As Richard Bejtlich summed up in his book, The Tao of Network Security Monitoring, “prevention eventually fails.” This simple, three-word phrase, which gets to the core of his detection-centric philosophy, is a critical and timely maxim for OT teams, one that bears repeating, sharing, and maybe even framing and hanging on a control room wall. No matter how many fences or firewalls organizations mount, at some point they will fail. That is not to say that they should give up on prevention or that they shouldn’t be prepared, but rather that the prudent approach is to accept the limitations of preventative measures and shift focus to detection and response.
The eighties, nineties, and aughts were all about patching systems and deploying firewalls. The problem is that savvy computer people know how that technology works, and they also know how to get around it. A major shift today, especially for OT, is to be prepared to be compromised. The more skilled companies become at detecting and responding to malicious behavior, the more they can mitigate the risk of something really bad happening.
It’s not time to get complacent, especially for ICS organizations.
Be sure to:
- Establish a process for assessing your asset environment, especially as IT and OT systems are integrated
- Build fault tolerance and resilience through asset knowledge and document controls
- Diminish disruption or downtime to business operations by identifying, in advance, any machines that can be taken offline
Just because you feel safe behind your castle wall doesn’t mean someone isn’t tunnelling under it.