This is not a new topic, I know. But ! Let me tell you my opinion based on my 8 years experience in ICS security. Yesterday I was talking to a friend of mine who works in a reputable oil company in Kuwait. He told me that someone in their team suggested that they should invest on a cybersecurity product that costs a million , I’m not sure which currency ! But whatever the currency is, it shows that there is a big issue in the mentality of security people. Especially with those who works in rich companies. Let’s break this issue into parts:
1- Placebo effect
As a human nature including security people, humans tend to be attracted to follow the masses. Trendy technologies offered by fancy tech companies with excellent sales strategies tend to fool many decision makers. Their goal is is to close the sale, not to secure your assets . Your role (decision makers) is security, not theirs. Don’t imagine that if you have a firewall installed in your network that you are secured. Far from it. Im not against security vendors. But decision makers have to do their homework before listening to sales people. This brings me to the next point.
2- Not understanding security
There is no such thing as the all-in-one security product. Meaning A security product is just a tool that is designed to work for certain things/tasks. A security solution is not a superman. Its capabilities is limited. People who falls for this trap tend not to understand the ABC of security very well. They don’t know that security is a process not a product. Failing to go through the process leads to unpleasant consequences including possible risks and the wrong choice for tools. The security process can be understood in the following point.
3- Failure to plan
Assessment comes first. Before you buy a security product, you must make an inventory list of your assets. You can’t secure what you don’t know. Make a list now. Identify your assets and network . Prioritize it. Figure out with your team what are the requirements to secure your network and your assets. Make a plan based on your company vision. Constantly update your list and your plan. Keep in touch with reality and the cyber world.
4- Business issues
This point is a managerial skill that sums up this topic introduction. Before you invest, ask yourself why you are investing? To help you answer this question , go through my 3 points above now. If you understood the three points and made an effort to apply them, then I can tell you one more advice: Invest only if a product gives a value and a return on investment. If a cyber attack can cost you 1 million, then try to apply security controls that can minimize this cost. The controls can be simple techniques found in books and best-practices guides. Invest in knowledge , train your staff. Apply it.That can reduce the risk cost. The next thing after knowledge is a product or a service. Seek them carefully. Seek them only if you have done homework number 2 & 3 above. Make sure they have a value and an impact . Not a placebo effect.
5- Not learning from reality and history
Be smart, learn from others or learn the hard way. A simple google on hacking incidents is enough to teach you the above lessons. The message is simple and clear: if you are out of touch with reality and whats going on, you are doomed to repeat the same mistake. Many attackers are seeking to repeat the same attacks on different targets, you could be a target. Believe me many attacks are reproducible. Keep in touch with threat reports and news . Im sure you will find something that is similar and applicable to your environment.
Despite all what I mentioned above, ICS security is still growing and is not mature yet. The ICS security community is not as big as the IT security community, not even close. However, ICS knowledge is constantly evolving and improving, thanks to the vast contribution of the community. We are all still learning. Asset owners and vendors are more informed and educated than before. They are nowadays more aware of existed ICS security challenges . This is a key factor to understand and reflect on before rushing to build solutions and fixes. You cannot fix what you don’t understand , and the golden rule to remember is: ICS is not IT.