Most industrial sites practice IT Security (IT-SEC), whose focus is to “protect the information” – the CIA, the AIC, the IAC, or the something of the information. The focus at secure industrial sites, though, is protecting the safe, reliable, continuous and correct operation of the physical, industrial process, not protecting information. Indeed, secure sites are focused on precisely the opposite – protecting correct and continuous physical operations from information, more specifically from cyber attacks that may be embedded in information.
The strategy for SEC-OT is physical protection of control-critical networks from information/attack flows, not just IT-SEC-style software protection. To be fair, though, all SEC-OT sites also deploy comprehensive, software-based IT-SEC security programs. Early readers of the new book asked why I did not call the book “Operations Technology Security” (OT-SEC). I did not use this title because a book on OT-SEC would necessarily have been much longer than one on SEC-OT.
What I document in the new book is not all of OT-SEC, but the difference between OT-SEC and IT-SEC. SEC-OT is the “missing link” – SEC-OT is what elevates secure industrial sites above the “bulge” in the bell curve of security program strength.
Readers of the new book have called it “controversial.” What I do in the book, though, is document what thoroughly-secured sites do. I do not see this as controversial; I see it as reporting and relaying the facts. The real question is: why is nobody else talking about these practices?
Cyber attacks continue to become more capable and more sophisticated, and all industrial sites are increasing the strength of their defensive postures to address steadily increasing threats. The entire bell curve of security posture strength is shifting to the right – in the direction of today’s SEC-OT sites. What SEC-OT sites do today is, sooner or later, the future of all industrial sites.
For a limited time, Waterfall Security Solutions is making free copies of the new book available to qualified practitioners. I encourage all industrial security practitioners to take advantage of the offer and become familiar with the perspective and practices of the world’s most secure industrial sites.