Cyber security business is all about risk . The real value of this business is to reduce risk. Thats its philosophy in a nutshell. That is the goal of the many products we see in the market today, even if they claim that their products make your organization secure which is not true. . There is no way to eliminate the entire risk, it’s just not possible. If you understand this philosophy , then you will know that cyber security is a process not a product. This philosophy applies to OT security accurately.
During my Phd research, I developed a framework to measure the risk of OT devices. I got this idea on 2012 when I was browsing Shodan and looking at the ICS category. I was astonished to see many online ICS devices where many of them had open ports, weak configurations, exposed administrative web interfaces and other vulnerabilities. This sparked my imagination and wondered “How risky are these devices?” . This inspired me to to think of an approach to measure their risk and to question whether CVSS works or not for online OT devices. My goal was to help organizations diagnose their OT infrastructure and thus be able to prioritize risk , defenses and mitigations. In future articles, I will go more in depth about my risk framework. Stay tuned !