a technical description of an attack, or bringing out, as an example, a CVE and breaking it down by different sections on a slide. Oh my God, I would probably poke my eye out with a fork.

But if you walk me through how you identified it, the work that you guys did to identify it, to detect it, to contain it, to eradicate it, and then recover. If you can walk me through those steps from a personal example that you’ve had, that to me is the story.

And that’s the part that gets compelling is now you’ve got someone who’s got real world experience, expertise in this particular problem. They were able to solve it and they provide to me in a story. So now I can pick up those parts. I’m going to remember that part of the presentation because you gave me a great example, which is really, you gave me a great story. Does that make sense?

Andrew Ginter
It does to a degree. Let me distract you for a moment here. I’m not sure this is the same topic, but I’ve, again, written a bit on risk.

Tim McCreight
Okay.

Andrew Ginter
You know, I’ve tried to teach people a bit about what is risk, how do you manage risk, especially in critical infrastructure settings. And I find that a lot of risk assessment reports are, it seems to me, not very useful. They’re not useful as tools to make business decisions.

You get a long list of, you still have 8,000 unpatched vulnerabilities in your OT environment. Any questions? To me, what business decision makers understand more than a list of 8,000 vulnerabilities is attack scenarios.

And so what I’ve argued is that every risk assessment should finish, or lead, if you wish, with a... In physical security, you’re probably more familiar with this than I am, the concept of design basis threat, a description of the capable attack you must defeat. You’re designed to defeat it with a high degree of confidence.

And you look at your existing security posture and decide this class of attack we defeat with a high degree of confidence. These attacks up here, we don’t have that high degree of confidence.

And what I’ve argued is you should tell the story. Go through one or two of these attack scenarios and say, here is an attack that we would not defeat with a high degree of confidence. Is it acceptable that this attack potential is out there? Is that an acceptable risk?

Is that the kind of storytelling we’re talking about here, or have I drifted off into some other space?

Tim McCreight
No, I think you’ve actually applied the principles of telling a story to something as complex as identifying your particular response, or your organization’s response, to either an attack scenario or a more sophisticated attack scenario. So no, I think you’ve nailed it.

What it does, though, in the approach that you just talked about, it gives a few things to the business audience. One, you have a greater understanding of the assets that are in place and how they apply to the business environment, right? Whether it’s in a physical plant structure for OT or whether it’s a pipeline, et cetera.

If you understand the environment that is being targeted, understand the assets that are in place and the controls that you have there in place, that gives you a greater understanding and foundation for what is the potential risk.

By telling the story then of what a particular attack scenario looks like, and if you have a level of confidence that you’d be able to protect against it, you’d be able to walk through the different parts of the story arc.

This is the context of the attack. This is what the attack could look like. Here’s how we would try to resolve it if we can. And then here’s the closing actions that we would be focused on if the attack was either successful or unsuccessful.

So all of those things, I think, apply to the principles of telling a story. What you’ve given is a great example of how to take something that’s very technical, or the typical risk assessment I’ve seen in my career where, “Andrew, here’s your 200-page report, the last hundred pages are all the CVEs we found.”

“And let us know if you need any help.” Well, that doesn’t help me. But if you walk me through a particular example where, here in this one set of infrastructure, we’re liable or we’re open to this type of attack.

I think that’s amazing because it gives the executives the story they need. You understand the assets. Here’s the risk. Here’s the potential impact. Here’s what we can and cannot do to defeat or defend against this.

And then we need your help if this is a risk that you can’t accept. So no, I think you’ve covered all parts of what would be an appropriate story arc for using that type of approach. And honest to God, if you could get more folks to include that in reports, I would love to see that, because I’m like you, I have read too many reports that don’t offer value.

But the description you just provided and the way we break it down, that offers huge value to executives moving forward.

Nathaniel Nelson
Tim’s spending a lot of time emphasizing the importance of storytelling in conveying security concepts to the people who make decisions. Andrew, in your experience, is this sort of thing something you think about a lot? Do you frame your information in the same ways that he’s talking about, or do you have a different sort of approach?

Andrew Ginter
This makes sense to me. It’s sort of a step beyond what I usually do. So I’m very much thinking about what he’s done and how to use it going forward. But just to give you an example, close to a decade ago, I came out with a report, the “Top 20 Cyber Attacks on Industrial Control Systems.”

And it wasn’t so much a report looking backwards saying what has happened. It’s a report looking at what’s possible, what kind of capabilities are out there. And I tried to put together a spectrum of attack scenarios with a spectrum of consequences. Some of the attacks were very simple to carry out and had almost no consequence.

Some of them were really difficult to carry out and would take you down hard and cost an organization billions of dollars or dozens of lives. And everything in between.

And I did that because, in my experience, business decision makers understand attack scenarios better than they understand abstract numeric risk metrics or lists of vulnerabilities.

But I described it as attack scenarios. In hindsight, I think really… what I was doing there was telling some stories and, I need to update that report.

I’m going to do it by updating it to read in more of a storytelling style so that people can hear stories about attacks that they do defeat reliably and why, and attacks that they probably will not defeat with a high degree of confidence and what will be the consequences, so that they can make these business decisions.

Nathaniel Nelson
Yeah, and that sounds nice in theory, but then I’m imagining you tell your nice story to someone in the position to make a decision with money and they come back to you and say, well, Andrew, your story is very nice, but why can’t we defeat all of these attack scenarios with the amount of money we’re giving you?

What do you tell them at that point?

Andrew Ginter
That is a very common reaction, saying, “You’ve asked us where to draw the line. We draw the line above the most sophisticated attack, fix them all.” And then I explain what that’s going to cost.

They haven’t even really paid attention to the attack scenarios. They haven’t even asked me about the attack scenarios. I’ve just explained the concept of a spectrum. They said, yeah, put the line on the top, fix them all. And then you have to explain the cost.

And they go, “Whoa. Okay, so what are these?” And they ask in more detail and you give them the simplest attack, the simplest story that you do not defeat with a high degree of confidence.

And you ask them, is that something we need to fix? And they say, “Yeah, that’s nasty. I could see that happening, fix that. What else do you got?” And you work up the chain and eventually you reach an attack scenario or two where they look at it and say, “That’s just weird.”

I mean, let me give you an extreme example. Imagine that a foreign power has either bribed or blackmailed every employee in a large company. What security program, what policy can the CEO put in place that will defend the organization? Well, there isn’t one. Your entire organization is working against you. Is that a credible threat? The business is probably going to say, no, this is why we have background checks.

A conspiracy that large, the government is going to come in and arrest everyone. That’s not a credible threat. And so the initial reaction might be, yeah, fix it all. Draw the line across the very top of the spectrum.

And when it becomes clear that you can’t do that, this is where you dig into the stories and they have to understand the individual scenarios. And they will eventually draw the line and say, “These three here that you told me about, fix them. The rest of them just don’t seem credible.”

That’s the decision process that you need to go through. And you need to describe the attacks. And I think the right way to describe the attacks is with storytelling.

Andrew Ginter
So, I mean, this all makes great sense to me. I mean, this is why I asked you to be a guest on the podcast. But let me ask you, sort of the next level of detail at TaleCraft. If, I don’t know, a big business, a CISO, says, TaleCraft makes sense to me, and they bring you in, what do you actually do? Do you run seminars? Do you review reports and give advice? What does TaleCraft actually do if somebody engages with you?

Tim McCreight
So there are a couple of things that we can offer to organizations that bring us in, from a TaleCraft perspective. First, let me talk about storytelling. What we offer from the storytelling approach is we will go to the client site.

We will run workshops, anywhere from a four-hour workshop to a two-day workshop. We will bring in team members from the security group, as well as others that the security team interacts with. We’ll go over the principles of storytelling and the concepts of storytelling, how to be more mindful in your public speaking and in your preparation.

And we’ll spend the first day going through the theory and the concepts of telling a story and becoming a better public speaker. Then on the second day of the workshop, we ask all participants to stand up for up to 10 minutes and provide their stories.

At the end of each one of the sessions, we provide positive feedback and provide them opportunities to grow and experience more storytelling opportunities. And then we close out the workshop. We provide reports back to each of the individuals on how we observed them absorbing all of the content from day one, and then offer opportunities for individual mentoring and coaching along the way.

So that’s one of the first services we offer. The second, as we come into organizations, if a CISO or CSO contacts us and asks us for assistance, we can do everything from helping them redesign their security program using the principles of enterprise security risk management, review the current program that they have today, assess the maturity of the controls that they have in place, identify risks that are facing the organization at a strategic level. And then we can come in and help them map out and design a path to greater maturity by assessing the culture of security across the organization as well, where we go out and interview stakeholders from across the organization, from different departments, different divisions, and different levels of employees in the organization and identify their perception of security, the value that security brings to the organization, and how the security team can become greater partners and trusted advisors to the company. That’s part of the work that we do at TaleCraft Security.

Andrew Ginter
I understand as well that you’re working with professional associations or something. I mean, I know that in Canada, there’s the Canadian Information Processing Society. It’s not security focused. Security is an aspect of information processing in the IT space.

In Alberta, there’s APEGA, the Association for Professional Engineers, Geologists, Geophysicists. I would dearly love to see these professions embrace cybersecurity and establish professional standards for practitioners for what is considered acceptable practice so that there is sort of a minimum bar.

So tell me, you’re working with these folks. What is it that you’re doing? How’s that going?

Tim McCreight
Yeah, so this happened, I’ve been thinking about this for probably the last 20-some years, and it always bothered me that the security director, the CISO, et cetera, in an organization, if they did get a chance to come to a board meeting or to be invited to talk to executives, you got a 45-minute time slot. Most times it was less. You had a chance to drink the really good coffee, and then you were asked to leave the room, and that was your time.

Whereas your peers who were running other departments across the organization, in legal, finance, HR, et cetera, they stayed the entire weekend to help map out the strategy for an organization. Yet we weren’t invited to that party.

And that kind of annoyed me for the last some years. So I took it upon myself to begin a journey and I brought some folks along with me. There’s about 15 of us now that are working on the concept of designing and developing the profession of security, focusing on Canada first, and then working through the Commonwealth model to all those countries that follow the Commonwealth parliamentary system.

And it made sense to me. I couldn’t do much work when I was the president of ASIS in 2023. I didn’t want to have any perceived conflict of interest or anything that I was doing. But what we looked at from this concept of designing the profession of security, it’s an opportunity for those who call this our profession and want to be recognized as such to borrow some of the great work that CIPS has done and that APEGA has done here in Alberta, CIPS across the country, to recognize the path that they took, how they were recognized and established, how they developed their charters, et cetera.

So we’ve had an opportunity to chat with some folks from CIPS, but also to look at the work that they’ve done. And I’ve had a chance to review APEGA and it made sense to me. So now, spin forward to 2025. We have a group of individuals who are focused on designing and developing what we consider to be a model that will provide a professional designation for security professionals in Canada.

It’s an opportunity to demonstrate your expertise and your body of knowledge. It’s an opportunity to take all of the designations that you’ve received from groups like ISC², ISACA, ASIS, et cetera, and use them as stepping stones to the next level where you’re accepted as a professional designation, so that a security designation, whatever we can land on for the post-nominals, would be recognized the same as an engineer or as a doctor or as potentially a lawyer.

It gives us the validation of the work that we do. It gives us the recognition of the value that security brings to an organization. And it ties together OT, IT, cyber, physical, all of the different parts that make up security. And it’s a chance for us to come under one umbrella. So the way I describe it is that, for years, I said, I ran a department. It just happens to be security. Now we can say I’m a security professional and my expertise is in OT security or in forensics or in investigations or in crime prevention through environmental design.

It gives us an umbrella designation for security and a chance to specialize. So a good friend of mine is a surgeon. He started off as a doctor and now he’s a thoracic surgeon. So whenever he recognizes himself, it’s that he’s a doctor, my specialty is thoracic surgery, and now he’s chief of thoracic surgery at Vancouver General Hospital. Super great guy, but the path he took was become a doctor, demonstrate your expertise, spend more time to create your specialty, focus on that, be recognized for that. And now that’s his designation.

I want to do the same here in Canada for security. The reason why is, look, you and I both know this, Andrew, and we’ve seen this. If I go do a risk assessment for a client or internally, and if I do a bad job, I just go to the next client.

But if we have a doctor or a lawyer who mishandles a file or mishandles an operation or is liable for their actions, they’re held accountable to it. We are not. What I want to be able to do is put in the standards that demonstrate the level of our expertise, that we’re held accountable for our actions, that we maintain our credentials throughout our career, that we’re able to give back to the profession of security, and that if something does happen, we’re actually accountable for the work that we do.

And I think that’s important, right? Like here in our new house, an engineer stamped our plans. He’s accountable for the work he did. Why can’t we have the same for security? I think we need to, because then that provides executives a greater understanding of how important the work is that we do every day to secure your organization so that you can achieve your goals and objectives.

That’s what I’ve been doing on the side of my desk for the past 20 years. I finally got some breathing room to do it now, with TaleCraft giving me the space to do it. So I’m looking forward to trying to roll this thing out between now and the end of the year, at least the structure of it, and then we engage more people to get their comments and their perceptions so that we’re trying to reflect and represent as many folks as we can across the security profession.

Andrew Ginter
Well, Tim, this has been tremendous. Again, I look forward to your book. Hopefully you find some time to work on it. Before we let you go, can I ask you to sum up for us? What should we take away from the discussion we’ve had in the episode here and use going forward?

Tim McCreight
Thank you for that. I appreciate it. And yeah, fingers crossed, I can get working on the book over the summertime. That’s my goal. But for this particular episode, I think a couple of things. One, as security professionals, it’s not our job to accept the risk. It’s our job to identify it, provide a mitigation strategy, and present it back to executives. So that’s one of the things that I want to keep stressing for everybody. Our role is to be an advisor to the organization.

It’s not to accept the risk on behalf of the organization. Second is, we all have a story to tell. We all understand the value and the power of a story. We all see how important it is when we tell a story to our executives, to our leaders, to our teams, and to others.

You need to focus on those skill sets of how to tell a story, particularly in the role of security, because not everyone understands the value that we bring. And the last point for me is that you need to continue to look for mentors, for instructors, for trainers who can offer you these skill sets and can provide this type of training for you so that you can continue to build your career.

We can’t do this alone. You need to make sure that you have an opportunity to reach out to folks that can help you, whether it’s looking at your security program and trying to build it on a risk-based approach, or teaching people the value of telling a story and then applying those skills to the next presentation you give to executives. If folks remember those things, that’d be terrific.

So for those folks listening to the podcast today, if those points resonate with you, and if you’re looking for opportunities to learn more about telling a story or how to be effective doing that, how to look at your program from a risk-based approach and how to find mentors that can help you in your career path, reach out to TaleCraft Security.

This is what we do. It’s our opportunity to give back to the profession of security, to help organizations build their security programs, and to grow the skill sets of people who want to learn more about telling a story, becoming a better security leader, or understanding the concepts of a risk-based approach to security.

That’s what we’re here at TaleCraft for: to help, to give back, and to grow.

Nathaniel Nelson
Andrew, that seems to have done it with your interview with Tim. Do you have any final word you would like to say today?

Andrew Ginter
Yeah, I mean, I think this is a really important topic. I see way too many security teams saying, this is my budget. This is all I have budget for. I do not have budget to solve that problem. Therefore, I will accept the risk of that problem. And, especially for new projects, for risks that we’ve never considered before, that is often the wrong decision.

When we have new kinds of decisions to make, we need to escalate those decisions to the people who assign budget. We need to tell those people stories so they understand the risk. We have to get the right information, the right stories to the right people so they can make the right decisions. Saying, I have no budget, therefore I’m going to accept the risk many times is the wrong decision for the business. And we cannot afford to be making those wrong decisions time and again.

As the threat environment becomes more dangerous, as consequences of industrial cyber attacks increase, we need to be making the right decisions. And this seems an essential component of making the right decisions.

Nathaniel Nelson
Well, thanks to Tim McCreight for that. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.

The post I don’t sign s**t – Episode 143 appeared first on Waterfall Security Solutions.

Secure Industrial Remote Access Solutions
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-industrial-remote-access-solutions/
Thu, 28 Aug 2025 20:19:01 +0000

Secure, efficient, and reliable industrial remote access solutions enable monitoring, maintenance, and troubleshooting of SCADA and control systems from anywhere, protecting critical operations.

Industrial remote access enables secure, efficient connectivity to SCADA, PLCs, and other control systems, supporting maintenance, monitoring, and troubleshooting. Best practices include robust authentication, encryption, network segmentation, and compliance with standards like IEC 62443 and NIST, while solutions like Waterfall’s HERA provide zero-trust, reliable remote access for critical industrial operations.
Waterfall team

Secure Industrial Remote Access Solutions

In today’s hyperconnected industrial world, remote access has become both a necessity and a risk. Organizations across manufacturing, energy, utilities, and critical infrastructure rely on remote connectivity to monitor systems, troubleshoot equipment, and enable vendor support without dispatching teams onsite. While this brings significant efficiency and cost benefits, it also introduces new security challenges. Unsecured or poorly managed remote connections can serve as entry points for cyberattacks, threatening operational continuity and even safety.

Industrial remote access, therefore, requires a comprehensive framework—one that balances the operational need for connectivity with rigorous security controls. This framework isn’t just about VPNs or firewalls; it encompasses identity management, secure protocols, granular access policies, and continuous monitoring, all tailored to the unique demands of operational technology (OT) environments.

Definition and Scope

What is Industrial Remote Access?

Industrial remote access refers to the secure ability to connect to industrial systems, equipment, and control environments—such as SCADA, PLCs, and HMIs—from distant locations. This connectivity enables operators, engineers, and vendors to monitor performance, troubleshoot issues, deploy updates, and maintain equipment without being physically present at the facility.

How it differs from IT Access

Unlike general IT remote access solutions (think remote desktop tools or corporate VPNs), industrial remote access must account for the unique requirements of operational technology (OT). OT systems prioritize availability, safety, and reliability over typical IT concerns like data confidentiality. While IT remote access is often focused on office productivity, industrial remote access deals with real-time processes, critical infrastructure, and potentially life-safety functions—making its risk profile significantly higher.

A Brief Historical Evolution

Remote access in industry began with direct connections—dial-up modems or leased lines that allowed engineers to reach specific machines. Over time, this evolved into VPN-based approaches and, more recently, cloud-enabled remote access platforms. Each step has increased flexibility and ease of use, but also expanded the attack surface. Today, modern solutions integrate identity and access management, encrypted communications, and continuous monitoring to strike a balance between connectivity and security.

Importance in Modern Manufacturing

Role in Industry 4.0 and Smart Manufacturing

Industrial remote access is a cornerstone of Industry 4.0, where interconnected devices, automation, and data-driven insights define the future of manufacturing. Smart factories depend on continuous access to machine data, predictive maintenance, and real-time monitoring—all of which require reliable and secure remote connectivity. Without industrial remote access, the promise of fully digitalized and adaptive manufacturing environments would remain out of reach.

Benefits for Modern Operations

The practical advantages of industrial remote access are compelling. Manufacturers can dramatically reduce downtime by enabling engineers to diagnose and resolve problems without waiting for travel or onsite presence. Remote updates and configuration changes cut costs while ensuring systems stay current with minimal disruption. Most importantly, operational efficiency improves when plants can be monitored and optimized from anywhere, allowing scarce engineering talent to support multiple sites simultaneously.

Adoption Rates Across Sectors

Adoption of industrial remote access has accelerated rapidly. According to industry surveys, more than 60% of manufacturers now use some form of remote access for equipment maintenance, with adoption highest in sectors like energy, automotive, and pharmaceuticals. The pandemic further accelerated this trend, as facilities sought safe ways to maintain continuity without sending large teams onsite. These adoption rates underscore that remote access is no longer a “nice-to-have,” but an operational necessity in competitive, modern manufacturing.

Key Stakeholders and Use Cases

Machine Builders and OEMs Providing Remote Support

Original Equipment Manufacturers (OEMs) and machine builders increasingly rely on remote access to deliver timely support for their equipment deployed at customer sites. Instead of dispatching technicians worldwide, OEMs can diagnose faults, apply software patches, and guide operators in real time. This not only enhances customer satisfaction but also opens opportunities for new service-based business models.

System Integrators and Remote Commissioning

System integrators play a critical role in setting up and maintaining industrial systems. With secure remote access, they can perform commissioning tasks, configure programmable logic controllers (PLCs), and troubleshoot integration issues without physically being onsite. This accelerates project timelines, lowers costs, and ensures quicker adaptation to client needs.

Plant Operators Monitoring Production Lines

For plant operators, remote access provides continuous visibility into production processes. Operators can track performance metrics, spot deviations, and intervene as necessary from any location. This level of oversight ensures not only higher productivity but also quicker response to emerging issues, which can prevent costly downtime and safety incidents.

Maintenance Teams and Preventive Care

Maintenance engineers benefit enormously from industrial remote access. With real-time monitoring, they can detect anomalies before failures occur, plan preventive maintenance, and conduct corrective interventions remotely when possible. This proactive approach extends equipment life, reduces unplanned outages, and optimizes spare parts management.

Technical Architecture and Components

Connection Methods

VPN Tunnels and Secure Connection Protocols

Virtual Private Networks (VPNs) are one of the most common methods for establishing secure remote connections to industrial environments. They create encrypted tunnels that shield data traffic between external users and internal control systems, helping to prevent unauthorized interception. When paired with industrial-grade firewalls and authentication controls, VPNs provide a strong security foundation for remote access.

Cellular Connectivity Options (4G/5G)

Cellular connections have become increasingly attractive for remote industrial sites where wired infrastructure is limited or unavailable. With the advent of 4G and especially 5G, industrial facilities can achieve low-latency, high-bandwidth connectivity suitable for real-time monitoring and even control tasks. However, security hardening and proper device management are critical to prevent exploitation of cellular endpoints.

Ethernet Solutions for Local and Wide Area Networks

Ethernet-based connections remain a cornerstone of industrial networking. Whether through local area networks (LANs) within a plant or wide area networks (WANs) linking multiple facilities, Ethernet provides reliable, high-speed data transfer for SCADA, PLCs, and other control devices. Segmenting industrial Ethernet networks into security zones and managing traffic with firewalls ensures safe integration of remote access capabilities.

Internet-Based Access Mechanisms

As Industry 4.0 pushes systems toward cloud integration, internet-based access has become more widespread. Technologies such as secure web gateways, remote desktop protocols such as RDP, and vendor-provided cloud platforms enable access through standard internet connections. While highly flexible, these methods also broaden the attack surface, making robust encryption, authentication, and monitoring essential components of secure deployment.

Hardware Infrastructure

Edge Gateways

Industrial-Grade Remote Access Gateways

Edge gateways are specialized devices that serve as secure bridges between external networks and industrial control systems. Unlike generic IT routers, industrial-grade remote access gateways are built with features tailored for OT, such as deep protocol inspection, built-in encryption, and role-based access control. They form a critical first line of defense, ensuring that only authorized and authenticated connections reach sensitive equipment.

Ruggedized Design for Harsh Environments

Industrial environments often involve extreme temperatures, dust, vibration, or electrical noise—conditions that typical IT hardware cannot withstand. Ruggedized edge gateways are designed to operate reliably in these harsh settings, providing uninterrupted remote access even in mission-critical facilities such as oil rigs, power plants, or manufacturing floors. This resilience is essential to maintaining secure connectivity without compromising system uptime.

Integration Capabilities with Existing Infrastructure

One of the strengths of modern edge gateways is their ability to integrate seamlessly with existing industrial infrastructure. They support a wide range of industrial protocols (e.g., Modbus, OPC UA, PROFINET) and can connect legacy equipment to modern remote access frameworks. This makes them invaluable for organizations seeking to modernize their systems incrementally while maintaining backward compatibility with their operational technology.

Control Systems Integration

PLC Connectivity Options

Programmable Logic Controllers (PLCs) are at the heart of industrial automation, and enabling secure remote access to them is essential for monitoring, programming, and troubleshooting. Modern solutions offer connectivity through encrypted VPN tunnels, protocol-specific gateways, or cloud-based interfaces, ensuring engineers can manage PLCs without exposing them directly to the internet. This secure connectivity reduces the risk of unauthorized manipulation while allowing timely interventions.

HMI Remote Visualization Techniques

Human-Machine Interfaces (HMIs) provide operators with a window into industrial processes, and remote visualization extends this capability beyond the plant floor. Techniques such as web-based dashboards, thin-client applications, or secure remote desktop sessions allow engineers to view and interact with HMI screens from afar. When properly secured, this enables faster response times and decision-making without compromising the integrity of the control system.

Control Panel Access Methodologies

Traditional control panels house critical switches, indicators, and manual overrides. With remote access, these panels can be virtually replicated, giving authorized users the ability to monitor or control key functions securely. Methods range from digital twins to secure remote terminal access, which balance the need for operator flexibility with strict safeguards that prevent unsafe operations or accidental activations.

Remote Access Client Applications

Client applications are the user-facing software that enable engineers, operators, and service providers to establish secure connections to industrial assets. These lightweight tools often include multi-factor authentication, encryption, and role-based access to ensure that only authorized users can reach sensitive systems. A well-designed client simplifies the user experience while embedding strong security by default.

Server-Side Management Platforms

Behind every secure remote access solution lies a management platform that enforces policies, provisions users, and controls connectivity. These platforms often reside on-premises, in the cloud, or as hybrid solutions, and provide administrators with centralized visibility and governance. By managing sessions, configurations, and permissions from a single interface, they reduce complexity while strengthening compliance and security.

Authentication and Authorization Systems

Robust authentication and fine-grained authorization are the backbone of secure remote access. Beyond simple usernames and passwords, modern solutions employ multi-factor authentication (MFA), certificate-based access, and role-based control to ensure that users can only perform actions aligned with their responsibilities. In SCADA and industrial contexts, this limits the potential impact of compromised accounts or insider misuse.

Monitoring and Logging Tools

Visibility is essential in remote access environments, and monitoring and logging tools provide the audit trail needed for both security and operational oversight. These systems capture session details, command histories, and user activity, which can be analyzed for anomalies or compliance reporting. Real-time monitoring also enables rapid detection of unauthorized actions, helping to contain potential threats before they escalate.
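As an added example, not code from the article or from Waterfall's products, here is a small Python policy check that combines the role-based authorization of the previous section with the session logging described here, run over constructed remote-access session records. The JSON log format, the role and action names, and the rule that vendor changes need an approved maintenance window are assumptions for illustration.

```python
"""Policy review of industrial remote access session logs (constructed example).

The record format, roles, actions and the maintenance-window rule below are
assumptions for illustration, not the format of any real product.
"""
from dataclasses import dataclass
from datetime import datetime
import json

# Which remote actions each role may perform. The roles follow the article:
# operators view HMIs, maintenance engineers program PLCs, vendors provide
# support. Anything not listed for a role is denied (least privilege).
ROLE_PERMISSIONS = {
    "operator": {"hmi_view", "hmi_ack_alarm"},
    "maintenance": {"hmi_view", "plc_read", "plc_diagnostics", "plc_program_write"},
    "vendor": {"hmi_view", "plc_read", "plc_diagnostics", "plc_program_write"},
}

# Actions that alter control-system state: they require a session that
# authenticated with MFA and, for vendors, an approved maintenance window.
STATE_CHANGING = {"plc_program_write", "manual_override"}


@dataclass(frozen=True)
class Finding:
    session: str
    user: str
    reason: str


def parse_record(line: str) -> dict:
    """Parse one JSON log line; 'ts' is ISO 8601 with a UTC offset."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def check_record(rec: dict, windows: dict) -> list:
    """Apply the access policy to one record and return any findings.

    windows maps a ticket id to a (start, end) datetime pair during which a
    vendor may perform state-changing actions.
    """
    findings = []
    role, action = rec["role"], rec["action"]

    # 1. The action must be on the role's allow-list.
    if action not in ROLE_PERMISSIONS.get(role, set()):
        findings.append(Finding(rec["session"], rec["user"],
                                f"action {action!r} not permitted for role {role!r}"))

    if action in STATE_CHANGING:
        # 2. State changes require MFA on the session.
        if not rec.get("mfa", False):
            findings.append(Finding(rec["session"], rec["user"],
                                    f"state-changing action {action!r} without MFA"))
        # 3. Vendors may change state only inside an approved window.
        if role == "vendor":
            window = windows.get(rec.get("ticket"))
            if window is None or not (window[0] <= rec["ts"] <= window[1]):
                findings.append(Finding(rec["session"], rec["user"],
                                        f"vendor {action!r} outside approved window"))
    return findings


def review_log(lines, windows: dict) -> list:
    """Run the policy over every non-empty line; findings come back in log order."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_record(parse_record(line), windows))
    return findings


# Constructed sample log: four records from three sessions.
SAMPLE_LOG = """
{"ts": "2025-03-10T09:02:11+00:00", "session": "s1", "user": "op.jane", "role": "operator", "mfa": true, "action": "hmi_view", "target": "HMI-LINE3"}
{"ts": "2025-03-10T09:05:40+00:00", "session": "s1", "user": "op.jane", "role": "operator", "mfa": true, "action": "plc_program_write", "target": "PLC-12"}
{"ts": "2025-03-10T22:14:03+00:00", "session": "s2", "user": "vendor.bob", "role": "vendor", "mfa": true, "action": "plc_program_write", "target": "PLC-12", "ticket": "MW-0042"}
{"ts": "2025-03-10T14:30:00+00:00", "session": "s3", "user": "eng.li", "role": "maintenance", "mfa": false, "action": "plc_program_write", "target": "PLC-07"}
"""

# Constructed approval: ticket MW-0042 allows vendor work 08:00-17:00 UTC.
APPROVED_WINDOWS = {
    "MW-0042": (datetime.fromisoformat("2025-03-10T08:00:00+00:00"),
                datetime.fromisoformat("2025-03-10T17:00:00+00:00")),
}

if __name__ == "__main__":
    # Expect three findings: operator writing a PLC, vendor outside the
    # window, and a maintenance write without MFA.
    for f in review_log(SAMPLE_LOG.splitlines(), APPROVED_WINDOWS):
        print(f"[{f.session}] {f.user}: {f.reason}")
```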

Security Framework for Industrial Remote Access

Threat Landscape

Common Attack Vectors Targeting Industrial Systems

Industrial systems face attack vectors ranging from stolen credentials and phishing to compromised remote access tools and exploitation of unpatched software. Attackers frequently exploit weak authentication, exposed VPNs, and misconfigured firewalls to gain an initial foothold. Once inside, they may move laterally across the network to target control systems, disrupt operations, or exfiltrate sensitive data.

Documented Incidents and Case Studies

Real-world incidents highlight the risks of insecure remote access. For example, the 2021 Oldsmar water treatment facility breach involved an attacker remotely accessing operational systems and attempting to manipulate chemical levels in the water supply. Similarly, ransomware campaigns have locked out operators from remote monitoring systems, forcing costly shutdowns. These cases underscore the dangers of inadequate security controls.

Emerging Threats Specific to Remote Industrial Environments

As industrial environments increasingly rely on cloud-based connectivity, IoT devices, and mobile access, new threats emerge. Attackers are developing malware tailored to industrial protocols, exploiting insecure edge devices, and leveraging supply chain compromises to infiltrate trusted systems. The rise of ransomware-as-a-service and nation-state actors targeting critical infrastructure further amplifies the risk, making proactive defense measures essential.

Compliance and Standards

IEC 62443 Requirements for Remote Access

IEC 62443, the leading standard for industrial automation security, establishes strict requirements for secure remote access. It outlines measures such as strong authentication, session encryption, access control policies, and audit logging. Compliance ensures that remote connectivity to control systems is governed by the principle of least privilege and monitored to detect anomalies.

NIST Cybersecurity Framework Application

The NIST Cybersecurity Framework (CSF) provides a flexible model for managing risk in industrial environments, including remote access. By applying its five core functions—Identify, Protect, Detect, Respond, and Recover—organizations can align remote access strategies with broader cybersecurity goals. For example, the “Protect” function stresses identity management and access controls, while “Detect” highlights continuous monitoring of remote sessions.

Industry-Specific Regulations and Guidelines

Different industrial sectors have their own compliance mandates for remote access security. Energy companies must follow NERC CIP standards, while pharmaceutical manufacturers often adhere to FDA regulations for electronic records integrity. The oil and gas sector may face additional regional requirements. Aligning remote access practices with these sector-specific guidelines not only reduces risk but also ensures legal and regulatory compliance.

Certification Processes for Secure Remote Access Solutions

Vendors offering remote access technologies are increasingly seeking certifications to demonstrate compliance and trustworthiness. Certifications such as IEC 62443-4-2 for components or third-party security audits validate that solutions meet stringent cybersecurity requirements. For end-users, choosing certified solutions helps reduce vendor risk and provides assurance that the tools enabling remote access won’t become the weakest link in the control environment.

Securing industrial remote access is no longer optional—it’s essential for protecting operations, maintaining uptime, and safeguarding critical infrastructure. By implementing best practices across authentication, encryption, network segmentation, and monitoring, organizations can reduce risk while reaping the benefits of modern connectivity. 

To see how these principles are applied in practice, explore Waterfall’s HERA remote access solution, a purpose-built platform that provides secure, reliable, and zero-trust remote connectivity for industrial systems. 

Learn more about HERA and how it can safeguard your operations today.

About the author

Waterfall team

FAQs About Industrial Remote Access Solutions

Industrial Remote Access Solutions are specialized technologies that allow authorized personnel to securely connect to industrial control systems—such as SCADA, PLCs, and HMIs—from remote locations. These solutions enable monitoring, troubleshooting, maintenance, and updates without requiring on-site presence, all while addressing the unique requirements of operational technology (OT) environments where availability, reliability, and safety are critical. They typically combine secure connectivity methods, robust authentication and access controls, monitoring and logging, and seamless integration with both modern and legacy industrial systems, ensuring that remote access enhances efficiency without compromising security.

 
 

We need industrial remote access solutions because modern industrial operations demand real-time monitoring, rapid troubleshooting, and efficient maintenance across geographically dispersed facilities. Remote access enables engineers, operators, and vendors to respond quickly to issues, reduce downtime, and optimize production without the delays and costs of traveling on-site. Additionally, with the rise of Industry 4.0, cloud integration, and smart manufacturing, secure remote connectivity is essential for leveraging data-driven insights, predictive maintenance, and continuous process optimization—all while maintaining strict security controls to protect critical infrastructure from cyber threats.

The main use cases for industrial remote access solutions include equipment monitoring, troubleshooting, and maintenance, allowing engineers and operators to diagnose issues and apply fixes without being physically on-site. They also support system commissioning, configuration updates, and software patching for PLCs, SCADA, and HMIs. Additionally, remote access enables vendor and contractor support, real-time production monitoring, and data collection for analytics and predictive maintenance. These use cases improve operational efficiency, reduce downtime, lower costs, and ensure that industrial facilities can respond rapidly to both routine and emergency situations while maintaining security and compliance.

The post Secure Industrial Remote Access Solutions appeared first on Waterfall Security Solutions.

]]>
NIS2 and the Cyber Resilience Act (CRA) – Episode 142 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/nis2-and-the-cyber-resilience-act-cra-episode-142/ Mon, 18 Aug 2025 08:29:50 +0000 https://waterfall-security.com/?p=35094 NIS2 legislation is late in many EU countries, and the new CRA applies to most suppliers of industrial / OT computerized and software products to the EU. Christina Kiefer, attorney at reuschlaw, walks us through what's new and what it means for vendors, as well as for owner / operators.


]]>

NIS2 and the Cyber Resilience Act (CRA) – Episode 142

NIS2 legislation is late in many EU countries, and the new CRA applies to most suppliers of industrial / OT computerized and software products to the EU. Christina Kiefer, attorney at reuschlaw, walks us through what's new and what it means for vendors, as well as for owner / operators.


“So NIS2 is focusing on cybersecurity of entities, and the CRA is focusing on cybersecurity for products with digital elements.” – Christina Kiefer

Transcript of NIS2 and the Cyber Resilience Act (CRA) | Episode 142

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Christina Kiefer. She is an Attorney at Law and a Senior Associate in the Digital Business Department of reuschlaw. And she’s going to be talking to us about cybersecurity regulation in the European Union. As we all know, NIS2 is coming and there’s other stuff coming too.

Nathaniel Nelson
Then without further ado, here’s your conversation with Christina.

Andrew Ginter
Hello, Christina, and welcome to the podcast. Before we get started, can I ask you to say a few words, introduce yourself and your background, and tell us a bit about the good work that you’re doing at reuschlaw.

Christina Kiefer
Yes, of course. So first of all, thank you very much for the invitation. I’m very happy to be in your podcast today. So, yeah, to me, my name is Christina Kiefer. I’m an attorney at law working as a senior associate at our digital business unit in the law firm reuschlaw.

Christina Kiefer
We are based in Germany and reuschlaw is one of Europe’s leading commercial law firms specialized in product law. And for more than 20 years, our team of approximately 30 experts has been advising companies in dynamic industries, both nationally but also internationally.

Christina Kiefer
And for me myself, in my daily work, I advise companies and also public institutions on complex issues in the areas of data protection, cybersecurity, but also IT and contract law.

And one focus of my work is on supporting clients in the introduction of digital products in the EU market, and also looking at the field of cybersecurity and IT law. Since my studies, I have already focused on IT law and cybersecurity. And yes, I have been involved in the legal development in this area since then.

Andrew Ginter
Thank you for that. And our topic is, you know, the law in Europe for cybersecurity, its regulation. The big news in Europe is, of course, NIS2. And it’s not a law, it’s a directive to the nation states to produce laws, to produce regulations. So every country is going to have its own laws. Can I ask you for an update? How’s that going? Who’s got the law? I thought there was a deadline. Do the nations of Europe have this covered, or is it still coming?

Christina Kiefer
Yes, so it’s the last point, so it’s still coming. Some countries have already transposed the NIS2 Directive into national law, but a lot of countries are also still in the development and transposition period.

And that’s why it is confusing, because the NIS2 Directive has already been in force since January 2023, and also the deadline for the EU member states to transpose the NIS2 directive into national law was October 2024.

So because of that, because a lot of member states haven’t transposed the NIS2 directive into national law, the EU Commission launched an infringement proceeding against 23 member states last fall, in 2024. And this has led to some movement in some EU member states. So as of now, 10 countries have fully transposed NIS2 into national law.

So for example, Belgium, Finland, Greece or Italy. And then another 14 countries have published at least some draft legislation so far, and there you can name Bulgaria, Denmark and also Germany. And then there are also two countries, Sweden and Austria, and those two EU member states have published neither a draft nor a final national law. So there we have no public information available on their implementation status yet.

Andrew Ginter
And, you know, someone watching this from the outside with, you know, a command of English and a very limited command of German, is there sort of a standard place that a person like me looking at this from the outside could go to find all this stuff? Or is it on every country’s national website, in a different language, in a different location? Is there any central repository of these rules?

Christina Kiefer
No, not yet at least. Maybe there will be some private websites where you can find all the different implementation information. But until now, when you are a company, either within the EU or outside the EU, when you are providing your services into the EU market, you have to comply with the NIS2 directive. And this means you have to comply with the national laws in each EU member state.

And this is a big challenge for all international companies, because they have to check each national law of each EU member state and they have to check if they fall under the scope of application. And what is also very important is that the different national laws have different obligations. So the NIS2 directive has a minimum standard which all national legislators have to fulfill. But on top of this, some EU member states have imposed more obligations, or a portal for registration, or new reporting obligations.

So you have to check for each EU member state. But here we can also help, because we see in our daily work that this is a very, very hard challenge for companies, to check all the laws and also understand all the national laws. We offer a NIS2 implementation guide where you can get regular updates and an overview of how the different EU member states have transposed NIS2.

And yes, in addition to this, we also have a NIS2 reporting and obligation guide, especially looking at the reporting and registration obligations, to see where you have to register in each EU member state. So you can book our full guide, but we also post some overviews on LinkedIn and in our newsletter.

Andrew Ginter
So thanks for that. You touched on the goal of NIS2, which was to increase consistency among the nation states of Europe in terms of their cyber regulations, and in my understanding, to increase the strength of those regulations across the board. How’s that coming? Are the regulations that are coming out stronger than we saw with NIS2? And are they consistent?

Christina Kiefer
Well, it’s correct that the idea behind NIS2, or the NIS2 directive, was to create a stronger and also more consistent cybersecurity framework across the whole EU and the EU market. And also the NIS2 directive should cover a broad set of sectors for regulated companies. So there should be some consistency within the EU. But it’s an EU directive and not an EU regulation. So this means the NIS2 directive sets only a minimum standard for all EU member states that they can then transpose into national law. And that’s why EU member states are also allowed to go beyond if they want to. And some of the EU member states have already done this. So what we’re seeing right now, looking at the national laws which have already been enacted and also looking at the drafts of some national laws, we see quite a mixed picture. So we don’t see the whole consistency that a lot of companies were hoping for. We see more like a mixed picture, with some countries like Belgium again, for example.

They have pretty much stuck to the core of the directive and haven’t added much on top. So there, for you as a company, you can ensure, when you’re looking at the NIS2 directive or when you have already looked at the NIS2 directive, you can be positive that you also fulfill the requirements of the law of Belgium. But on the other hand, looking for example at Italy, they have expanded the scope of application. So Italy has, for example, included the cultural sector as an additional regulated area. So the sector of culture hasn’t been mentioned in the NIS2 directive at all. But Italy had the idea, well, we can regulate also the cultural sector. So that’s why they have also included it in their national law.

And also in France, you can see that they have imposed more obligations and also have broadened the scope of application of their national law, because here they have also widened the regulated sectors, and here they have added educational institutions, for example. We have a minimum set of standards set out in the NIS2 directive, but across the EU, looking at the national laws, we have a lot of national differences. And that’s why it’s very hard for companies to comply with the NIS2 directive or with the national laws within the EU market.

Nathaniel Nelson
One of the more interesting things that Christina mentioned there, Andrew, was Italy treating its cultural sector as like critical infrastructure, which sounds a little bit, it sounds very Italian, frankly.

Andrew Ginter
Well, I don’t know. It’s not just the Italians. The original, you know, this was back in the, I don’t know, the late noughts. One of the original directives that came out of the American administration was a list of critical infrastructures. And at the time it included something like national monuments as a critical infrastructure sector. And the justification was, you know, any monument or, you know, cultural institution that was seen as essential to national identity, national cohesion.

And then it disappeared in the 2013 update of what were critical national infrastructures. So it’s no longer on CISA’s list of critical infrastructures, but it used to be. And, you know, in terms of Italy, I don’t, you know, I don’t have a lot of information about Italy, but again, you might imagine that national monuments and certain cultural institutions are vital to sort of national identity. Think the Roman Colosseum. Should that be regarded as critical infrastructure? It’s certainly critical to tourism, that’s for sure. So that’s what little I know about it.

Andrew Ginter
And in my recollection of NIS2, one of the changes was increased incident disclosure rules. Now, I’ve argued, or I’ve speculated. We did a threat report at Waterfall. We actually saw numbers sort of plateau in terms of incidents. I wonder, I speculate whether increased incident disclosure rules are in fact reducing disclosures, because lawyers see that disclosing too much information can result in lawsuits. For instance, SolarWinds was sued for incorrect disclosures. And so I’m guessing that they conclude that minimum disclosure is least risk. And if they get partway into an incident and say, this is not material, we don’t need to disclose it, we’re not going to disclose it, we actually see fewer disclosures.

Can you talk about what’s happening with the disclosure rules? How consistent are they? Multinational businesses, how many different ways do they have to file? And are we seeing greater disclosure or, in your estimation, fewer disclosures because of these rules?

Christina Kiefer
Yeah, that’s a really good question, and honestly it’s something we also get asked all the time right now, because we hear again and again: if we operate in several EU countries, do I need to report a security incident in one EU member state or via one portal and then I’m fine, or do I really have to report a security incident to each EU member state which is affected with regard to the security incident?

And yeah, unfortunately, the answer right now is yes, you have to report your security incident to each EU member state, or to each national authority of the EU member states whose national law you fall under. Because the NIS2 directive does not really require one portal or one registration obligation and also one reporting portal for all EU member states. So it’s up to the national authorities and also up to the EU member states to regulate this field by law. And you can see that many national authorities have already recognized this issue and they are also looking at ways to simplify the process of registration but also of reporting security incidents, and there you can see some member states try to at least set up a nationwide portal where you can report your security incident.

Some other national authorities go even further. They say they implement a scheme or structure where you only have to report to them, and then they will transfer the report to the other relevant EU authorities. But again, this is in each EU member state’s national law, so then you also have to check again all the other national laws within the EU. Yes, but also the authorities of the EU member states have already, well, at least indicated that they are talking to each other. So maybe in the future we will get one portal to report everything. But as I said before, it’s not regulated in the NIS2 directive and is also not foreseen for now.

Yes, and to the other part of your question. You could think that when you’re obliged to report everything and each security incident, the reporting would decrease. But you also have to look at the risk of non-compliance, and the risks are very high, because the NIS2 directive is imposing high sanctions and also a lot of authority measures, authority market measures. And that’s why in the daily consulting work, it’s better to say, please report an incident, because also the national authorities communicate this to the companies. They say, please report something, because then we can work together. So the focus of the national authorities, at least in Germany, we see right now is that they want to cooperate together.

They want to ensure a cyber-secure environment and a cyber-secure market. So the focus is to report something that they can work on together, and that’s why it would be better to report, and I would say maybe we also get an increase in reporting.

Andrew Ginter
So I’m a little confused by your answer. The rules that I’m a little bit familiar with are the American Securities and Exchange Commission rules. And those rules mandate that any material incident must be reported to the public, any incident that might cause a reasonable investor to either buy or sell or assign a value to shares in a company.

Which means non-material incidents can be kept quiet. And the SEC disclosures are public. Everyone can see them because reasonable people need information to buy and sell shares. The NIS2 system, is it requiring all incidents to be reported? And are those reports public?

Christina Kiefer
That’s a good point. To the first part of your question, the NIS2 directive and also the reporting obligation is kind of the same as the regulation you mentioned before, because you have to report only severe security incidents. As a regulated company, you are obliged to check if there is a security incident in the first step, and then in the second step you have to check if there is a severe security incident.

And only this security incident you are obliged to report to the national authorities. So that’s kind of the same structure or mechanism. And to the second part of your question, the report will not be published for everyone. So first of all, if you report it to national authorities, only the national authorities have the information. It can happen, because we have in some Member States some laws where people from the public can access or can get access to public information, it can happen that some information will be publicly available. But the first step is that you will only report it to the national authority, and the report will not be available to the public as such.

But next to the reporting obligation to the national authorities, you also have information obligations in the NIS2 directive. So it can happen that you are also obliged to inform the consumers of your services.

Andrew Ginter
So thanks for that. The other big news that I’m aware of in Europe is the CRA, which confuses me because I thought NIS2 was the big deal, yet there’s this other thing that sort of came at me out of the blue a year ago, and I’m going, what’s going on? Can you introduce for us what is the CRA, and how’s it different from NIS2?

Christina Kiefer
Yeah, sure. So, as you mentioned before, the CRA is like the sister or brother and the second major piece of the new European cybersecurity framework alongside the NIS2 Directive.

Christina Kiefer
It’s the Cyber Resilience Act, or for short CRA. And while the NIS2 Directive focuses on the cybersecurity requirements for businesses or entities in critical sectors, the CRA takes a different angle and the CRA introduces EU-wide cybersecurity rules for products.

So NIS2 is focusing on cybersecurity of entities and the CRA is focusing on cybersecurity for products with digital elements. And the other difference is also that the NIS2 directive is an EU directive, so it needs to be transposed into national law by each EU member state, and the Cyber Resilience Act is an EU regulation. So when the Cyber Resilience Act comes into force, it will apply directly in each EU member state.

Andrew Ginter
Okay, so that’s how the CRA fits into NIS2. What is the CRA? What are these rules? Can you give us a high-level summary?

Christina Kiefer
Yeah, sure. So the CRA is the first EU-wide horizontal regulation which imposes cybersecurity rules for products with digital elements. So regulated are products with digital elements, and this definition is very broad. It covers software and also hardware, and also software and hardware components if they are brought to the EU market separately. And products with digital elements are kind of like connected devices and, as I said, software and hardware that can potentially pose a security risk. Also, what is very important, the CRA imposes obligations not only on manufacturers, but also on importers, distributors, and also on those companies which are not resident in the EU, because the main point for the geographical scope of application is that you place a product on the EU market, whether you are located in the EU or not.

Christina Kiefer
So this means also that the Cyber Resilience Act, just like the General Data Protection Regulation, has a global impact for anyone selling tech products in Europe.

Andrew Ginter
So let me jump in real quick here, Nate. What Christina’s described here, the CRA, the scope applies to all digital products sold in Europe. To me, the CRA is, in my estimation, and she’s going to explain more in a few minutes, probably the strictest cybersecurity regulation for products generally in the whole world. It sounds to me like this might become just like GDPR. This was a European regulation that came through a few years ago. It had to do with marketing and the use of private information, in particular my email and sending it. Basically, it was like an anti-spam act. It’s the strictest in the world. And everybody who has any kind of worldwide customer base, which is almost everybody in the digital world that’s sending out marketing emails, is now following the GDPR pretty much worldwide because it’s just too hard to apply one law in one country and one law in the other. So what you do is you pick the strictest that you have to comply with worldwide, which is the GDPR, and you do that worldwide instead of trying to figure out what’s what. It sounds to me like the CRA could very well turn into that kind of thing. It might be the thing that all manufacturers that embed a CPU in their product have to follow worldwide because it’s just too hard to change what they do in one country versus another.

Andrew Ginter
Okay, so can you dig a little deeper? I mean, an automobile, you buy a new automobile from the dealership. My understanding is that it has 250, 300, maybe 325 CPUs in it, all of them running software. It would seem to me that a new automobile is covered by the CRA. What are the obligations of the manufacturer? What should customers like me expect in automobiles that might be different because of the CRA?

Christina Kiefer
Thank you. First of all, looking at your example, automobiles are not covered by the CRA, because the CRA has some exemptions. And the CRA says, we are not regulating products with digital elements which are already regulated by specific product safety laws. And here, looking at the automotive sector, we have for sure in the EU very strong and very specialized regulation for product safety of cars and so on. So that is just for your example, but looking at other products with digital elements, for example wearables or headphones or smartphones, you can say that there are kind of five core obligations for manufacturers in the CRA. So the first obligation is compliance with Annex 1, which means you have to fulfill a list of cybersecurity requirements. And you don’t only have to fulfill those cybersecurity requirements, but you also have to declare and show compliance with Annex 1 of the CRA. So it’s a conformity assessment you have to undergo.

Christina Kiefer
The other obligation, number two, is cyber risk assessment. If you are a manufacturer of a product with digital elements, you are obliged to assess cyber risks, and not only during the development and the construction of your product and also not only during the placing of your product on the EU market, but throughout the whole product life cycle. So if you have a product and you have already placed it on the market, you are obliged to undergo cyber risk assessments. Then looking at the third obligation, it’s free security updates.

Christina Kiefer
So manufacturers have to provide free security updates throughout the expected product life cycle. We have also mandatory incident reporting. So we have here also reporting and registration obligations, such as we already talked about looking at the NIS2 directive. And also, like in each product safety law in the EU, we also have the obligation for technical documentation. So those are the five core obligations: compliance, cyber risk assessment, free security updates, reporting and documentation.

Andrew Ginter
And you mentioned distributors. What are distributors and importers obliged to do?

Christina Kiefer
Yeah, there we have some graduated obligations. So they are not such strict obligations as for manufacturers, but importers and distributors are obliged to assess if the products they are importing and distributing to the EU market are compliant with the whole set of cybersecurity requirements of the CRA. So they have to check if the manufacturer and the product is compliant, and if not, they have to inform and cooperate with the manufacturer to ensure cybersecurity compliance. But importers are also obliged to impose their own measures to fulfill the CRA.

Andrew Ginter
Okay, and you said there were five obligations. You spun through them quickly. Some of them make sense on their own. Do a risk assessment, do it from time to time, see if the risks have changed. That kind of makes sense. The first one, though, comply with Annex 1. That’s like an appendix to the CRA. What’s in there? What are the obligations?

Christina Kiefer
Yes, sure. Annex 1 is, you can also say, Appendix 1 to the CRA. And there you can see there is a list of certain cybersecurity requirements which manufacturers have to fulfill. And the list is divided into two different main areas. One area is cybersecurity requirements. So it focuses on no known vulnerabilities at the time of the market placement, secure default configurations, protection against unauthorized access, ensuring confidentiality, integrity and availability, and also secure deletion and export of user data. So kind of all of the cybersecurity requirements such as those which I have mentioned. And the other area is vulnerability management. So manufacturers have to ensure that they have a structured vulnerability management process, and they have to install a software bill of materials.

They have to provide free security updates. They have to undergo cybersecurity testing and assessments. There needs to be a process to publish information on resolved vulnerabilities. And again, here we also need a clear reporting channel for known vulnerabilities.

Andrew Ginter
So it sounds like you said that a manufacturer is not allowed to ship a product with known vulnerabilities. Practically speaking, how does that work? I mean, a lot of manufacturers in the industrial space use Linux under the hood. Linux is a million lines of code of kernel. And, you know, these devices don’t necessarily do a full desktop-style Linux, but they still have a lot of code that they’re pulling from an open source distribution. And in these millions of lines of code, from time to time, people discover vulnerabilities and they get announced. And so it’s almost a random process. Do I have to suspend shipments the day that a Linux vulnerability comes to light until I can get the thing patched, and then three days later start shipments again? Practically speaking, how does this zero known vulnerabilities requirement work?

Christina Kiefer
Basically, it is like, as you said, because the Cyber Resilience Act focuses on no known vulnerabilities not only in your product but also in the whole supply chain. So the Cyber Resilience Act focuses not only on products with digital elements but also on the cybersecurity of the whole supply chain. So this means, looking at Annex 1 and the cybersecurity requirements, products with digital elements may only be placed on the EU market if they don’t contain any known exploitable vulnerabilities. So it’s not any vulnerability, but it’s any known exploitable vulnerability. That is a clear requirement under Annex 1. And also when you’re looking at making a product available on a market, that doesn’t just mean selling it.

Christina Kiefer
It includes any kind of commercial activity. And also what is a very good question in our daily work, looking at making a product available on the market: a lot of companies say, well, I have a batch of products. So if I have placed this batch of products on the EU market, I have already placed the product on the market. So I can also place the other products of this batch in the future. But it is not correct, because looking at EU product safety law, the regulation is focusing on each product. So looking at these requirements, you can say, first of all you really have to check your own product, your own components, but also the products and the components you are using from the supply chain. And you have to check if there are any known exploitable vulnerabilities. So you have to impose a process to check the known vulnerabilities and also to impose mechanisms to fix those vulnerabilities.

Christina Kiefer
And if you have products already on the market, you don’t have to recall them, because first of all, it’s okay if you have a vulnerability management process which is working and where you can fix those vulnerabilities. And when you have products already in the shipment process, there it’s up to each company to assess if they have to recall products in the shipment process or if they say, okay, we leave it in the shipment process because we know we can fix the vulnerability within two or three days. So in the end, it’s kind of a risk-based approach and each company has to assess what measures are applicable and also necessary.

Andrew Ginter
So that makes a little more sense. I mean, the Linux kernel and sort of core functions in my... I don’t have the numbers, but I’m guessing that you’re going to see a vulnerability every week or two in that large set of software. And if that’s part of a router that you’re shipping or part of a firewall that you’re shipping or part of any kind of product that you’re shipping, does it make sense that, you know, you discover the exploitable vulnerability on Thursday and you have to suspend shipment until, you know, three weeks out when you have incorporated the vulnerability in your build and you’ve repeated all of your product testing, which can be extensive?

Andrew Ginter
And by the time you’re ready to ship that fix, two other problems have been developed and now you can’t ship until, you know... It sounds like it’s not quite that strict. That scenario sounds like nonsense to me. It would never work. You’re saying that there is some flexibility to do reasonable things to keep bringing product to market as long as you’re managing the vulnerabilities over time. Is that fair?

Christina Kiefer
Yes, yes, that’s right. Because in the CRA we have a risk-based approach, and also you have to... No, the basis for each measure you have to impose under the CRA is your cyber risk assessment. So you have to check: what kind of product am I using or am I manufacturing? Which kind of product am I right now placing on the EU market? What are the cybersecurity risks right now? And also what are the specific cybersecurity risks of this known vulnerability?

Christina Kiefer
And then you have to check, do I have a process? Do I have a process imposing appropriate measures to fix those vulnerabilities? And if I have appropriate measures to fix the vulnerabilities in a timely manner, then you are not obliged to recall the product itself. But at the end, looking at a risk-based approach, it’s up to the decision of each company.

Andrew Ginter
So this is a lot of change for a lot of product vendors. Can I ask you, how’s it going? Is it working? Are the vendors confused? Do you have any sort of insight into how it’s going?

Christina Kiefer
Yeah, sure. So what we’re seeing right now, a lot of companies, both manufacturers but also suppliers, are getting ahead of the curve when it comes to the Cyber Resilience Act, because they see that there is a change and there will be new strict obligations, not only on manufacturers, but also in the whole supply chain. So suppliers, distributors, importers are also coming to us and asking if they are under the scope of the CRA. So this is the first point. If you’re a distributor or an importer, you already have to check if you and your company itself falls under the scope of the CRA. And if it is like this, then you are already obliged to ensure all the obligations of the CRA. But it can also happen that suppliers are under the scope of the CRA in an indirect manner.

Because ensuring all those new cybersecurity requirements from a manufacturer point of view, you have to ensure it within the whole supply chain. And the main instrument to ensure this was already in the past and will also be in the future contract management. So you have to impose or transpose all those new obligations to the suppliers via contract management. And there we see different reactions, but there’s definitely a growing awareness that cybersecurity needs to be addressed contractually, especially in relation to the CRA obligations. And looking at contract negotiations, of course, we have some negotiations with the suppliers, and one of the main points which is negotiated is the regulation of enforcement.

Christina Kiefer
Because when you have contractual management looking at cybersecurity requirements, you can not only transpose those obligations to the suppliers, but you also have rules on enforcing those new contractual obligations. For example, contractual penalties. And there we see that contractual penalties often spark some debate during negotiations. But to sum up, in practice, we’ve always been able to find a balanced solution that works for all parties involved.

Nathaniel Nelson
I suppose I could think about any number of potentially trivial electronics products, Andrew, but let’s say that I or my neighbor has a smart fridge, a fridge with a computer in it. We generally assume that those devices don’t even really have security in mind at all. And a security update is so far from the universe of how anyone would interact with such a device, and now we’re saying that that kind of thing is going to be regulated in these ways.

Andrew Ginter
I think the short answer is yes. You might ask, what good does this regulation do for a fridge? And, you know, I think about this sometimes. I think the answer is it depends. You know, a lot of the larger home appliances nowadays have touchscreens. There’s a CPU inside. There’s software inside. These are cyber devices. You might ask, well, when was the last time I updated the firmware in my fridge? How many times am I going to update the firmware in my fridge? Those are good questions. Most people never think about something like that. But the law might, you know, very reasonably apply to the fridge if the fridge is connected to the Internet so that I can see, for example, how much power my fridge is using on my cell phone app.

Isn’t that clever? But now I’ve connected the fridge to the Internet. We all know what happened with, what was it, the Mirai botnet, which took over hundreds of thousands of Internet of Things devices and used them as attack tools for denial of service attacks. If you’ve got an internet-connected fridge, you risk that if you haven’t updated the software. Worse, if someone gets into your fridge and takes over the CPU, they could change the set point on the temperature and cause all your food to spoil. This is a safety risk.

Andrew Ginter
Again, how many consumers are going to update the software in their fridge? Realistically, I don’t think the majority of consumers will, even if there is a safety threat. To me, you know, this is part of the risk assessment. If there’s a safety threat because of these vulnerabilities, you might well need to, I don’t know, auto-update the firmware. That might be part of your risk assessment, so that the consumer doesn’t have to do it. Or better yet, design the fridge so that safety threats because of a compromised CPU are impossible, physically impossible. Make the temperature setting manual or something. But this is a bigger problem than I think one regulation, the question of safety-critical devices connected to the cloud.

Nathaniel Nelson
Yeah, admittedly, the notion of a smart refrigerator safety threat isn’t totally resonating with me. And then we haven’t even discussed the matter of, like, OK, let’s say that my refrigerator gets automatic updates or I just have to click a button in an app when it notifies me to do so to update my firmware. At some point, you know, fridges sit in houses for long periods of time. I can’t recall the last time that my fridge was replaced. In that time, any manufacturer could go out of business. And then how do you get those updates, right?

Andrew Ginter
Exactly. So, you know, to me, this is outside the scope of the CRA, but, you know, to answer your question, to me the solution is, you know, two- or threefold. We need to design safety-critical consumer appliances in such a way that the unsafe conditions cannot be brought about by a cyber attack. I mean, we talk about, you know, fixing known vulnerabilities. That’s only one kind of vulnerability. What about zero days? There’s logically no way that someone can solve all zero days. It’s a nonsensical proposition. So there’s always going to be zero days. What if one is exploited and, you know, a million fridges are set to a set point that’s unsafe?

Andrew Ginter
To me, we’ve got to design the fridges differently, but that’s sort of a different conversation. In fact, that’s the topic of my next book, which is why I care so much about it. But these are important questions, and I think the CRA is a step in the direction of answering them, but I don’t know that it has all the answers.

Andrew Ginter
So work with me. You know, what you described there makes sense for, you know, manufacturers like IBM who can, you know, produce high volumes, or, you know, Sony or the big fish. But, you know, if I’m a small manufacturer, I produce a thousand devices a year. I buy components for these devices. I buy software for these devices from big names like Sony and Microsoft and Oracle. And, you know, I go to Oracle and say, you must meet my contract requirements or I won’t buy my thousand products from you at a cost of $89 a product. Oracle is going to say, take a flying leap. We’re not signing your contract. Is this realistic?

Christina Kiefer
Yes, and we see this also in practice because we are not only consulting the big manufacturers but also the smaller companies in the supply chain. And there you can have different approaches, because when you are buying products from the big companies, first of all, you have to know that they are, or they might be, obliged also under the CRA. So they are fulfilling all those new cybersecurity requirements. And there you also have to check their contracts, because there you can see already they have a lot of new regulations looking at cybersecurity, either implemented into the general contractual documents or implemented into one cybersecurity appendix.

So you see all the companies are looking at the Cyber Resilience Act, and then they are taking measures and also looking at their contract management. So if you are lucky enough, you can see, okay, they have a contract which is already regulating all the obligations under the CRA. And if it’s not like this, we take the approach that we establish a cybersecurity appendix. So when you’re already in a contractual relationship with the big players, you don’t have to negotiate the whole contract from the beginning. You can only show them your appendix, and then on the basis of this appendix, you can discuss the cybersecurity requirements. So this is kind of an approach which has helped also smaller companies in the market.

Andrew Ginter
So you gave the example of headphones and smartphones. For the record, does this apply to industrial products as well? I mean, our listeners care about programmable logic controllers and steam turbines that have embedded computer components, or is it strictly a consumer goods rule?

Christina Kiefer
Now, and this is a very important point to highlight, the Cyber Resilience Act explicitly applies not only to consumer products but also to products in the B2B sector. So this means that all software and all hardware products, along with any related remote data processing solutions, fall under the scope of the CRA, either in B2C or also in B2B relationships.

Andrew Ginter
Well, Christina, thank you so much for joining us. Before we let you go, can I ask you, can you sum up for our listeners? What are the key messages to take away, to understand about what’s happening with cyber regulations, both NIS2 and CRA in Europe, and what we should be doing about them as both consumers and manufacturers?

Christina Kiefer
Yeah, sure, of course. So let me give you a quick recap. So first of all, you see the EU legislature is tightening the cybersecurity requirements significantly with both the NIS2 directive and also the Cyber Resilience Act. And the new requirements affect any company that offers products or services to the EU market, no matter where they are based. So it has a very broad scope of application. Looking at the NIS2 directive, it’s very important to know that the NIS2 directive is already in force, but it has to be transposed into national law, which has not been fulfilled by all EU member states, and the national implementation across the EU is still quite varied.

Looking at the Cyber Resilience Act, the CRA brings new security obligations to products with digital elements, so for all software, for all hardware products. And it is also focusing not only on the cybersecurity of products, but also on the whole supply chain. So both frameworks require companies to take proactive steps right now, looking at risk assessment, risk management, reporting, and also contract management, particularly when it comes to managing their supply chain. So looking at the short implementation deadlines ahead, both from the NIS2 Directive and also the CRA, it’s very important for companies to act now. And the first step we recommend is to identify the relevant laws, because we have a lot of new regulations looking at digital products and digital services. So, first of all, check the relevant laws and the relevant obligations which are applicable to your business.

And here we offer a free NIS2 quick check and also a free CRA quick check where you can just click through the different questions to see if you are under the scope of NIS2 and CRA. And then, after you have clarified that you are affected by one or both of the new regulations, the company needs to review and adopt their cybersecurity processes, both technically and also organizationally. So it’s very crucial to continuously monitor and ensure compliance with the ongoing legal requirements, especially also looking at contract management and focusing on the supply chain. And there we can help national but also international companies with kind of a 360-degree approach to cybersecurity compliance, because we ensure solutions with a range from product development and marketing to reporting and market measures. So, yeah, we give companies practical and also actionable guidance at every step.

So looking at the first step, to act and to identify the relevant laws and obligations for your business, companies can visit our free NIS2 QuickCheck and our free CRA QuickCheck, which is available under nist2-check.com and also... And if you have any further question, you are free and invited to write to me via email or via LinkedIn. Yeah, I’m happy to connect. And thank you very much for the invitation.

Nathaniel Nelson
Andrew, that just about concludes your interview with Christina Kiefer. And maybe for a last word today, we could just talk about what all of these rules mean practically for businesses out there, because, you know, it’s one thing to mention this rule and that rule in a podcast, but it sounds like the kind of stuff we’re talking about here is going to mean a lot of work for a lot of people in the future.

Andrew Ginter
I agree completely. It sounds like a lot of new work and a lot of new risk, both for the critical infrastructure entities that are covered by NIS2 or by the local laws, especially for the larger businesses that are active in multiple jurisdictions, and certainly for any manufacturer who wants to sell anything remotely CPU-like into the European market. It sounds like a lot of work, but I have some hope that, because it’s such a lot of work, it’s also a business opportunity. And we’re going to see entrepreneurs and service providers and even technology providers out there providing services and tools that will automate more and more of this stuff, so that not every manufacturer and every critical infrastructure provider in the European Union, or in the world selling to the European Union, has to invent all of the answers to these new rules by themselves.

Nathaniel Nelson
Well, thank you to Christina for elucidating all of this for us. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post NIS2 and the Cyber Resilience Act (CRA) – Episode 142 appeared first on Waterfall Security Solutions.

SCADA Security Fundamentals
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/what-is-scada-security/
Thu, 14 Aug 2025 11:42:40 +0000
Protect SCADA systems with best practices in SCADA security, including access control, monitoring, encryption, and compliance for critical infrastructure.


SCADA security protects industrial control systems from cyber and operational threats through access controls, encryption, monitoring, governance, and regulatory compliance. Learn how best practices and Waterfall Security solutions safeguard critical infrastructure.

Waterfall team

What is SCADA Security

SCADA systems, or Supervisory Control and Data Acquisition systems, are at the heart of modern industrial operations, controlling everything from power plants and water treatment facilities to manufacturing lines and transportation networks. While they keep critical infrastructure running efficiently, SCADA systems are also increasingly exposed to cyber threats due to greater connectivity and digital integration. Understanding the fundamentals of SCADA security is essential for protecting industrial operations, ensuring safety, and maintaining operational continuity.

Understanding SCADA Systems in Security Context

A SCADA system typically includes several key components:

  • Central control servers that process and manage data

  • Human-Machine Interfaces (HMIs) that allow operators to monitor and control processes

  • Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) that collect data from field devices and execute commands

  • Communication networks connecting the central system with remote devices

These components work together to provide real-time monitoring, automation, and reporting across industrial environments, forming the backbone of critical infrastructure operations.

The evolution of SCADA architecture from isolated to networked environments

Originally, SCADA systems were isolated, often using proprietary protocols and physically separated networks, which naturally limited cyber risks. Over time, they have become increasingly networked, connecting to corporate IT systems, the internet, and cloud platforms to enable remote monitoring and analytics. While this connectivity improves efficiency and operational insight, it also introduces new attack surfaces and vulnerabilities that must be addressed with modern cybersecurity measures.

Critical infrastructure sectors relying on SCADA systems

SCADA systems are essential across multiple critical infrastructure sectors:

  • Energy: Power generation, transmission, and oil & gas refineries rely on SCADA for stability and control.

  • Water and Wastewater: Treatment plants use SCADA to monitor chemical levels, flow rates, and system health.

  • Manufacturing and Industrial Production: Automated production lines and robotics are coordinated through SCADA for efficiency.

  • Transportation and Logistics: Rail networks, traffic systems, and ports use SCADA for safe and timely operations.

A compromise in any of these sectors can have wide-reaching operational, economic, and safety consequences.

Operational technology (OT) vs. information technology (IT) security paradigms

SCADA systems fall under the broader category of OT, which focuses on physical processes and operational continuity. Unlike IT systems, which prioritize data confidentiality and integrity, OT emphasizes safety, uptime, and real-time reliability. Security strategies for SCADA must account for this difference, ensuring that protective measures do not disrupt critical processes while still defending against cyber threats.

Security implications of legacy SCADA implementations

Many SCADA environments still operate on legacy hardware and software that were not designed with modern cybersecurity in mind. These older systems often have outdated protocols, limited patching capabilities, and weak authentication, making them prime targets for attackers. Securing legacy SCADA implementations requires careful risk assessment, network segmentation, and compensating controls that protect industrial operations without interrupting critical processes.

SCADA Components and Security Considerations

SCADA systems consist of multiple interconnected components—HMIs, PLCs, RTUs, data acquisition servers, and communication networks—that collectively monitor and control industrial processes. Each component presents unique security considerations, from physical access control to software vulnerabilities and network exposure. Ensuring the security of SCADA requires a holistic approach that addresses both cyber and physical threats while maintaining operational continuity.

Human-Machine Interface (HMI) security vulnerabilities

HMIs provide operators with a visual interface to monitor and control industrial processes, but they can also be a target for cyberattacks. Vulnerabilities include weak authentication, unpatched software, and susceptibility to malware, which can allow attackers to manipulate displayed data, issue unauthorized commands, or gain a foothold in the broader SCADA network. Securing HMIs involves strong authentication, regular updates, and network isolation to reduce exposure.

Programmable Logic Controllers (PLCs) attack vectors

PLCs are responsible for executing automated control logic and directly interacting with machinery. Attack vectors targeting PLCs include unauthorized access via default credentials, firmware vulnerabilities, and malicious commands injected through network connections. Compromising a PLC can result in process disruption, equipment damage, or unsafe operating conditions. Protecting PLCs requires strict access controls, firmware management, and monitoring for anomalous activity.

Remote Terminal Units (RTUs) security challenges

RTUs collect data from field devices and relay commands between the central system and industrial processes. Because they are often deployed in remote or exposed locations, RTUs face both physical and cyber threats. Challenges include unsecured communication links, outdated firmware, and tampering risk. Mitigation strategies include encrypted communications, physical protection, and secure configuration management.

Data acquisition servers and historian security

Data acquisition servers and historians store and manage process data from SCADA systems, providing analytics and historical records. These servers are attractive targets for attackers seeking operational intelligence or the ability to manipulate data. Security considerations include regular software updates, strong authentication, network segmentation, and continuous monitoring to ensure data integrity and prevent unauthorized access.

Communication protocols security weaknesses

SCADA systems often use specialized protocols like Modbus, DNP3, and OPC, which were designed for reliability and performance rather than security. Many lack built-in encryption or authentication, making them susceptible to interception, spoofing, or replay attacks. Securing communication protocols involves implementing encryption where possible, network segmentation, intrusion detection, and monitoring for unusual traffic patterns to protect data integrity and operational reliability.
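As an added example (not code from the Waterfall article or its products), the Python below sketches the kind of passive check a network monitor can apply to Modbus/TCP, which carries no authentication of its own: parse the MBAP header, separate read from write function codes, and alert on writes from any host other than an allowlisted HMI, on unexpected function codes, and on malformed frames. The hosts, frames and allowlist are constructed for illustration.

```python
"""Added example, not from the Waterfall article: a small Modbus/TCP request
classifier of the kind a passive OT monitor would run on mirrored traffic.
Modbus has no authentication, so at the protocol layer the defence is knowing
which hosts may write and flagging everything else. Hosts, frames and the
allowlist below are constructed for illustration."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Public Modbus function codes that change process state on a PLC or RTU.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Read-only function codes that an HMI or historian normally issues.
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus function code of a Modbus/TCP request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts unit id + function code + payload, so it must equal
    len(frame) - 6; anything else is malformed and worth an alert on its own.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(src_host: str, frame: bytes, allowed_writers: set[str]) -> tuple[str, str]:
    """Return ("ok" | "alert", reason) for one request seen from src_host."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "alert", f"malformed frame from {src_host}: {err}"
    fc = req.function_code
    if fc in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[fc]
        if src_host in allowed_writers:
            return "ok", f"{name} to unit {req.unit_id} from allowed host {src_host}"
        return "alert", f"{name} (fc {fc}) to unit {req.unit_id} from unexpected host {src_host}"
    if fc in READ_FUNCTIONS:
        return "ok", f"{READ_FUNCTIONS[fc]} from {src_host}"
    # Diagnostics, vendor-specific and other codes are rare on a steady-state
    # control network; surface them rather than silently passing them.
    return "alert", f"unexpected function code {fc} from {src_host}"


def analyse(events: list[tuple[str, bytes]], allowed_writers: set[str]) -> list[str]:
    """Run classify() over (src_host, frame) pairs and return the alert reasons."""
    alerts = []
    for host, frame in events:
        verdict, reason = classify(host, frame, allowed_writers)
        if verdict == "alert":
            alerts.append(reason)
    return alerts


# Constructed sample: the HMI at 10.0.0.5 is the only host allowed to write.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_EVENTS = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),   # read 10 holding registers
    ("10.0.0.5", bytes.fromhex("000200000006010600100064")),   # HMI writes register 0x10 := 100
    ("10.0.0.77", bytes.fromhex("000300000006010600100000")),  # same write from an unknown host
    ("10.0.0.77", bytes.fromhex("00040000000b0110001000020400010002")),  # write multiple regs
    ("10.0.0.5", bytes.fromhex("000500010006010300000001")),   # protocol id 1: malformed
    ("10.0.0.5", bytes.fromhex("000600000006010800010000")),   # fc 8 Diagnostics, unexpected
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print("ALERT:", line)
```

Because Modbus has no source authentication, the allowlist here trusts the observed source address, which is exactly why the article pairs protocol monitoring with network segmentation.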

The Threat Landscape for SCADA Environments

Nation-state actors targeting critical infrastructure
Nation-state actors often target SCADA systems as part of strategic cyber operations aimed at critical infrastructure. By exploiting vulnerabilities in industrial control systems, these attackers can disrupt power grids, water treatment facilities, or manufacturing operations, potentially causing widespread economic and societal impact. Protecting SCADA from such threats requires advanced threat intelligence, continuous monitoring, and collaboration with government and industry partners to detect and respond to sophisticated, state-sponsored attacks.

Cybercriminal motivations for attacking SCADA systems
Cybercriminals may target SCADA systems for financial gain, such as demanding ransom through ransomware attacks, stealing sensitive operational data, or manipulating industrial processes for profit. Unlike nation-state attacks, these intrusions are often opportunistic, taking advantage of weak security measures or unpatched systems. Strengthening SCADA security against cybercriminals involves implementing strict access controls, patch management, network segmentation, and continuous monitoring to prevent unauthorized access and operational disruptions.

Hacktivism and SCADA systems as political targets
Hacktivists may target SCADA systems to make a political statement, raise awareness of social causes, or disrupt public services to attract attention. These attacks often aim to demonstrate vulnerability rather than achieve financial gain, but they can still have serious operational and safety consequences. Protecting SCADA from hacktivism requires both robust cybersecurity measures—such as intrusion detection, secure remote access, and anomaly monitoring—and proactive communication and incident response planning to minimize impact.

Notable SCADA Security Incidents

Over the past fifteen years, several high-profile cyberattacks have highlighted the vulnerabilities of SCADA systems and the potentially severe consequences of a breach. From malware targeting industrial equipment to coordinated attacks on national infrastructure, these incidents demonstrate why securing SCADA environments is critical for operational safety, public welfare, and national security.

Stuxnet and its implications for industrial security
Stuxnet, discovered in 2010, was sophisticated malware built to sabotage Iran's uranium enrichment centrifuges. It spread through Windows vulnerabilities and infected USB media to reach Siemens STEP 7 engineering workstations, then injected rogue code into the S7-300 and S7-400 PLCs controlling the centrifuges, altering their speed while feeding operators normal-looking values so the manipulation went unnoticed. Stuxnet demonstrated that a cyberattack could cause physical damage to industrial equipment, and that the engineering workstation, not just the controller, is part of the attack surface. Its legacy emphasizes the need for strong network segmentation, control over removable media and engineering tools, rigorous patch management, and monitoring of operational anomalies to detect and prevent similar attacks.

Ukrainian power grid attacks
In December 2015, attackers who had gained a foothold through spear-phishing took remote control of SCADA workstations at three Ukrainian distribution companies, opened breakers from the operators' own HMIs, and cut power to roughly 225,000 customers for several hours; they also wiped systems and overwrote the firmware of serial-to-Ethernet converters to slow recovery. In December 2016, the Industroyer (CrashOverride) malware went a step further by speaking the grid protocols directly (IEC 60870-5-101/104, IEC 61850 and OPC DA) to de-energize a Kyiv transmission substation for about an hour. Together these incidents show both paths into a control system, stolen operator access and protocol-level automation, and underscore the importance of access controls for remote sessions, real-time monitoring, incident response planning, and collaboration with national security authorities to protect industrial operations from both cybercriminals and nation-state actors.

Water treatment facility breaches
Water treatment facilities have also been targeted by attackers seeking to manipulate chemical dosing or disrupt water supply systems. These breaches demonstrate how SCADA vulnerabilities can have direct public health consequences. Security measures such as robust authentication, network segmentation, physical security, and continuous monitoring are essential to safeguard water treatment operations and prevent potentially life-threatening outcomes from cyber intrusions.

SCADA Security Architecture and Controls

Defense-in-Depth Strategies for SCADA
Securing SCADA systems requires a defense-in-depth approach, which layers multiple security measures to protect industrial control systems from both cyber and physical threats. By combining preventive, detective, and responsive controls across all components, organizations can reduce the risk of compromise and minimize the impact of any potential breach.

Multi-Layered Security Approach for Industrial Control Systems
A multi-layered security strategy ensures that if one control fails, others continue to protect critical operations. This approach includes endpoint security for devices, network protections, access controls, monitoring systems, and incident response procedures. Layering defenses helps address diverse threats, from malware and insider attacks to physical tampering, while maintaining operational continuity.

Network Segmentation and Security Zones Implementation
Segmenting SCADA networks into distinct zones—such as separating field devices from corporate IT networks—reduces the attack surface and limits the spread of malware or unauthorized access. Security zones allow organizations to apply tailored policies and monitoring based on the criticality and risk profile of each segment, enhancing both operational safety and cybersecurity resilience.

Air Gap Considerations and Limitations in Modern Environments
Air-gapping—physically isolating SCADA networks from external connections—can provide strong protection against remote attacks. However, in modern industrial environments, remote monitoring, cloud analytics, and third-party integrations often make strict air-gaps impractical. Organizations must balance isolation with operational needs, supplementing partial air-gaps with strong authentication, encrypted communications, and rigorous monitoring.

Demilitarized Zones (DMZ) for SCADA Networks
DMZs act as buffer zones between SCADA networks and external systems, such as corporate IT networks or the internet. By placing intermediary servers and firewalls in the DMZ, organizations can control and inspect data flow, preventing direct access to critical industrial systems while still allowing necessary information exchange. DMZs are a key component of layered defense, reducing exposure to external threats.

Security Monitoring Across Defense Layers
Continuous monitoring is essential for detecting anomalies, intrusions, or unauthorized activity across all layers of SCADA defense. This includes monitoring network traffic, device behavior, access logs, and operational metrics. Effective monitoring enables rapid detection and response, ensuring that threats are mitigated before they can disrupt critical processes or cause physical damage.

Access Control and Authentication

Role-Based Access Control for SCADA Operations
Role-based access control (RBAC) assigns permissions based on job functions, ensuring that operators, engineers, and administrators only access the SCADA functions necessary for their roles. Implementing RBAC reduces the likelihood of human error, limits exposure of sensitive controls, and simplifies auditing and compliance. Regular review of role assignments is essential to maintain security as personnel and responsibilities change.

Multi-Factor Authentication Implementation Challenges
Multi-factor authentication (MFA) strengthens SCADA security by requiring additional verification beyond passwords, such as tokens or biometrics. However, implementing MFA in industrial environments can be challenging due to legacy systems, operational uptime requirements, and remote access needs. Balancing usability with security is critical to ensure that MFA does not disrupt time-sensitive control processes.

Privileged Access Management for Critical SCADA Functions
Privileged accounts control key SCADA operations and present significant risk if mismanaged. Effective privileged access management involves monitoring account activity, limiting the number of privileged users, enforcing strong password policies, and conducting regular audits. These practices prevent unauthorized changes to control logic and reduce the risk of insider threats or credential compromise.

Authentication Mechanisms for Field Devices
Field devices like PLCs, RTUs, and sensors require secure authentication to prevent unauthorized command injection or manipulation. Strong authentication mechanisms—including unique credentials, device certificates, and secure firmware—ensure that only trusted devices can communicate with the SCADA network, protecting the integrity of industrial processes.

Managing Vendor and Contractor Access to SCADA Systems
Vendors and contractors often need temporary access for maintenance, updates, or troubleshooting. Proper access management includes time-limited accounts, supervised sessions, detailed logging, and adherence to organizational security policies. Controlling third-party access is essential to prevent external breaches and maintain overall SCADA security.

Encryption and Data Protection

Protecting data in SCADA systems is essential for maintaining operational integrity and preventing unauthorized access or manipulation. Encryption and other data protection measures help ensure that sensitive information—whether in transit, at rest, or within device configurations—remains confidential and trustworthy.

Protocol Encryption Considerations for SCADA Communications
SCADA systems often rely on protocols like Modbus, DNP3, or classic OPC, which were not designed with security in mind. Protecting communications between devices, servers, and HMIs from interception, tampering, and replay is critical, and for control traffic authentication and integrity matter more than confidentiality: an attacker who can inject or replay a valid "open breaker" command does not need to read anything. Where the protocol offers it (DNP3 Secure Authentication, OPC UA signing and encryption), enable it; where it does not, wrap the link in TLS or IPsec between gateways. Whatever is chosen must be measured against real-time constraints, since added latency or a failed handshake can affect the process.

Key Management Challenges in Distributed Environments
Managing cryptographic keys across distributed SCADA networks is complex. Field devices may have limited processing capabilities, and remote locations can make key distribution or rotation difficult. Secure key management practices—including automated key provisioning, rotation policies, and secure storage—are vital to maintaining the effectiveness of encryption across the network.

Data Integrity Verification Mechanisms
Ensuring that SCADA data remains accurate and unaltered is critical for operational safety. Mechanisms like checksums, digital signatures, and hash functions can detect tampering or corruption in sensor readings, command instructions, and historical records. Implementing integrity verification helps prevent attackers from manipulating operational data to cause unsafe conditions.
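The two points made above, that a replayed command is as dangerous as a tampered one and that integrity protection must cover commands as well as readings, can be shown in a few lines. The following is an added example, not code from the original article or from any SCADA product: it wraps a constructed Modbus-style register write in an HMAC-SHA256 tag keyed per device, binds in a monotonic sequence number, and shows the receiver rejecting both a replayed and an altered envelope. The key, device id and command bytes are all constructed for the illustration.

```python
"""Integrity-protected command envelope with replay protection.

Added example, not code from the original article or any SCADA product.
A raw control command (here a constructed Modbus-style register write) is
wrapped in a header carrying a device id and a monotonic sequence number,
then tagged with HMAC-SHA256 under a per-device key. The receiver verifies
the tag before doing anything else and rejects sequence numbers it has
already accepted. The key and device id are constructed for illustration.
"""
import hashlib
import hmac
import struct

# Per-device shared key. Assumption: provisioned at commissioning and held in
# the device's protected storage; never derived from the device id or serial.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c603deb1015ca71be2b73aef0857d7781")
TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits: ample for a link-level integrity tag
HEADER = struct.Struct(">HI")  # device id (2 bytes) | sequence number (4 bytes)


def seal(key: bytes, device_id: int, seq: int, command: bytes) -> bytes:
    """Return header | command | tag. The tag covers header and command, so
    neither can be altered, and the sequence number is bound in so a captured
    envelope cannot be re-sent later."""
    header = HEADER.pack(device_id, seq)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class Receiver:
    """Receiver-side state: the device key and the highest sequence accepted.
    In a real device last_seq must survive a reboot (or be re-synchronised with
    a fresh nonce), otherwise a restart reopens the replay window."""

    def __init__(self, key: bytes, device_id: int):
        self.key = key
        self.device_id = device_id
        self.last_seq = -1

    def open(self, envelope: bytes) -> bytes:
        if len(envelope) < HEADER.size + TAG_LEN:
            raise ValueError("envelope too short")
        header = envelope[:HEADER.size]
        body = envelope[HEADER.size:-TAG_LEN]
        tag = envelope[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Verify in constant time before trusting any field, including seq.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        device_id, seq = HEADER.unpack(header)
        if device_id != self.device_id:
            raise ValueError("envelope addressed to another device")
        if seq <= self.last_seq:
            raise ValueError(f"replay detected: seq {seq} <= last accepted {self.last_seq}")
        self.last_seq = seq
        return body


def demo() -> dict:
    """Walk through the accept, replay, tamper and next-command cases."""
    command = struct.pack(">BHH", 6, 100, 1200)  # constructed: FC 6, register 100, value 1200
    rx = Receiver(DEVICE_KEY, device_id=1)
    env = seal(DEVICE_KEY, 1, 1, command)
    results = {"valid_accepted": rx.open(env) == command}

    try:  # the same bytes again: valid tag, stale sequence number
        rx.open(env)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True

    # Tamper: raise the setpoint to 11200 without knowing the key.
    tampered = env[:HEADER.size] + struct.pack(">BHH", 6, 100, 11200) + env[-TAG_LEN:]
    try:
        rx.open(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    results["next_accepted"] = rx.open(seal(DEVICE_KEY, 1, 2, command)) == command
    return results


if __name__ == "__main__":
    print(demo())
```

This is, in simplified form, what DNP3 Secure Authentication does inside the protocol. HMAC gives authenticity and integrity but not confidentiality; if the setpoints themselves are sensitive, an authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305 provides both under one key at similar cost. The sequence counter is the part most often got wrong in practice: it must be persisted across restarts and the key must be rotated before the counter can wrap.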

Secure Storage of SCADA Configuration and Historical Data
SCADA systems rely on configuration files, control logic, and historical process data to operate effectively. Protecting this data through encryption, access controls, and regular backups ensures that it cannot be tampered with or lost. Secure storage also supports disaster recovery and forensic investigations in the event of a security incident.

Cryptographic Controls Appropriate for Resource-Constrained Devices
Many SCADA field devices have limited computational resources, which can make standard cryptographic algorithms impractical. Lightweight cryptographic controls, optimized for low-power and low-memory environments, allow these devices to maintain data confidentiality and integrity without degrading performance or responsiveness. In practice this means favoring symmetric primitives, such as AES-GCM or ChaCha20-Poly1305 for authenticated encryption and HMAC-SHA256 for integrity, which cost microseconds per message even on small microcontrollers, over per-message public-key operations, and reserving asymmetric cryptography for infrequent tasks like session establishment and firmware signature verification. Choosing the right cryptography for resource-constrained devices is a key consideration in SCADA security.

Security Monitoring and Incident Response

Continuous monitoring and proactive incident response are essential for protecting SCADA systems from cyber threats. By observing system behavior in real time, organizations can quickly detect anomalies, identify potential attacks, and respond before operational disruptions occur. A structured approach to monitoring and incident response helps ensure the reliability, safety, and integrity of industrial control operations.

Security Information and Event Management (SIEM) for SCADA
SIEM solutions collect and analyze logs and events from SCADA devices, networks, and applications to provide centralized visibility into potential security incidents. By correlating data across multiple sources, SIEM systems can detect unusual patterns, alert operators to suspicious activity, and support forensic investigations. Integrating SIEM with SCADA networks enhances threat detection and accelerates incident response.

Operational Technology-Specific Monitoring Requirements
Monitoring SCADA systems requires OT-specific strategies that account for real-time processes, legacy devices, and specialized protocols. Unlike traditional IT environments, SCADA monitoring must minimize disruption to operations while detecting both cyber and physical anomalies. This includes tracking device behavior, network traffic, command sequences, and environmental data to identify potential threats.

Baseline Establishment for Normal SCADA Operations
Establishing a baseline of normal SCADA activity is critical for identifying deviations that may indicate cyberattacks or operational issues. This baseline includes typical network traffic patterns, device communication behavior, command sequences, and process metrics. Continuous comparison against the baseline allows security teams to quickly detect and investigate anomalies, improving both threat detection and operational reliability.
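As an added illustration, not part of the original article or of any monitoring product, the following code learns a baseline from constructed per-minute flow summaries of the kind a passive sensor on a SPAN port produces, then checks a later minute against it. It reports three kinds of deviation that the paragraph above describes in prose: a communication pair or function never seen during learning, a known flow whose volume jumps well above its learned range, and a flow that was present in every learned minute and has gone silent. Host names, protocol labels and volumes are constructed for the example.

```python
"""Learn a baseline of normal OT communications and flag deviations from it.

Added example, not code from the original article or any monitoring product.
Each record is (minute, src, dst, protocol, function): the kind of flow
summary a passive sensor on a SPAN port produces. The host names, protocol
labels and traffic volumes below are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


class Baseline:
    """Per-flow allowlist plus per-minute volume history learned from clean traffic."""

    def __init__(self):
        self.allowed = set()                   # (src, dst, proto, function) seen while learning
        self.per_minute = defaultdict(list)    # flow key -> message count for each learned minute

    def learn(self, records, minutes):
        by_minute = Counter((s, d, p, f, m) for (m, s, d, p, f) in records)
        for key in {(s, d, p, f) for (_, s, d, p, f) in records}:
            self.allowed.add(key)
            # Include zero counts for minutes with no traffic so periodic flows are modelled honestly.
            self.per_minute[key] = [by_minute[key + (m,)] for m in range(minutes)]

    def detect(self, window):
        """Check one minute of traffic. Returns (kind, flow, count) tuples."""
        alerts = []
        observed = Counter((s, d, p, f) for (_, s, d, p, f) in window)
        for key, n in sorted(observed.items()):
            if key not in self.allowed:
                alerts.append(("new_flow", key, n))     # a pair/function never seen in learning
                continue
            history = self.per_minute[key]
            # Mean plus three standard deviations, but never tighter than +50 %:
            # polling traffic has near-zero variance and would otherwise alert on any jitter.
            threshold = mean(history) + max(3 * pstdev(history), 0.5 * mean(history))
            if n > threshold:
                alerts.append(("volume", key, n))
        for key in self.allowed - set(observed):
            if min(self.per_minute[key]) > 0:          # present every learned minute, now gone
                alerts.append(("silent", key, 0))
        return alerts


def make_learning_records(minutes=10):
    """Constructed 'normal' traffic: steady polling at a fixed cadence."""
    records = []
    for m in range(minutes):
        records += [(m, "hmi-01", "plc-01", "modbus", "read_holding_registers")] * 12
        records += [(m, "hmi-01", "plc-02", "modbus", "read_holding_registers")] * 12
        records += [(m, "hist-01", "hmi-01", "opc-ua", "read")] * 2
    return records


def make_detection_window():
    """Constructed minute 10: normal polling plus two things the baseline never saw."""
    m = 10
    window = [(m, "hmi-01", "plc-01", "modbus", "read_holding_registers")] * 45   # ~4x normal
    window += [(m, "hmi-01", "plc-02", "modbus", "read_holding_registers")] * 12
    window += [(m, "hist-01", "hmi-01", "opc-ua", "read")] * 2
    window += [(m, "10.10.7.77", "plc-01", "modbus", "write_single_register")] * 3  # unknown writer
    return window


if __name__ == "__main__":
    baseline = Baseline()
    baseline.learn(make_learning_records(), minutes=10)
    for alert in baseline.detect(make_detection_window()):
        print(alert)
```

Run as shown, the detection window produces one new_flow alert for the unknown host writing to plc-01 and one volume alert for the quadrupled polling of plc-01, while the unchanged flows stay quiet. The learning period has to be long enough to cover maintenance and shift patterns, and the baseline must be re-learned after every approved change, otherwise the change-management process itself becomes the biggest source of false positives.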

Security Governance for Industrial Control Systems

Effective governance ensures that SCADA security is not an afterthought but an integral part of industrial operations. By defining clear policies, roles, and processes, organizations can systematically manage risk, maintain compliance, and embed security throughout the SCADA lifecycle.

Security Policies Specific to SCADA Environments
SCADA-specific security policies provide guidelines for protecting industrial control systems, covering areas such as access control, network segmentation, patch management, and incident response. These policies establish consistent expectations for staff, vendors, and contractors, ensuring that operational and cybersecurity requirements are aligned.

Roles and Responsibilities in SCADA Security Management
Clearly defined roles and responsibilities are critical to prevent gaps in SCADA security. Operators, engineers, IT/OT security teams, and management must understand their specific duties—ranging from system monitoring to vulnerability remediation—to maintain the integrity and safety of industrial processes. Accountability and communication across teams strengthen overall security posture.

Change Management Procedures for Control Systems
SCADA systems require controlled and documented changes to hardware, software, and configurations to prevent unintended disruptions or security vulnerabilities. Formal change management procedures ensure that updates, patches, or system modifications are reviewed, tested, and approved before implementation, reducing operational risks and maintaining compliance.

Security Metrics and Key Performance Indicators
Tracking security metrics and KPIs allows organizations to measure the effectiveness of SCADA security programs. Metrics may include incident response times, patch deployment rates, access violations, and anomaly detection frequency. Regularly reviewing these indicators helps identify weaknesses, prioritize improvements, and demonstrate regulatory compliance.

Integration of Security into SCADA Lifecycle Management
Security should be integrated at every stage of the SCADA lifecycle, from design and procurement to operation and decommissioning. Incorporating security considerations early—such as secure device selection, network architecture planning, and ongoing monitoring—ensures that protection is embedded rather than retrofitted, enhancing resilience against cyber and operational threats.

Compliance and Standards

Adhering to industry standards and regulatory requirements is critical for ensuring SCADA security, operational reliability, and legal compliance. These frameworks provide guidance for risk management, access control, monitoring, and incident response, helping organizations protect industrial control systems against evolving threats.

ISA/IEC 62443 (Developed by the ISA99 Committee) for Industrial Automation
IEC 62443 is a widely recognized international standard series for the cybersecurity of industrial automation and control systems, developed by the ISA99 committee and adopted by the IEC. It covers the entire lifecycle, with parts addressing the asset owner's security program (62443-2-1), system requirements and security levels (62443-3-3), secure product development (62443-4-1) and component requirements (62443-4-2). Its central architectural idea is to partition the system into zones of similar criticality joined by controlled conduits, and to assign each zone a target security level (SL 1 to 4) that determines how strong the required controls must be. The series also covers risk assessment, access control, and supplier security, offering a comprehensive framework for securing industrial environments.

NERC CIP Requirements for Energy Sector SCADA
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards establish mandatory cybersecurity requirements for the energy sector. These standards focus on protecting bulk electric systems, including SCADA networks, by enforcing strict controls over access, monitoring, incident response, and system recovery. Compliance with NERC CIP is essential for energy providers to ensure reliable and secure power delivery.

NIST Special Publication 800-82 Implementation
NIST SP 800-82, the Guide to Operational Technology (OT) Security (Revision 3, published in 2023, broadened its scope from industrial control systems to OT generally), is the primary U.S. government reference for securing SCADA and other OT. It catalogs OT-specific threats and vulnerabilities, recommends a defense-in-depth architecture of segmentation, DMZs and tightly controlled remote access, and provides a tailored overlay of the NIST SP 800-53 security controls, with mapping to the NIST Cybersecurity Framework. Organizations can use it to develop security policies, select controls appropriate to OT constraints, and strengthen resilience against cyber threats.

Industry-Specific Regulatory Requirements
Beyond international and national standards, many industries have sector-specific requirements that impact SCADA security. For example, U.S. community water systems must complete risk and resilience assessments and emergency response plans under the America's Water Infrastructure Act, administered by the EPA, and those assessments must address cybersecurity; healthcare facilities must meet HIPAA requirements for any system that touches patient data. Manufacturers, who usually face no sector regulator, frequently adopt the voluntary ISO/IEC 27001 standard as their information security management framework, though certification to it is not the same as meeting a regulatory mandate. Understanding and implementing these requirements ensures both compliance and the protection of critical infrastructure.

Security Awareness and Training

Human factors play a critical role in SCADA security. Even the most advanced technical controls can be undermined by untrained personnel or poor security practices. Building awareness and providing targeted training ensures that all staff understand the risks and act in ways that protect industrial control systems.

Operator Training for Security-Conscious Operations
Operators are on the front lines of SCADA system management, monitoring processes and responding to alerts. Security-focused training helps them recognize suspicious activity, understand secure operational procedures, and respond effectively to potential incidents without compromising operational continuity. Well-trained operators are a key line of defense against both accidental and malicious threats.

Engineering Staff Security Awareness Programs
Engineering teams design, maintain, and update SCADA systems, making them critical to overall security. Awareness programs for engineers emphasize secure coding, configuration best practices, vulnerability management, and compliance with relevant standards. By embedding security knowledge into engineering practices, organizations reduce the risk of exploitable system weaknesses.

Security Culture Development in Operational Technology Environments
A strong security culture in OT environments promotes shared responsibility, proactive risk management, and consistent adherence to policies. Encouraging collaboration between IT, OT, and operational staff fosters an environment where security considerations are integrated into daily decision-making, helping prevent breaches and maintain resilient SCADA operations.

Some Final Thoughts

Securing SCADA systems is no longer optional—it’s a critical requirement for protecting industrial operations, critical infrastructure, and public safety. From access control and encryption to monitoring, governance, and regulatory compliance, a layered and proactive approach is essential to defend against evolving cyber threats. By implementing best practices and leveraging advanced solutions, organizations can safeguard their SCADA environments while maintaining operational continuity.

To see how Waterfall Security’s specialized SCADA protection solutions can help defend your industrial control systems, contact us today.

About the author

Waterfall team

FAQs About SCADA Security

SCADA security refers to the measures and practices used to protect Supervisory Control and Data Acquisition (SCADA) systems, which control and monitor industrial processes in critical infrastructure like power plants, water treatment facilities, manufacturing plants, and transportation networks.

The goal of SCADA security is to ensure the confidentiality, integrity, and availability of these systems while maintaining safe, continuous operations. Unlike traditional IT security, SCADA security must balance cybersecurity with operational requirements, since disruptions can directly affect physical processes and safety.

Key aspects of SCADA security include:

  • Access control and authentication for operators, engineers, and field devices

  • Encryption and data protection for communications and stored data

  • Network segmentation and monitoring to detect and respond to threats

  • Compliance with standards and regulations like IEC 62443 and NIST SP 800-82

  • Security awareness and training for personnel interacting with SCADA systems

In short, SCADA security safeguards the systems that keep critical industrial operations running reliably and safely.

SCADA systems are essential to the operation and safety of multiple critical infrastructure sectors, including:

  • Energy: Power generation, electrical grids, and oil & gas refineries rely on SCADA to monitor and control equipment, maintain grid stability, and manage production processes.

  • Water and Wastewater Utilities: Treatment plants use SCADA to regulate chemical dosing, flow rates, and overall system performance, ensuring safe water supply.

  • Manufacturing and Industrial Production: Automated production lines, robotics, and process controls depend on SCADA for efficiency and quality management.

  • Transportation and Logistics: Rail networks, ports, traffic systems, and pipelines use SCADA to coordinate operations safely and reliably.

  • Healthcare and Life-Critical Systems: SCADA supports facilities that require precise monitoring of medical gases, HVAC systems, and other critical operational infrastructure.

These sectors rely on SCADA because any disruption can have wide-reaching operational, safety, or economic consequences, making SCADA security a top priority.

The post SCADA Security Fundamentals appeared first on Waterfall Security Solutions.

]]>
What is OT Network Monitoring? https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/what-is-ot-network-monitoring/ Thu, 14 Aug 2025 11:42:29 +0000 https://waterfall-security.com/?p=35144 How OT network monitoring enhances industrial system security and reliability through real-time visibility, alert management, and tailored solutions for operational technology challenges.

The post What is OT Network Monitoring? appeared first on Waterfall Security Solutions.

]]>

What is OT Network Monitoring?

OT network monitoring is essential for keeping industrial systems safe, reliable, and compliant. It requires specialized tools and strategies tailored to unique protocols, legacy equipment, and strict uptime demands. Effective monitoring improves visibility, detects threats early, supports compliance, and enables operational optimization—all while balancing security with continuous process control.

Waterfall team

Understanding OT Network Monitoring

In today’s hyper-connected industrial world, the heartbeat of factories, power plants, transportation hubs, and water treatment facilities is no longer just mechanical—it’s digital. These environments depend on Operational Technology (OT) networks to keep processes running safely, reliably, and efficiently. But as cyber threats grow more sophisticated and downtime becomes more costly, simply “trusting” your systems to operate as intended is no longer an option. Continuous OT network monitoring has emerged as a critical safeguard—helping organizations detect anomalies before they escalate into safety incidents, production stoppages, or costly equipment failures.

Definition and Importance

What Are OT Networks?

Operational Technology networks are the communication backbones of industrial control systems (ICS). They connect sensors, controllers, actuators, and other devices that directly monitor and control physical processes. Whether it’s a PLC adjusting a chemical feed rate in a treatment plant or a SCADA system regulating voltage on a power grid, OT networks bridge the cyber and physical worlds—where even small disruptions can have large-scale consequences.

What is OT network monitoring?
OT network monitoring is the continuous observation, analysis, and reporting of traffic, device behavior, and system performance across industrial networks. Unlike a one-time audit or periodic check, monitoring is an ongoing process—providing operators and security teams with real-time visibility into what’s happening across their industrial assets. The goal is to spot deviations, intrusions, misconfigurations, or malfunctions early enough to prevent safety hazards, unplanned downtime, or regulatory violations.

Why monitoring is essential
In industrial environments, the stakes are higher than in most corporate IT networks. An undetected fault or cyber intrusion in an OT system can lead to physical damage, environmental harm, or even loss of life. Continuous monitoring helps maintain operational continuity by:

  • Detecting anomalies before they cause process disruption

  • Enabling rapid incident response to minimize downtime

  • Supporting compliance with safety and cybersecurity regulations

  • Preserving the reliability and lifespan of critical assets

How OT monitoring differs from IT monitoring
While both IT and OT network monitoring aim to ensure secure, reliable operations, their priorities and constraints are markedly different. IT monitoring focuses heavily on data confidentiality, network uptime, and user access control. In contrast, OT monitoring emphasizes safety, system availability, and process integrity—often in environments where downtime is unacceptable and changes must be carefully tested before deployment. Additionally, OT networks often run on legacy protocols, proprietary systems, and equipment designed decades ago—requiring specialized tools and approaches that standard IT monitoring solutions can’t handle without risking operational disruption.

The Evolution of OT Network Monitoring

Historical context of industrial control systems monitoring

In the not-so-distant past, most industrial control systems (ICS) operated in tightly controlled, air-gapped environments. These systems weren’t connected to corporate networks—let alone the internet—and monitoring was often limited to local diagnostics or manual inspection by on-site engineers. Security risks were mostly physical: unauthorized access to a control room or tampering with equipment. The idea of a remote cyberattack was, for most operators, a theoretical threat rather than an operational concern.

Shift from air-gapped systems to connected OT environments

That changed as industrial facilities embraced digital transformation. To improve efficiency, reduce costs, and enable remote management, organizations began linking OT environments to corporate IT networks, suppliers, and even cloud services. This shift brought undeniable benefits—real-time data sharing, predictive maintenance, and centralized control—but also opened a new and much wider attack surface. Threat actors no longer needed physical access; they could exploit vulnerabilities from halfway around the world.

Impact of Industry 4.0 and IIoT on monitoring requirements

The arrival of Industry 4.0 and the Industrial Internet of Things (IIoT) has taken OT connectivity to an entirely new level. Advanced analytics platforms, AI-driven optimization, and a proliferation of smart devices have transformed OT environments into highly dynamic, data-rich ecosystems. Monitoring requirements have grown exponentially—not only must organizations track traditional ICS traffic, but they must also manage vast flows of sensor data, device-to-device communications, and edge-to-cloud interactions. The sheer volume and diversity of connections demand more sophisticated monitoring tools capable of deep protocol inspection, anomaly detection, and contextual alerting.

Growing convergence between IT and OT networks and its monitoring implications

As IT and OT networks become increasingly intertwined, the line between them blurs. This convergence has significant implications for monitoring strategies. IT monitoring tools excel at tracking data integrity and cyber hygiene, while OT monitoring prioritizes process continuity and safety. Today’s industrial operators must integrate these perspectives—merging security event monitoring, performance tracking, and incident response into a single, coordinated approach. Done right, convergence can improve visibility across the enterprise. Done poorly, it can create blind spots that leave critical systems vulnerable.

Key Components of OT Network Monitoring

At the physical layer, OT network monitoring begins with the hardware devices embedded in the industrial environment. Sensors capture process data such as temperature, pressure, flow rates, and vibration levels—feeding this information into controllers like PLCs (Programmable Logic Controllers) or RTUs (Remote Terminal Units). These controllers manage real-time process logic, while gateways act as secure bridges between isolated OT systems and external networks, translating data across different protocols. In a monitoring context, these devices often host or support passive taps and probes, enabling the collection of network traffic and system performance data without disrupting live operations.

Software elements (monitoring platforms, analytics engines)

On top of the hardware layer, software platforms provide the brains of OT monitoring. These solutions gather raw data from field devices, parse industrial protocols, and present the information through dashboards, alarms, and reports. Advanced analytics engines can detect anomalies by comparing live data against baselines, identifying subtle patterns that may indicate equipment malfunctions or cyber intrusions. Increasingly, these platforms leverage AI and machine learning to provide predictive insights—alerting operators to problems before they manifest on the plant floor.

Communication protocols specific to industrial environments

OT networks operate on a very different set of communication standards than traditional IT systems. Protocols such as Modbus, DNP3, Profinet, and EtherNet/IP are purpose-built for deterministic, real-time control rather than security, and most lack built-in authentication or encryption, making them susceptible to eavesdropping and manipulation if left unprotected. OPC UA is the notable exception: it was designed with certificate-based authentication, message signing and encryption, but those features only help when they are actually enabled on both ends of the connection.

Effective OT monitoring tools must not only “speak” these protocols fluently, but also inspect them deeply for irregularities without interrupting time-sensitive communications.

Integration points with existing industrial control systems

No monitoring solution exists in isolation—it must integrate seamlessly with existing ICS infrastructure, including SCADA systems, distributed control systems (DCS), and safety instrumented systems (SIS). Integration ensures that monitoring tools can correlate network activity with operational events, allowing operators to understand whether a network anomaly is a harmless configuration change or a potential threat to process integrity. This tight coupling between monitoring and control systems enables faster, more accurate decision-making and helps maintain the delicate balance between security, performance, and safety in OT environments.

Objectives of OT Network Monitoring

Ensuring operational reliability and uptime

In industrial environments, downtime isn’t just inconvenient—it’s expensive, potentially dangerous, and damaging to reputation. OT network monitoring helps maintain system availability by continuously tracking device health, network performance, and control logic execution. By identifying early signs of equipment stress, communication bottlenecks, or misconfigurations, monitoring tools enable operators to intervene before small issues escalate into full-blown outages.

Detecting anomalies and potential security threats

Modern OT networks face a dual threat landscape: accidental faults caused by human error or equipment failure, and deliberate attacks from cyber adversaries. Effective monitoring acts as a 24/7 security guard—detecting abnormal traffic patterns, unauthorized device connections, or deviations from established operational baselines. Whether the anomaly is a misfiring sensor or an intrusion attempt exploiting a legacy protocol, rapid detection is critical for containing the impact and preserving safety.

Supporting compliance with industry regulations

From NERC CIP in the power sector to ISA/IEC 62443 in general industrial control environments, compliance requirements are becoming more stringent. OT network monitoring provides the data logs, audit trails, and real-time oversight needed to meet these standards. Beyond avoiding fines, compliance-driven monitoring ensures that security practices are not just theoretical policies but actively enforced operational controls.

Providing visibility into industrial processes and network performance

You can’t manage what you can’t see. OT network monitoring delivers deep visibility into both process-level and network-level activity—allowing operators to correlate production events with network behaviors. This transparency helps pinpoint the root cause of issues, improve troubleshooting efficiency, and ensure that process outcomes match expected performance parameters.

Enabling predictive maintenance and operational optimization

The same monitoring data that flags problems can also be used to predict and prevent them. By analyzing long-term trends in device behavior and network traffic, operators can identify components that are degrading, schedule maintenance before failure, and optimize process efficiency. Predictive insights not only extend equipment lifespan but also reduce costs associated with emergency repairs and unplanned downtime.

OT Network Monitoring Implementation and Technologies

Implementing OT network monitoring is not simply a matter of installing new tools—it’s a strategic process that must align with an organization’s operational priorities, security policies, and existing industrial infrastructure. From selecting the right hardware probes and protocol analyzers to integrating advanced software platforms and analytics engines, every step must be tailored to the unique requirements of the OT environment. The technologies that power monitoring—ranging from passive network taps to AI-driven anomaly detection—must work seamlessly together to provide comprehensive visibility without disrupting critical processes. In this section, we’ll explore the practical steps, architectures, and enabling technologies that make effective OT monitoring possible.

Monitoring Technologies and Tools

Specialized OT network monitoring platforms

Unlike traditional IT monitoring tools, OT-specific platforms are designed to understand industrial protocols, device types, and operational priorities. They offer deep packet inspection tailored to ICS communications, real-time process visualization, and alerting that reflects the unique safety and uptime requirements of industrial environments.

Industrial protocol analyzers

These tools decode and interpret proprietary or specialized communication protocols such as Modbus, DNP3, Profinet, and OPC UA. By understanding the context and function of each packet, protocol analyzers can identify anomalies like unexpected commands, malformed messages, or unauthorized configuration changes—issues that generic network analyzers might overlook.

SPAN port configuration for traffic mirroring

Switched Port Analyzer (SPAN), or port mirroring, is a common method for capturing OT network traffic without interfering with live operations. By duplicating data from a selected port or VLAN to a monitoring device, operators can passively observe communications, detect anomalies, and maintain security without introducing latency or downtime.

Intrusion detection systems (IDS) for OT environments

An IDS in an OT context is tuned to recognize threats against both network infrastructure and industrial processes. It detects malicious traffic, suspicious control commands, and protocol misuse, often with preloaded threat intelligence specific to ICS vulnerabilities. Passive IDS deployment ensures security visibility without impacting system availability.

Security information and event management (SIEM) integration

Integrating OT monitoring data into a SIEM platform provides centralized visibility across both IT and OT environments. This convergence enables unified incident detection, correlation, and response—bridging the gap between enterprise security operations and plant-floor monitoring teams.

Asset visibility and inventory management tools

Accurate, real-time knowledge of every device on the network is essential for effective monitoring. Asset visibility tools automatically discover connected OT devices, record their firmware versions and configurations, and track changes over time—supporting vulnerability management and compliance efforts.

Network Segmentation in OT Monitoring

Importance of OT network segmentation for security and monitoring

In industrial environments, segmentation is one of the most effective ways to reduce risk and improve monitoring accuracy. By dividing the OT network into smaller, controlled segments, operators can contain potential threats, limit the impact of misconfigurations, and make it easier to identify abnormal traffic patterns. Segmentation not only improves security but also enhances monitoring efficiency—allowing tools to focus on specific areas of the network where baselines and behaviors are easier to define.

Zone-based monitoring approaches

Zone-based monitoring organizes OT systems into functional or security zones—such as safety systems, control systems, and corporate access points—each with its own tailored monitoring policies. This approach ensures that high-criticality zones (like safety instrumented systems) receive stricter oversight, while less critical zones can operate with more flexible monitoring rules. By assigning dedicated monitoring resources to each zone, operators gain more granular visibility and can respond faster to localized anomalies.

Purdue Model implementation for monitoring strategy

The Purdue Enterprise Reference Architecture (PERA) provides a layered framework for segmenting industrial networks, from the enterprise layer (Level 4) down to the physical process layer (Level 0). Applying the Purdue Model to monitoring strategies ensures that each layer—whether it’s ERP systems, SCADA networks, or field devices—has dedicated monitoring points and security controls. This structured approach helps correlate events across layers and prevents threats from moving laterally between operational and business systems.

Segmentation techniques specific to industrial environments

Industrial segmentation often requires more than traditional VLANs or firewalls. Techniques such as data diodes, unidirectional gateways, and protocol-specific filtering are used to control traffic flow while maintaining real-time process communications. These methods are designed with the deterministic nature of OT traffic in mind, ensuring that security measures do not introduce latency or disrupt time-sensitive operations.

Monitoring traffic between segments and zones

Segmentation alone is not enough—visibility into the traffic that moves between segments is critical. Monitoring inter-zone communications helps detect unauthorized connections, unusual data flows, or attempted breaches of segmentation controls. This is especially important in IT–OT convergence points, where attackers may try to use corporate networks as a gateway into industrial systems. Placing monitoring tools at these chokepoints ensures both security and operational continuity.
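As an added illustration of the Purdue-level segmentation and inter-zone monitoring described above (example code written for this article, not Waterfall's product logic): it maps constructed subnets to Purdue levels, encodes which level-to-level paths and destination ports are permitted, and flags flows that cross zones outside that policy, such as an enterprise host reaching a Level 1 controller directly. The subnets, port numbers and policy table are assumptions made for the demo.

```python
"""Checking observed flows against a Purdue-style zone policy (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map for the demo: subnet -> Purdue level.
ZONES = {
    ipaddress.ip_network("10.4.0.0/16"): 4,  # enterprise (ERP, business systems)
    ipaddress.ip_network("10.3.0.0/16"): 3,  # site operations (historian, engineering)
    ipaddress.ip_network("10.2.0.0/16"): 2,  # supervisory control (SCADA servers, HMIs)
    ipaddress.ip_network("10.1.0.0/16"): 1,  # basic control (PLCs, RTUs)
}

# Permitted (initiator level, responder level) paths and the destination ports each
# may use. Only adjacent levels talk, always initiated downward; nothing else is allowed.
POLICY = {
    (4, 3): {443},                 # enterprise pulls historian reports over HTTPS
    (3, 2): {4840},                # site operations queries SCADA over OPC UA
    (2, 1): {502, 20000, 44818},   # SCADA/HMI to controllers: Modbus/TCP, DNP3, EtherNet/IP
}


@dataclass(frozen=True)
class Flow:
    """One initiator-to-responder conversation as a flow collector would report it."""
    src: str
    dst: str
    dst_port: int


def level_of(ip: str):
    """Purdue level of a host, or None if it sits in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None


def evaluate(flow: Flow) -> tuple:
    """Return (severity, reason); severity is "ok" for traffic the policy permits."""
    src_lvl, dst_lvl = level_of(flow.src), level_of(flow.dst)
    if src_lvl is None or dst_lvl is None:
        return ("high", f"{flow.src}->{flow.dst}: endpoint outside every defined zone")
    if src_lvl == dst_lvl:
        return ("ok", f"intra-zone traffic within level {src_lvl}")
    allowed = POLICY.get((src_lvl, dst_lvl))
    if allowed is None:
        # Skipping a level (e.g. 4 -> 1) or a controller initiating upward is rated
        # higher than an adjacent downward path that merely is not listed.
        severity = "high" if abs(src_lvl - dst_lvl) > 1 or src_lvl < dst_lvl else "medium"
        return (severity, f"no permitted path from level {src_lvl} to level {dst_lvl}")
    if flow.dst_port not in allowed:
        return ("medium", f"level {src_lvl}->{dst_lvl} on unexpected port {flow.dst_port}")
    return ("ok", f"permitted level {src_lvl}->{dst_lvl} on port {flow.dst_port}")


def audit(flows) -> list:
    """Evaluate every flow; return only violations as (flow, severity, reason), worst first."""
    order = {"high": 0, "medium": 1}
    results = [(flow, *evaluate(flow)) for flow in flows]
    return sorted((r for r in results if r[1] != "ok"), key=lambda r: order[r[1]])


# Constructed flow records for the demo.
SAMPLE_FLOWS = [
    Flow("10.2.0.5", "10.1.0.20", 502),       # HMI polling a PLC: permitted
    Flow("10.1.0.20", "10.1.0.21", 502),      # controller to controller inside Level 1
    Flow("10.4.0.9", "10.1.0.20", 502),       # enterprise host straight to a PLC
    Flow("10.3.0.2", "10.2.0.5", 3389),       # site operations to SCADA on an unlisted port
    Flow("10.1.0.20", "10.4.0.9", 443),       # controller initiating toward the enterprise
    Flow("192.168.50.7", "10.1.0.20", 502),   # host in no defined zone reaching a PLC
]


if __name__ == "__main__":
    for flow, severity, reason in audit(SAMPLE_FLOWS):
        print(f"[{severity}] {flow.src}->{flow.dst}:{flow.dst_port} {reason}")
```

In a real deployment the zone map comes from the asset inventory and the flows from SPAN ports or taps at the chokepoints between zones; the policy table is the part worth reviewing with plant engineers, since an over-broad entry silently hides exactly the lateral movement this check exists to catch.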

Threat Detection Capabilities

OT-specific threat detection mechanisms

Industrial environments require threat detection methods that understand the unique protocols, device types, and operational priorities of OT systems. Unlike IT-focused tools, OT-specific detection mechanisms can interpret commands to PLCs, SCADA servers, and RTUs, differentiating between legitimate process changes and malicious activity. These solutions are tailored to the deterministic nature of industrial traffic, allowing them to spot subtle but dangerous deviations that general-purpose cybersecurity tools might miss.

Anomaly detection in industrial control systems

Anomaly detection works by establishing a baseline of “normal” network and process behavior, then flagging deviations from that baseline. In OT environments, anomalies could include unexpected changes in control logic, abnormal device communications, or sensor readings that don’t match expected process conditions. Because many OT attacks exploit process manipulation rather than traditional malware, anomaly detection is a critical layer in identifying early warning signs before damage occurs.
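The protocol-analyzer and baseline ideas above can be combined in a small passive inspector. The following is an added example for this article, not Waterfall's code: it decodes Modbus/TCP requests (MBAP header plus PDU), learns during a baselining window which hosts talk to which controller with which function codes, and then flags malformed frames, state-changing writes from hosts that never wrote during baselining, diagnostic requests, and conversations outside the baseline. Addresses, the learning window and the monitored packets are all constructed inline.

```python
"""Passive Modbus/TCP inspection against a learned baseline (added example)."""
import struct
from dataclasses import dataclass, field

# Function codes that change controller state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Diagnostics and device identification: routine for engineers, unusual from an HMI poll loop.
DIAGNOSTIC_FUNCTIONS = {8, 43}
# Public function codes defined by the Modbus application protocol specification.
KNOWN_FUNCTIONS = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header and the PDU; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} disagrees with {len(payload) - 6} trailing bytes")
    return ModbusFrame(tx_id, unit_id, payload[7], payload[8:])


def build_request(tx_id: int, unit_id: int, function_code: int, data: bytes = b"") -> bytes:
    """Construct a Modbus/TCP request; used here only to fabricate demo traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", tx_id, 0, len(pdu) + 1, unit_id) + pdu


@dataclass
class Baseline:
    """What was observed during the learning window."""
    conversations: set = field(default_factory=set)   # (src, dst, unit_id, function_code)
    writers: set = field(default_factory=set)         # hosts that issued write functions

    def learn(self, src: str, dst: str, payload: bytes) -> None:
        frame = parse_modbus_tcp(payload)
        self.conversations.add((src, dst, frame.unit_id, frame.function_code))
        if frame.function_code in WRITE_FUNCTIONS:
            self.writers.add(src)


def inspect(src: str, dst: str, payload: bytes, baseline: Baseline) -> list:
    """Return (severity, message) findings for one request seen on a SPAN port or tap."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [("high", f"malformed Modbus/TCP from {src} to {dst}: {exc}")]
    fc = frame.function_code
    findings = []
    if fc not in KNOWN_FUNCTIONS:
        findings.append(("high", f"undefined function code {fc} from {src} to {dst}"))
    if fc in WRITE_FUNCTIONS and src not in baseline.writers:
        findings.append(("high", f"write (fc {fc}) from {src}, which issued no writes during baselining"))
    if fc in DIAGNOSTIC_FUNCTIONS:
        findings.append(("medium", f"diagnostic/identification request (fc {fc}) from {src} to {dst}"))
    if (src, dst, frame.unit_id, fc) not in baseline.conversations:
        findings.append(("low", f"conversation {src}->{dst} unit {frame.unit_id} fc {fc} not in baseline"))
    return findings


# Constructed addresses for the demo.
HMI, ENG, PLC, ROGUE = "10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.1.50"


def learn_baseline() -> Baseline:
    """Learning window (constructed): the HMI polls registers, engineering writes a setpoint."""
    baseline = Baseline()
    baseline.learn(HMI, PLC, build_request(1, 1, 3, struct.pack("!HH", 0, 10)))    # read 10 holding registers
    baseline.learn(ENG, PLC, build_request(2, 1, 6, struct.pack("!HH", 40, 500)))  # write single register
    return baseline


def run_demo() -> list:
    """Inspect constructed monitoring-phase traffic; returns one findings list per request."""
    baseline = learn_baseline()
    traffic = [
        (HMI, PLC, build_request(3, 1, 3, struct.pack("!HH", 0, 10))),            # routine poll
        (ROGUE, PLC, build_request(4, 1, 16, struct.pack("!HHBH", 40, 1, 2, 0))),  # write from unknown host
        (HMI, PLC, b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),          # protocol id 1: malformed
        (HMI, PLC, build_request(6, 1, 8, struct.pack("!HH", 0x0001, 0))),         # diagnostic sub-function 1
    ]
    return [inspect(src, dst, payload, baseline) for src, dst, payload in traffic]


if __name__ == "__main__":
    for findings in run_demo():
        print(findings or "no findings")
```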

Behavioral analysis for identifying operational irregularities

Behavioral analysis digs deeper into how devices, users, and processes interact over time. It can reveal irregularities such as operators issuing commands outside normal work hours, machines starting or stopping unexpectedly, or repeated failed login attempts to control systems. By correlating these behaviors across multiple data sources, monitoring platforms can detect suspicious patterns that indicate insider threats, compromised credentials, or process misuse.

Signature-based detection for known threats

Signature-based detection compares observed traffic and files against a database of known malicious patterns, such as specific malware payloads, exploit attempts, or command sequences. In OT networks, these signatures may include known exploits targeting industrial protocols or specific vendor equipment vulnerabilities. While this method is effective for identifying recognized threats, it must be paired with behavioral and anomaly-based approaches to catch novel or modified attacks.

Zero-day vulnerability monitoring approaches

Zero-day threats—attacks that exploit vulnerabilities not yet disclosed or patched—pose a significant risk to OT systems, especially those running legacy equipment. Monitoring for zero-day attacks often relies on heuristics, advanced anomaly detection, and machine learning models that can recognize malicious intent based on suspicious activity patterns rather than known signatures. These proactive methods help detect and contain emerging threats before attackers can cause operational disruption or safety incidents.

Visualization and Reporting

Network topology mapping for OT environments

A clear, accurate map of the OT network is the foundation of effective monitoring. Topology mapping tools automatically discover devices, communication paths, and protocol usage—presenting them in a visual layout that reflects the actual physical and logical structure of the network. In OT environments, these maps help operators understand dependencies between assets, identify unauthorized devices, and pinpoint exactly where anomalies occur within the process control architecture.

Real-time dashboards for operational visibility

Dashboards transform raw monitoring data into actionable insights, giving operators instant awareness of network health, device status, and process performance. In OT environments, real-time dashboards often display critical KPIs like latency, packet loss, and PLC status alongside production metrics, allowing plant and security teams to make informed decisions on the spot. Customizable views let different roles—engineers, security analysts, managers—see the information most relevant to their responsibilities.

Alert management and prioritization

With hundreds or even thousands of events occurring daily in a large OT environment, alert fatigue is a real concern. Effective monitoring systems prioritize alerts based on risk level, operational impact, and asset criticality—ensuring that safety-related or production-threatening events are escalated immediately, while lower-priority notifications are logged for later review. Intelligent alert correlation can also group related events, helping teams focus on the root cause rather than chasing symptoms.

Reporting capabilities for compliance and auditing

Regulatory frameworks such as NERC CIP, ISA/IEC 62443, and sector-specific safety standards require detailed evidence of monitoring activities. Reporting tools generate structured outputs that document network changes, security incidents, and system availability over time. Automated reporting ensures compliance documentation is always up to date, reducing the burden on operational teams while providing auditors with clear, verifiable records.

Historical data analysis and trend identification

Long-term monitoring data is a valuable asset for improving both security and operational performance. By analyzing historical trends, organizations can identify recurring issues, spot gradual performance degradation, and assess the effectiveness of past remediation efforts. In OT environments, trend analysis can also reveal seasonal patterns, workload fluctuations, or process inefficiencies—information that can be used to refine maintenance schedules and optimize resource allocation.

Challenges and Considerations

Dealing with legacy OT systems and protocols

One of the biggest hurdles in OT network monitoring is the prevalence of legacy equipment and outdated protocols that were never designed with security in mind. Many industrial control systems run proprietary or unsupported software, making it difficult to deploy modern monitoring tools without risking operational disruption. Monitoring solutions must be carefully chosen and configured to work with these legacy systems, often relying on passive techniques that avoid interfering with critical real-time processes.

Bandwidth and performance impacts of monitoring

OT networks are highly sensitive to latency and packet loss, which can directly affect control loop timing and process stability. Introducing monitoring infrastructure—especially active scanning or intrusive inspection—can strain network bandwidth and degrade performance. Therefore, monitoring architectures must be designed to minimize overhead, often through passive traffic collection methods like SPAN ports or network taps that don’t interfere with live traffic flows.

False positive management in industrial environments

OT networks generate a high volume of routine operational alerts, which can quickly overwhelm security teams if not properly filtered. False positives—alerts triggered by benign but unusual behaviors—can desensitize operators and cause critical warnings to be overlooked. Effective OT monitoring solutions use context-aware analytics, asset baselining, and correlation techniques to reduce noise, prioritize alerts, and ensure that only genuinely suspicious or impactful events demand attention.

Skill requirements for effective OT monitoring

OT monitoring requires a specialized skill set that combines cybersecurity expertise with deep understanding of industrial processes and control systems. Teams must be familiar with ICS protocols, safety requirements, and operational constraints to accurately interpret monitoring data and respond appropriately. This often necessitates cross-disciplinary collaboration between IT security professionals and OT engineers, alongside ongoing training to keep pace with evolving threats and technologies.

Balancing security monitoring with operational requirements

In OT environments, safety and continuous operation are paramount. Security monitoring cannot come at the expense of process reliability or safety system integrity. This balance requires careful planning—selecting non-intrusive monitoring technologies, aligning security policies with operational priorities, and maintaining transparent communication with plant personnel. The goal is to enhance security without introducing risk or disruption to critical industrial functions.

Ready to strengthen your industrial network’s defense without compromising operational integrity? Waterfall Security Solutions offers proven, non-intrusive security technologies designed specifically for OT environments. Our unidirectional gateways and advanced monitoring tools provide reliable protection against cyber threats while ensuring uninterrupted process performance. 

Contact us today to learn how Waterfall can help you achieve unmatched OT security and operational visibility.

About the author

Waterfall team

FAQs About OT Network Monitoring

OT network monitoring is the continuous observation, analysis, and reporting of traffic, device behavior, and system performance across industrial networks. Unlike a one-time audit or periodic check, monitoring is an ongoing process—providing operators and security teams with real-time visibility into what’s happening across their industrial assets. The goal is to spot deviations, intrusions, misconfigurations, or malfunctions early enough to prevent safety hazards, unplanned downtime, or regulatory violations.

In industrial environments, the stakes are higher than in most corporate IT networks. An undetected fault or cyber intrusion in an OT system can lead to physical damage, environmental harm, or even loss of life. Continuous monitoring helps maintain operational continuity by:

  • Detecting anomalies before they cause process disruption

  • Enabling rapid incident response to minimize downtime

  • Supporting compliance with safety and cybersecurity regulations

  • Preserving the reliability and lifespan of critical assets

While both IT and OT network monitoring aim to ensure secure, reliable operations, their priorities and constraints are markedly different. IT monitoring focuses heavily on data confidentiality, network uptime, and user access control. In contrast, OT monitoring emphasizes safety, system availability, and process integrity—often in environments where downtime is unacceptable and changes must be carefully tested before deployment. Additionally, OT networks often run on legacy protocols, proprietary systems, and equipment designed decades ago—requiring specialized tools and approaches that standard IT monitoring solutions can’t handle without risking operational disruption.

The post What is OT Network Monitoring? appeared first on Waterfall Security Solutions.

What Is ICS (Industrial Control System) Security? https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/what-is-industrial-control-system-security/ Thu, 14 Aug 2025 11:42:21 +0000 https://waterfall-security.com/?p=35669 How ICS security protects Industrial Control Systems, from SCADA and PLCs to critical infrastructure, vulnerabilities, and best practices

The post What Is ICS (Industrial Control System) Security? appeared first on Waterfall Security Solutions.

What Is ICS (Industrial Control System) Security?

ICS Security is crucial for protecting critical infrastructure like energy, manufacturing, utilities, and healthcare. This blog covers Industrial Control System components, common vulnerabilities, sector-specific risks, and best practices—including access control, network security, and compliance with NIST CSF and IEC 62443—to help safeguard industrial operations from cyber and operational threats.
Waterfall team

Industrial Control Systems (ICS) are the backbone of modern industries, running everything from power plants and water treatment facilities to manufacturing lines and critical infrastructure. While these systems keep our world moving smoothly, they also face a growing threat: cyberattacks. ICS security focuses on protecting these vital networks and devices from digital intrusions, system failures, and operational disruptions. As industries become increasingly connected and automated, understanding ICS security is no longer just an IT concern—it’s a matter of safety, reliability, and national security.

Understanding ICS Security Fundamentals

Industrial Control Systems (ICS) are specialized networks and devices that monitor and control industrial processes. They include systems like SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), and PLCs (Programmable Logic Controllers). These systems manage the machinery and processes that keep essential services running, such as electricity generation, water treatment, oil and gas pipelines, and manufacturing operations. Because these systems directly affect public safety and economic stability, ensuring their continuous and secure operation is critical.

The distinction between IT security and OT (Operational Technology) security approaches

While IT security focuses on protecting data, networks, and digital assets in traditional computing environments, OT security is concerned with safeguarding physical processes and industrial operations. Unlike typical IT systems, ICS and other OT environments often require continuous uptime, predictable real-time performance, and safety prioritization over data confidentiality. This means security measures in OT must balance protection with operational reliability, often using specialized controls, monitoring, and risk management strategies tailored to industrial environments.

Historical evolution of ICS security concerns and awareness

Historically, ICS environments were isolated and relied on proprietary technologies, making security a low priority. However, as industrial networks became increasingly connected to corporate IT systems and the internet, the risk of cyberattacks grew exponentially. High-profile incidents such as the Stuxnet malware attack in 2010 highlighted the devastating potential of targeting industrial systems, raising awareness across industries and governments. Today, ICS security is recognized as a critical aspect of infrastructure protection, with organizations implementing advanced monitoring, threat detection, and incident response strategies to defend against both cyber and physical threats.

Components of Industrial Control Systems

SCADA (Supervisory Control and Data Acquisition) systems architecture and security considerations

SCADA systems are designed to monitor and control large-scale industrial processes. Their architecture typically includes a central control system, remote field devices, communication networks, and data storage/reporting tools. Security considerations for SCADA focus on protecting these components from cyberattacks, unauthorized access, and network disruptions. Key strategies include network segmentation, strong authentication, encrypted communications, regular software updates, and continuous monitoring for anomalies. Since SCADA systems often control critical infrastructure, even minor compromises can have major operational and safety impacts.

PLCs (Programmable Logic Controllers) and their vulnerability points

PLCs are the “brains” of industrial equipment, executing automated control logic for machinery and processes. Their vulnerabilities often stem from outdated firmware, insecure protocols, or weak physical and network access controls. Attackers targeting PLCs can manipulate operations, cause equipment damage, or create unsafe conditions. Protecting PLCs involves strict access management, firmware patching, network isolation, and monitoring for unusual command patterns that could indicate tampering.

Distributed Control Systems (DCS) and their security requirements

DCS manage complex industrial processes by distributing control tasks across multiple controllers, allowing for redundancy and higher reliability. Security requirements for DCS focus on ensuring operational continuity, integrity of control logic, and protection against both cyber and insider threats. Measures include role-based access controls, encrypted communications, intrusion detection systems, and continuous auditing of process changes to prevent unauthorized modifications.

Remote Terminal Units (RTUs), sensors, and actuators as potential attack vectors

RTUs, sensors, and actuators are the field devices that collect data and execute commands in ICS environments. These components are often exposed to physical and network risks, making them potential entry points for attackers. Securing them requires tamper-resistant hardware, secure firmware, encrypted communications, and network monitoring to detect anomalies in field-level operations. Any compromise at this level can cascade to the entire control system.

Human-Machine Interfaces (HMIs) and their security implications

HMIs are the interfaces through which operators interact with ICS systems, providing visibility and control over industrial processes. Security risks include unauthorized access, malware infections, and manipulation of displayed data, which could lead to unsafe decisions. Protecting HMIs involves strong authentication, regular software updates, restricted network access, and operator training to recognize suspicious behavior or system anomalies.

Critical Infrastructure Sectors Relying on ICS

Energy sector (power plants, electrical grids, oil refineries)

The energy sector depends heavily on ICS to manage electricity generation, transmission, and distribution, as well as the operation of oil and gas refineries. These systems ensure the stability of power grids, regulate fuel flow, and monitor complex processes in real time. A security breach in this sector can lead to widespread blackouts, environmental hazards, or even national-level disruptions, making robust ICS protection absolutely essential.

Manufacturing and industrial production facilities

Modern manufacturing relies on ICS to automate production lines, control robotics, and maintain process efficiency. From automotive plants to electronics factories, these systems coordinate machinery and workflow at a scale and speed impossible for humans alone. Compromising these ICS environments can halt production, damage equipment, or create defective products, emphasizing the importance of both operational and cyber security measures.

Utilities (water treatment, gas distribution)

Water treatment plants, sewage systems, and gas distribution networks all depend on ICS to maintain safe and continuous service. ICS monitors flow rates, chemical levels, and system integrity to prevent contamination, leaks, or service interruptions. Because failures in these systems can directly affect public health and safety, securing these control networks against cyber and physical threats is critical.

Healthcare facilities and life-critical systems

Hospitals and healthcare facilities increasingly rely on ICS to manage critical systems such as medical imaging, laboratory equipment, HVAC, and backup power generators. Attacks or malfunctions in these systems can jeopardize patient safety, disrupt emergency services, and delay life-saving treatments. Consequently, securing ICS in healthcare involves not only traditional cyber defense but also compliance with stringent safety and privacy regulations.

ICS Security Framework and Implementation

ICS-Specific Vulnerabilities and Risks

Legacy systems with extended lifecycles and limited update capabilities

Many ICS environments rely on legacy hardware and software that were designed decades ago, often with minimal consideration for cybersecurity. These systems may not support modern security patches, updates, or encryption methods, leaving them exposed to vulnerabilities that attackers can exploit. The long lifecycle of these systems makes it challenging to maintain security without disrupting operations, creating a persistent risk for industrial environments.

Default configurations and hardcoded credentials

A common vulnerability in ICS is the use of default settings and hardcoded passwords in devices such as PLCs, HMIs, and RTUs. These default credentials are often well-known and can be exploited by attackers to gain unauthorized access. Failing to change these settings or implement strong authentication mechanisms can turn even a single compromised device into a gateway to the broader network.

Physical security concerns and their cyber implications

ICS components are often deployed in remote or accessible locations, making them susceptible to physical tampering or sabotage. Physical access can allow attackers to manipulate hardware, inject malicious code, or bypass network security controls. Because many ICS devices are connected to critical processes, even a small physical breach can escalate into a major operational or safety incident.

Operational requirements for availability versus security needs

ICS environments prioritize operational continuity and real-time performance, which can sometimes conflict with security best practices. For example, shutting down a process to apply a security patch may be unacceptable, or adding authentication delays could interfere with time-sensitive controls. This tension between availability and security requires careful risk management, layered defenses, and proactive monitoring to protect systems without compromising operational efficiency.

Access Control and Authentication

Role-based access control implementation for ICS environments

Role-based access control (RBAC) is a cornerstone of ICS security, ensuring that users can only access the systems and functions necessary for their job roles. By defining clear permissions for operators, engineers, and administrators, RBAC reduces the risk of accidental or malicious actions that could disrupt industrial processes. Regularly reviewing and updating role assignments helps maintain security as personnel or responsibilities change.

Multi-factor authentication for critical system access

To strengthen ICS security, multi-factor authentication (MFA) adds an additional layer of verification beyond passwords. MFA can include hardware tokens, biometrics, or one-time codes, making it much harder for attackers to gain unauthorized access. Implementing MFA is especially critical for remote access or administrative accounts that control key components of industrial processes.

Privileged account management for control systems

Privileged accounts in ICS—those with administrative or high-level operational access—pose a significant security risk if mismanaged. Proper management involves monitoring account activity, limiting the number of privileged users, enforcing strong password policies, and regularly auditing access logs. These practices help prevent insider threats, credential theft, and unauthorized system changes.

Physical access restrictions to ICS components

Physical security complements digital protections by preventing unauthorized personnel from tampering with ICS devices. Measures include locked cabinets, secured control rooms, surveillance systems, and restricted entry to sensitive areas. Controlling physical access is especially important for PLCs, RTUs, and HMIs that could be directly manipulated to disrupt industrial processes.

Vendor and contractor access management protocols

Vendors and contractors often require temporary access to ICS for maintenance, updates, or troubleshooting. Implementing strict access management protocols—such as time-limited accounts, supervised sessions, and detailed logging—reduces the risk of third-party breaches. Ensuring these external users adhere to the same security standards as internal staff is critical for maintaining overall system integrity.
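The access-control sections above (role-based access, MFA for remote and administrative access, privileged-account auditing, and time-limited supervised contractor accounts) fit together into a single authorization decision plus a log review. The example below is an added illustration, not code from the original post or from Waterfall: the role names, action names, maintenance window and accounts are constructed for the example, and a real deployment would take them from the site's identity provider and change-management system.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed example policy: role -> actions that role may perform.
ROLE_PERMISSIONS = {
    "operator": {"view_hmi", "acknowledge_alarm", "adjust_setpoint"},
    "engineer": {"view_hmi", "acknowledge_alarm", "adjust_setpoint",
                 "download_plc_logic", "modify_plc_logic"},
    "administrator": {"view_hmi", "manage_users", "apply_patch",
                      "modify_network_config"},
}
# Actions that change control logic or system configuration: always MFA-gated.
PRIVILEGED_ACTIONS = {"modify_plc_logic", "manage_users", "apply_patch",
                      "modify_network_config"}


@dataclass
class Account:
    username: str
    role: str
    is_contractor: bool = False
    expires_at: Optional[datetime] = None   # contractor accounts are time-limited


@dataclass
class Request:
    account: Account
    action: str
    at: datetime
    remote: bool = False
    mfa_verified: bool = False
    supervised: bool = False                # a site engineer is watching the session


def authorize(req: Request, audit_log: list):
    """Decide one request; every decision, granted or denied, is logged."""
    acct = req.account
    if req.action not in ROLE_PERMISSIONS.get(acct.role, set()):
        granted, reason = False, "action not permitted for role"
    elif acct.is_contractor and (acct.expires_at is None or req.at >= acct.expires_at):
        granted, reason = False, "contractor account expired or has no expiry"
    elif acct.is_contractor and not req.supervised:
        granted, reason = False, "contractor session must be supervised"
    elif (req.remote or req.action in PRIVILEGED_ACTIONS) and not req.mfa_verified:
        granted, reason = False, "MFA required for remote or privileged access"
    else:
        granted, reason = True, "granted"
    audit_log.append({"at": req.at, "user": acct.username, "role": acct.role,
                      "contractor": acct.is_contractor, "action": req.action,
                      "remote": req.remote, "granted": granted, "reason": reason})
    return granted, reason


def audit_privileged(audit_log: list, window_start: time, window_end: time) -> dict:
    """Privileged-account review: who exercised privileged actions, which of
    those happened outside the approved maintenance window, and what was denied."""
    privileged = [e for e in audit_log if e["granted"] and e["action"] in PRIVILEGED_ACTIONS]
    return {
        "privileged_users": sorted({e["user"] for e in privileged}),
        "out_of_window": [e for e in privileged
                          if not (window_start <= e["at"].time() < window_end)],
        "denied": [e for e in audit_log if not e["granted"]],
    }


def run_scenario():
    """Constructed day of activity; returns the log and the audit report."""
    log = []
    op = Account("op.carol", "operator")
    eng = Account("eng.alice", "engineer")
    vendor = Account("vendor.bob", "engineer", is_contractor=True,
                     expires_at=datetime(2025, 1, 1, 18, 0))
    day = lambda h, m=0: datetime(2025, 1, 1, h, m)
    requests = [
        Request(op, "adjust_setpoint", day(9)),                                  # granted
        Request(op, "modify_plc_logic", day(9, 5)),                               # role denies
        Request(eng, "modify_plc_logic", day(14), remote=True, mfa_verified=True),  # granted, in window
        Request(eng, "modify_plc_logic", day(20)),                                # privileged, no MFA
        Request(vendor, "download_plc_logic", day(10), remote=True,
                mfa_verified=True, supervised=True),                              # granted
        Request(vendor, "modify_plc_logic", day(19), remote=True,
                mfa_verified=True, supervised=True),                              # expired account
        Request(vendor, "download_plc_logic", day(10, 30), remote=True,
                mfa_verified=True),                                               # unsupervised
        Request(eng, "modify_plc_logic", day(22), mfa_verified=True),             # granted, out of window
    ]
    for r in requests:
        authorize(r, log)
    return log, audit_privileged(log, time(12, 0), time(16, 0))


if __name__ == "__main__":
    _, report = run_scenario()
    print("privileged users:", report["privileged_users"])
    print("out-of-window privileged changes:", len(report["out_of_window"]))
    print("denied requests:", len(report["denied"]))
```

The checks are ordered so that the cheapest and most definitive denial comes first (role), then account lifetime and supervision for third parties, then MFA. The audit function treats the log as the record of interest: a granted `modify_plc_logic` at 22:00 is not a policy violation in itself, but it falls outside the 12:00 to 16:00 maintenance window and is exactly the kind of entry a privileged-account review should surface for explanation.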

Regulatory Compliance and Standards

Industrial Control Systems operate in sectors where safety, reliability, and compliance are paramount. To manage the unique cybersecurity risks in these environments, governments and international organizations have established a range of regulations and standards. These guidelines help organizations implement consistent security practices, align with industry best practices, and ensure that critical infrastructure remains protected from cyber and operational threats.

NIST Cybersecurity Framework application to industrial control systems

The NIST Cybersecurity Framework (CSF) provides a structured approach for identifying, protecting, detecting, responding to, and recovering from cyber threats. While originally developed for general IT environments, the framework has been widely adopted for ICS and OT systems. Organizations use NIST CSF to assess their current security posture, implement risk-based controls, and create resilient industrial operations. Its flexible design allows ICS operators to align security practices with operational priorities without compromising uptime.

IEC 62443 standards for industrial automation and control systems

IEC 62443 is a comprehensive set of international standards specifically designed for industrial automation and control systems. It addresses security across the entire lifecycle of ICS components, from design and development to operation and maintenance. Key areas include system security requirements, secure network architecture, and procedures for managing vulnerabilities. The standards also provide guidance on role-based access, authentication, and supplier security practices. For more detail, see the IEC 62443 Standards Overview.


International standards and their regional variations

Different regions and countries have developed their own regulations for ICS security, often building on international frameworks like NIST and IEC 62443. For example, the European Union’s NIS Directive sets cybersecurity requirements for critical infrastructure operators, while the U.S. Department of Homeland Security provides sector-specific guidelines for energy, water, and transportation systems. Understanding these regional variations is essential for multinational organizations to ensure compliance and maintain consistent security practices across all industrial sites.

Final Thoughts

In today’s interconnected industrial landscape, the security of ICS and SCADA systems is more critical than ever. From legacy vulnerabilities to sophisticated cyber threats, protecting these systems requires a comprehensive approach that combines best practices, regulatory compliance, and advanced monitoring. Staying ahead of potential risks ensures not only operational continuity but also the safety of employees, communities, and critical infrastructure.

To see how Waterfall’s solutions can safeguard your SCADA systems and strengthen your industrial security posture, contact us today.

About the author

Waterfall team

FAQs About ICS Security

ICS security, or Industrial Control System security, is the practice of protecting the hardware, software, networks, and processes that manage and automate industrial operations. This includes systems like SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), PLCs (Programmable Logic Controllers), and field devices such as sensors and actuators.

The goal of ICS security is to ensure the confidentiality, integrity, and availability of these systems while maintaining safe and continuous operations. Unlike traditional IT security, ICS security must balance cyber protection with operational requirements, because disruptions can directly affect critical infrastructure like power plants, water treatment facilities, manufacturing lines, and healthcare systems.

The main difference between IT security and OT (Operational Technology) security lies in their focus and priorities:

  • IT Security protects data, networks, and digital assets in traditional computing environments. Its primary goals are confidentiality, integrity, and availability of information, with downtime often being manageable.

  • OT Security protects physical processes, machinery, and industrial systems like ICS and SCADA. Its main priority is safety and continuous operation, since downtime or disruption can directly impact production, critical infrastructure, or even human life.

In short, IT security focuses on protecting information, while OT security focuses on protecting physical processes and operational continuity, often requiring specialized controls that balance cybersecurity with real-time industrial performance.

Industrial Control Systems (ICS) are the frameworks that monitor and manage industrial processes, from manufacturing lines to power grids. They consist of PLCs (Programmable Logic Controllers) that automate machinery, sensors and actuators that detect conditions and execute actions, SCADA systems that collect and display data, and HMIs (Human-Machine Interfaces) that allow operators to interact with the process. RTUs (Remote Terminal Units) extend control and monitoring to remote locations, while communication networks connect all components and enable data flow.

Together, these components allow operators to monitor, control, and optimize industrial processes safely and efficiently. Safety and protection systems, like safety instrumented systems, provide critical safeguards by intervening automatically when processes exceed safe limits. In essence, ICS integrates the “eyes, hands, brain, and nerves” of an industrial operation, ensuring processes run reliably, safely, and in real time.


The post What Is ICS (Industrial Control System) Security? appeared first on Waterfall Security Solutions.

]]>