cyber webinar – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Tue, 25 Nov 2025 07:42:23 +0000

‘Credibility’ vs. ‘Likelihood’ in OT Security
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/credibility-vs-likelihood-in-ot-security/
Sun, 02 Feb 2025 13:59:51 +0000

Watch the webinar to explore and weigh in on a cutting-edge debate that is likely to change forever how we think about high-consequence threats.


New Perspectives on High Consequence Security

If we implement the highest 62443 SL4 throughout, have we addressed all credible threats? Do we need strong protections against all credible threats with serious consequences? These are important questions as our OT threat environment continues to deteriorate.

But if “risk = consequence x likelihood,” can we even ask these questions with the word “likelihood”?

In this webinar Andrew Ginter takes us through:

  • The argument that we need our high-consequence risk and security guidance to stop talking about “likelihood” and start talking about either “frequency” or “credibility,” depending on context.
  • The cutting-edge debate that is likely to change forever how we think about high-consequence threats.

About the Speaker

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Why Understanding OT Attacks Is Important
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/why-understanding-ot-attacks-is-important/
Mon, 13 Jan 2025 12:38:09 +0000

We can debate whether threats are credible and whether we should spend money and effort addressing credible residual risks, but to debate any of that, we must first understand the attacks.

Andrew Ginter

Understanding how cyber attacks on OT targets work is important, and not just for penetration testers. The obvious reason: defenders need to understand how attackers are coming after us in order to design defenses that are effective against those attacks. Less obvious: we measure the relative strength of two defensive postures by the attacks that one posture defeats with a high degree of confidence and the other does not.

Doing Things the Right Way vs. Doing the Right Things

What I’m saying is that attacks are a way to measure the effectiveness of a security program. This kind of measurement is often called a “metric.” There is a lot of debate about OT security metrics, not least because most “metrics” don’t in fact measure security, they measure process. Common metrics include:

  • How many OT assets we have inventoried re: location, function, version, security update, etc., and how many we estimate are yet un-inventoried,
  • How many unpatched vulnerabilities remain in that inventory,
  • What fraction of the inventory can run any kind of anti-virus and when each of those AV systems was last updated, and
  • What fraction of our systems have offsite backups.

In a real sense, these metrics are all answering the question “Are we doing things the right way?” rather than “Have we done the right things to defeat attacks?”

Nothing is Secure

What does ‘doing the right things to defeat attacks’ mean? Well, the first law of SCADA security is that “Nothing is secure.” The truism is that, given enough time, money, and talent in the hands of our adversaries, any security posture that we invent can be breached. Said another way, no matter how secure we might be, we can always imagine attacks that are so nasty that they will breach our defensive posture and bring about consequences that we need to prevent.

It is these attacks that we need to understand. More specifically, we need to understand the simplest attacks that can breach our current defensive posture and bring about unacceptable consequences. These attacks may be very complex, but no defensive posture is perfect, and so there are always attacks that can still get in.

Figuring out what these attacks are, though, is not easy – but it is doable. To figure out what the simplest attacks that remain as residual risk are, we need a lot of knowledge in the room. We need experts on attacks (pen testers), we need experts on how our automation is set up (automation engineers), we need experts on the defenses we have already deployed and how effective each is against different kinds of attacks (enterprise security), and many more.

Credible Threat & Design-Basis Threat

Those attacks and risks that (always) remain define our “design-basis threat.” This is a term from physical security that describes the most capable threat a defensive posture is designed to defeat with a high degree of confidence.

For example, a nuclear reactor’s containment dome might be required / designed to withstand two successive direct impacts by large passenger jets fully loaded with fuel, without a radiological release. But not three such impacts. We can use the same concept for our cyber defenses – what are the most capable, most consequential attacks that we defeat without suffering unacceptable losses?

Having defined our current design-basis threat in terms of attacks we do and do not defeat, we must then ask: do any of these left-over attacks that we do not defeat constitute credible threats? What does that mean?

Well, imagine a small rural water utility. Thirty employees, most of whom spend most of their days with trucks and backhoes digging holes in the ground. Is it possible for a nation-state – say the Russians – to plant a sleeper cell of three cybersecurity gurus in the workforce of the small water utility? And activate the cell four years from now to trigger a catastrophic insider cyber attack on the water utility?

Well yes, it’s possible. The exercise might cost as much as five or six million dollars to pull off, and yes, Russian intelligence agencies or their army do have that much money. Is such an attack reasonable though? Why would the Russians or anyone else bother with such a sophisticated, costly attack on such an inconsequential utility in the middle of nowhere? The threat does not seem credible – it does not seem reasonable to believe that such an attack will ever occur.

What about the same hypothetical attack on the city of Washington, D.C.? Well, that’s another matter. Such an attack on the American capital might well be considered a credible / believable threat.

So, having determined our current design-basis threat (DBT) level, we can then ask: of the attacks ‘above’ the DBT line (i.e. not defeated with a high degree of confidence), are any credible threats?

Attack Trends

Attack tools become more sophisticated every year. OT attack tools are increasingly able to bring about truly unacceptable consequences, even if these tools have to date, at least in public reports, not yet brought about such consequences. The capability is there. Increasingly capable attacks are becoming increasingly credible.

When we study the attacks, consequences, and risks that remain in our defensive postures, more and more of us are finding that there are credible threats that are not covered by our DBT – by our current security program. When we discover these, we need to decide: are we going to spend the money and effort to make our defensive programs more capable? Or will we change nothing and simply accept the risk of these new, credible threats? If the latter, who’s going to sign off on this risk that the business is accepting? Generally, someone with budget authority needs to sign off – it is their decision not to spend the money to address the risk.

Understanding Attacks

We can debate whether threats are credible and whether we should spend money and effort addressing credible residual risks, but to debate any of that, we must first understand the attacks.

To dig deeper into the evolving space of OT cyber attacks, and the rationale above, please join my webinar, From Blind Spots to Action: OT Threats Exposed, at 12 PM New York Time on Jan 22.

Andrew Ginter’s Top 3 Webinars of 2024
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/andrew-ginters-top-3-webinars-of-2024/
Tue, 17 Dec 2024 11:38:14 +0000

Get up to speed on key trends and strategies in industrial security with Andrew Ginter’s favorite webinars of 2024.


Discover Andrew Ginter’s top picks for the most insightful and engaging webinars of 2024, covering key trends and strategies in industrial security.
Andrew Ginter

As 2024 comes to a close, it’s traditional to reflect and maybe catch up on bits of reading and events that we missed throughout the year because of our busy schedules. To this end, I recommend to you three of this year’s Waterfall webinars, each an overview of Waterfall or other authors’ reports that read faster when we’ve seen an overview, so each of us can skip faster to the material we find most potentially useful.

My Top Three Webinars of 2024:

1) Cyber Attacks with Physical Consequences – 2024 Threat Report

By the numbers – Waterfall & ICS Strive produce the world’s most conservative and most credible OT / industrial security threat report. In this webinar the authors review the numbers – public disclosures of attacks with physical consequences. And we look at what the numbers mean for the practice and future of industrial cybersecurity.

To read further, the threat report is available here.

2) IEC 62443 for Power Generation

The IEC 62443 standards are cross industry, somewhat out of date, and deliberately vague in many areas – and so need to be interpreted to apply them successfully. In this webinar, Dr. Jesus Molina provides an overview of his report that shows how to interpret and apply the standards to conventional electric power plants.

To read further, the IEC 62443 for Power Generation report is available here.

3) Evolving Global OT Cyber Guidelines

This webinar is a favorite of mine because of the big turnout and the thoughtful questions and comments from the audience. In this webinar, we explore the latest developments in OT cybersecurity regulations, standards and guidance worldwide and what these developments mean for industries navigating this complex landscape.

If you would like to read more, I recommend the brand new, multi-national Principles of OT Security – it’s good, and with only 9 pages of payload, it’s an easy read over the holidays.

These are my top 3. If you would like to see even more of our videos, I encourage you to subscribe to the Waterfall YouTube channel, where we upload new videos regularly.
