The ICS Security Stories We Tell And Love

We, the ICS community, have some mantras:

  • It will take decades to fix the ICS security problem
  • Operations Technology (OT) is different than Information Technology (IT)
  • You can’t do X, Y or Z in ICS because … which is followed by a variety of reasons such as the system can’t go down, we can’t introduce any change, it might cause a catastrophe, the vendor won’t support it, your reason here, …
  • Management will not pay to secure the ICS

Those mantras lead to a very depressing story, and it is natural to wonder why anyone would want to be in the ICS security community and play a role in that story. Life is short, and why waste it on this doomed endeavor?

The truth is people get something out of the stories they tell themselves. I was reminded of this listening to a series of Brian Koppelman interviews with Seth Godin on The Moment podcast. Seth describes the comfort an unsuccessful screenwriter gets from the story of being a struggling artist working against a system that doesn’t appreciate his commitment to art and the need for purity in his craft.

“the comfort is fabulous because the story you get to carry around with you is bulletproof. It’s insulation. It’s the outside world doesn’t understand me. The outside world is against me. …   As long as you carry that around you are safe. It has completely transferred all the responsibility to someone who is not you.”

Now think back to the story we tell ourselves in the ICS security community if we buy into those mantras:

If ICS do not get more secure it is not our fault. It’s a problem that cannot be addressed for decades, and even if we came up with solutions the company or industry won’t spend the money to fix it. Success is not possible, so failure cannot be our fault.

We are special. The knowledge and experience required to play a role in ICS security precludes anyone outside our small clique from participating. And when they try to participate they can be quickly cast aside as they are told all the reasons why their ideas will not work and their participation will actually harm the cause.

That’s a nice story, we are special and can do no wrong. Add to that all the attention the ICS security space is getting in the media and security events, and we can be even more special.

I contend these mantras, stories, and walls around ICS change are crumbling. It is still hard to see now if you look at the broad ICS community, but as I said in my optimistic S4x17 mini-keynote (see below) we are seeing the small start and non-linear growth in truly addressing the ICS security problem. Like most change it will seem impossible until all of sudden it has changed. The business drivers for changes to ICS combined with a better understanding of the long unknowingly accepted risk will break down the walls and force change.

Loyal readers may have already discarded these mantras and story, but it is so omnipresent that it is easy to fall back into this trend. I caught myself this week actually saying in a call that we are finally solving the Level 1 problem, but it will take a decade+ to solve Level 0.

If you are in the ICS security arena and believe and live those mantras, then it is time to look for another line of work. If you are wrong you will be passed by; if you are right you are wasting your talents and life on a doomed cause.

The seed for this article came from another article I’m writing about what S4 is all about, who it is for and who shouldn’t come. As you might guess, S4 is not for people that believe in the old, doomed story.