Finally, An OT Security Approach That Works

OT security should combine cybersecurity and engineering to prevent physical and cyber threats. This holistic strategy is a game-changer for safeguarding critical infrastructure and marks the next major step in OT security. Level Zero is the first time this idea and approach to OT Security will come together.

Andrew Ginter

Level Zero

If your life depended on preventing a massive boiler blowing up in your face, how would you prefer to be protected from a cyber attack that overheats the furnace underneath it? Would you prefer a mechanical over-pressure relief valve, or would you prefer a longer password for the computer controlling the furnace?

When I ask this, the gurus tell me, “Andrew, you’re trying to deceive us. You’re asking the wrong question.” And they’re right. Yes, I’d want a relief valve – I’d want four of them. These things suffer metal fatigue and corrosion. I need at least one of them to work to save my life. And I would want the longer password. Not just the password, I’d want an absolute boatload of cybersecurity on top of both, because this is my life on the line.

But where is the relief valve in ISO 27001? In the NIST CSF? In the industrial IEC 62443 family of standards? Not a hint of it. Because these are cybersecurity standards and the valve is an engineering tool designed to address physical risk.

Level Zero

The new Level Zero event joins these two worlds. Level Zero by CS2AI is where cybersecurity joins engineering. After all, OT security is properly viewed as a coin with two sides: on one side we do cybersecurity – we teach engineering teams about cyber risks, attacks, mitigations, and the intrinsic limitations of all cybersecurity tools. On the other side of the coin we do engineering – we make very small changes to the design of our physical processes, automation, networks and other components that, to the greatest extent practical, eliminate entire swaths of consequences and risks from consideration.

Spending the Coin

But here’s the thing: when we spend a coin, do we choose which side to spend? No – we spend the whole coin; you can’t spend one side of a coin. Level Zero is the whole coin: all of cybersecurity that applies to preventing unacceptable physical consequences and all of engineering that applies to addressing cyber threats as well as more conventional physical threats. Additionally, new fields and techniques are emerging at the intersection of cybersecurity and engineering.

Emerging Disciplines

Cyber-Informed Engineering is one way to look at this space. So is Engineering-Grade OT Security. So too is Security PHA Review and Consequence-Driven, Cyber-Informed Engineering.

These perspectives and approaches to OT security are ideas whose time has come. When I introduce CIE, SEC-OT and these other approaches to stakeholders ranging from board-level cybersecurity subcommittees to enterprise security and engineering teams, the most common reaction is roughly “What a good idea. But – why is this new? Why is this not how we were looking at the problem from the very beginning?” I have no answer – this approach makes so much sense that it should not be new, but it is. This shift in perspective is arguably the most important improvement in OT security since the phrase “OT security” was coined 20 years ago.

And Level Zero is the first time all these ideas and approaches to OT Security are coming together. I encourage everyone active in this space to (a) submit the work you are doing to the call for speakers, now open, and (b) plan to attend Mar 31-Apr 2 in Atlanta. The world’s experts at the intersection of cybersecurity and engineering are coming together for the first time to share insights, compare notes and hear about the latest work that we are all doing.

Ground Floor

This is the inaugural Level Zero – an event people will talk about for the next decade or even two. This is your chance to get in on the ground floor. All the gurus will be there. I hope you can join us.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.