What OT security is all about
OT security this, OT security that… a lot of technology vendors keep hammering on this topic and promising all sorts of things. But they are missing the point. They try to paint a picture of a situation with two roles: the attacker and the defender. I don’t see it that way.
When talking to plant managers, production managers, line managers, … there is one theme which always, without exception, comes back. For them, their main responsibility is to keep the factory running (in a safe way). Safety is an important aspect, and I’m very glad for that. But the key take-away here is that the factory must keep on running. Said differently: downtime must be reduced to a minimum.
Types of downtime
There are 2 major types of downtime:
- Planned downtime
- Unplanned downtime
Planned downtime consists, as the name suggests, of planned events during which (parts of) the factory cannot produce. Because it is planned, one can prepare thoroughly to keep the duration of the downtime to a minimum and thus the costs under control.
Unplanned downtime, however, happens at unforeseen moments. These occurrences cannot be prepared for thoroughly, and the duration of the downtime is often unpredictable. There are studies showing that the cost per minute of unplanned downtime is up to 4 times higher than the cost per minute of planned downtime!
Knowing this, I want to rephrase something I stated earlier. When I said earlier that one of the main priorities of the plant managers, production managers, line managers, … is to reduce the downtime to a minimum, I actually meant to reduce the unplanned downtime to a minimum.
That's what OT security is all about
So OT security is not about ‘attackers’ versus ‘defenders’. It is about reducing unplanned downtime due to cyber incidents. OT security will have no effect on mechanical defects leading to unplanned downtime. What OT security does is add to the resilience of your Operational Technology, your Industrial Automation and Control Systems (IACS).
And yes: that unplanned downtime might be the result of a cyber attack (by the ‘attackers’), but there are many other possible reasons. The actual reason doesn’t really matter for the plant manager; the result is the same: unplanned downtime, which you don’t want.
OT security will help to protect against unintentional violations (Security Level 1 of IEC 62443) and against intentional violations (Security Levels 2 to 4).
When talking about OT security, make sure you talk to the right people (not the IT staff), and make sure you talk their language.
Here are some external references you might find interesting on the topic of unplanned downtime:
Spinae security specialists are here to help
With our substantial real-world experience in many different sectors, our certified expertise on IEC 62443 and the fact that we are brand-independent, Spinae is a very good fit to help you and your company.
Contact us to get our expert view on the matter and get you on the way!
About the author
Stijn Boussemaere, co-founder of Spinae, is a Certified IEC 62443 Industrial Security Foundations Specialist. He is a member of the International Society of Automation (ISA). As a guest professor at the University College Howest he’s been active in courses such as Security, Linux, Cloud Services, Data Science, … He loves translating complex concepts into understandable language to help others.