OT Cybersecurity: Can the Government Save Us?

Governments play an important role in OT security: they educate, they share threat information, they vet our employees and other trusted insiders, and from time to time they legislate cybersecurity defenses that the most consequential industrial enterprises must implement.

Why do we need to do any kind of robust OT cybersecurity at all? After all, in the physical domain, we expect individual citizens to take reasonable measures to protect themselves from petty burglars and car thieves, and not from a squadron of tanks rolling down the street blowing holes in buildings. We expect our governments and militaries to protect us from the most capable and consequential adversaries and attacks. Should the same not be true in the cyber world?

For example, some governments have declared that significant cyber attacks on critical infrastructures shall constitute acts of war. But – significant attacks on critical infrastructures have occurred, with neither physical retaliation nor declarations of war by those same governments. Why? Well, in part this is because reliable attribution of cyber attacks can be made arbitrarily difficult by attackers – after the attack, we do not know who to declare war against. In part the problem is that the consequences of launching an all-out physical war are truly monstrous and are widely seen as a disproportionate response to a cyber attack, even an attack on critical infrastructures.

“We expect our governments and militaries to protect us from the most capable and consequential adversaries and attacks. Should the same not be true in the cyber world?”

Real Time Response

Many governments have invested heavily in protective measures for their infrastructures: establishing threat information sharing systems, providing classified threat briefings, establishing national cyber emergency response teams, imposing cybersecurity regulations and sometimes even mandating central government security and incident monitoring systems. Most governments also have powerful systems in place to ferret out spies, terrorist conspiracies, sleeper cells and even have systems to identify trustworthy employees who are becoming susceptible to compromise or blackmail because of gambling debts, extra-marital relationships, and other aspects of their personal lives.

While these measures have enormous value, they tend to be slow-moving. Ransomware and other attacks have gone from initial compromise to fully-encrypted and extorting payment in only 45 minutes – faster than any government can respond. Another example – I was talking a couple of years ago to an expert who was called in to carry out a post-mortem on a hacktivist attack that took down a number of water treatment systems. His conclusion: the attacks succeeded because the water utilities failed to implement the defenses the government had ordered them to implement. The lesson? Some kinds of attacks can be defeated only by the targets of those attacks – this is why there are government cybersecurity regulations for the most consequential of critical infrastructures.

Role of Government

Governments play an important role in OT security: they educate, they share threat information, they vet our employees and other trusted insiders, and from time to time they legislate cybersecurity defenses that the most consequential industrial enterprises must implement. Why? Because there are some kinds of attacks that only the industrial targets can mount credible defenses against.

To read more about defenses against ransomware, hacktivists and even nation-states, click here to request your free copy of my new book: Engineering-Grade OT Security: A manager’s guide.