Secure operations technology

a book by Andrew ginter

We are pleased to announce the general availability of Andrew Ginter’s new book, Secure Operations Technology (SEC-OT). SEC-OT is a perspective, a methodology and a set of best practices that document what thoroughly-secured industrial sites actually do. What these sites do differs sharply from what most industrial sites do. 

Secure operations technology

a book by Andrew ginter

We are pleased to announce the general availability of Andrew Ginter’s new book, Secure Operations Technology (SEC-OT). SEC-OT is a perspective, a methodology and a set of best practices that document what thoroughly-secured industrial sites actually do. What these sites do differs sharply from what most industrial sites do. 

WATCH THE SEC-OT BOOK PRESENTATION at S4x19

OT-SEC = IT-SEC + SEC-OT

Most industrial sites practice IT Security (IT-SEC) whose focus is to “protect the information” – the CIA, the AIC, the IAC, or the something of the information. The focus at secure industrial sites though, is protecting the safe, reliable, continuous and correct operation of the physical, industrial process, not protecting information. Indeed, secure sites are focused on precisely the opposite – protecting correct and continuous physical operations from information, more specifically from cyber attacks that may be embedded in information.

The strategy for SEC-OT is physical protection of control-critical networks from information/attack flows, not just IT-SEC-style software protection. To be fair though, all SEC-OT sites also deploy comprehensive, software-based IT-SEC security programs. Early readers of the new book asked why the book is not called “Operations Technology Security” (OT-SEC). The reason Andrew Ginter did not use this title is because a book on OT-SEC would necessarily have been much longer than one on SEC-OT.

Rather than documenting the entire concept of OT-SEC, the new book focuses on the difference between OT-SEC and IT-SEC. SEC-OT is the “missing link” – SEC-OT is what elevates secure industrial sites above the “bulge” in the bell curve of security program strength.

While some readers of the new book called it “controversial”, Mr. Ginter maintains that the book documents what thoroughly-secured sites do: “I do not see this as controversial, I see it as reporting and relaying the facts. The real question is: why is nobody else talking about these practices?”

Cyber attacks continue to become more capable and more sophisticated, and all industrial sites are increasing the strength of their defensive postures to address steadily increasing threats. The entire bell curve of security posture strength is shifting to the right – in the direction of today’s SEC-OT sites. What SEC-OT sites do today is sooner or later the future of all industrial sites.

Waterfall Security Solutions is making free copies of the new book available to qualified practitioners. All industrial security practitioners are strongly recommended to take advantage of the offer and become familiar with the perspective and practices of the world’s most secure industrial sites.

Most industrial sites practice IT Security (IT-SEC) whose focus is to “protect the information” – the CIA, the AIC, the IAC, or the something of the information. The focus at secure industrial sites though, is protecting the safe, reliable, continuous and correct operation of the physical, industrial process, not protecting information. Indeed, secure sites are focused on precisely the opposite – protecting correct and continuous physical operations from information, more specifically from cyber attacks that may be embedded in information.

The strategy for SEC-OT is physical protection of control-critical networks from information/attack flows, not just IT-SEC-style software protection. To be fair though, all SEC-OT sites also deploy comprehensive, software-based IT-SEC security programs. Early readers of the new book asked why I did not call the book “Operations Technology Security” (OT-SEC). I did not use this title because a book on OT-SEC would necessarily have been much longer than one on SEC-OT.

What I document in the new book is not all of OT-SEC, but the difference between OT-SEC and IT-SEC. SEC-OT is the “missing link” – SEC-OT is what elevates secure industrial sites above the “bulge” in the bell curve of security program strength.

Readers of the new book have called it “controversial.” What I do in the book though, is document what thoroughly-secured sites do. I do not see this as controversial, I see it as reporting and relaying the facts. The real question is; why is nobody else talking about these practices?

Cyber attacks continue to become more capable and more sophisticated, and all industrial sites are increasing the strength of their defensive postures to address steadily increasing threats. The entire bell curve of security posture strength is shifting to the right – in the direction of today’s SEC-OT sites. What SEC-OT sites do today is sooner or later the future of all industrial sites.

For a limited time, Waterfall Security Solutions is making free copies of the new book available to qualified practitioners. I encourage all industrial security practitioners to take advantage of the offer and become familiar with the perspective and practices of the world’s most secure industrial sites.

GET A FREE COPY, we are shipping it worldwide

Learn more from the Industrial Security Institute

Round #4 Outsmart| Knocking Out OT Cyber Risk | iSi

Do your cybersecurity efforts feel like a game of whack-a-mole? It’s time to out smart our attackers, not out work them. Unhackable protections don’t just reduce risk. They eliminate entire classes of risks. 4x national boxing champion, Rob Couzens, draws insightful parallels between the wolds of boxing and industrial security.

More »
Andrew Ginter