Introduction: Supporting Operational Realities and Security Risks of the OT Space

Hi, I am Nate Kube and I am really pleased to be starting a dialogue with SecurityWeek’s readers.

As a founder and CTO of Wurldtech Security Technologies, I have had the opportunity to watch significant changes take place in industrial cyber security since starting the company in 2006.

I started out working on a project on communications robustness testing and was able to engage with some forward thinking energy producers on understanding security risks in an operational context. At that time, we lacked a common language to talk about security in the energy industry.

Since then, the collaboration that has taken place between energy operators and controls suppliers has enabled us to progress towards actionable product security standards and more transparent methods to assess security posture.

On the eve of the ratification of IEC 62443, we have moved towards an international standard in industrial security that will support more efficient investment in demonstrable reduction in security risk by both operators and suppliers.

While a great deal has been accomplished over the past eight years, as a sector we have a lot of work still ahead of us.

In this column, I look forward to starting a broader conversation about the challenges and possibilities in the operational technology space.

One challenge to securing critical infrastructure frequently discussed is the “IT – OT Divide”. While I have not heard many operators refer to their controls systems as OT or Operational Technology, I have heard their concerns about security practices and policies that fit in the IT world being shoehorned into their industrial environments without proper regard for the differences between the two.

I have a colleague who jokes about comparing the form factor and user experience of the average industrial control system to a smartphone; she says it’s “like seeing a person walking down the street, rocking a 1990s mullet.” It’s not far from the truth.

Industrial control systems have not changed a lot over the past twenty years. One reason is that industrial control systems tend to be complex, relying on proprietary protocols and equipment from different vendors, which makes their integration difficult. The other reason is the incredibly long life of a control system compared to IT equipment; it’s not unusual for an industrial control system to operate for 15 years or more.

When supporting energy operators in field security assessments earlier in my career, I observed that speaking about security risk in the context of operational impacts was the most effective way to explain security posture.

Operators are reticent to make any change that can impact the integrity or availability of the process. In power generation and energy production, most operators will not make changes to industrial controls while in operation, regardless of redundancy or qualification testing. These operators face asymmetric risks when making changes; the potential benefit of applying a patch is dwarfed by the tremendous financial and operational costs of even one hour of interrupted operation. The difficulty of maintaining software and configuration inventories across an operation, much less an enterprise, also discourages making changes after commissioning.

Given these concerns, it is easy to understand the real obstacles that operators face when trying to apply IT practices to operating networked control infrastructures. The pragmatist in each of us has to ask whether we have tried to push the wrong paradigm into OT security.

The diligence shown within critical infrastructure over the past decade is commendable. To this end, I would like the OT security community to move away from asking what we can do to gain greater adoption of a greenfield IT security model and instead ask how we can achieve demonstrable gains in OT security posture more efficiently.

What security controls can we design for the OT space that address the lifecycle and operational environment of industrial controls?

Let’s spend the next eight years creating a security paradigm that supports the operational realities and security risks of the OT space. In future columns I’ll take a deeper look at some possibilities on how we can get there.
