In my sphere, it seems like threats to Industrial infrastructure is ignored, swept under the rug. Yet, industrial threats have been a concern for at least 25 years. Remember Y2K? While it didn’t really pan out to the disaster that some thought, but we were concerned! I lived through it and you may have also!
In 1999, many of us in IT were completely ignorant of Industrial Control Systems, yet ICS was there. In 1999, one of the hats I wore was manufacturing support — I didn’t know it at the time. But that was what I was doing. It probably didn’t help that leadership made no distinction. Now, for some time, I was in a different business sector.
2014: I re-entered manufacturing support. STUXNET was a thought. At the time, I didn’t understand it that well but I was aware. (Notably, neither did too many other people)
In 2018, I started to see the risks in OT when I was studying for GSEC. In 2023, I took my first SANS Institute OT Security class and obtained GICSP certification. In 2024, I took another OT CyberSecurity class and obtained by GRID certification.
I’d like to see more industrial organizations planning their OT/ICS security at project design and roll-out. In most cases, it’s just too hard to “fix” it after it is installed and running.
For IT Security, there is often more flexibility of the how‘s and when‘s. IT’s lifecycle is often far shorter than OT — in IT, a system may only live for 3-7 years (there are exceptions) yet in OT, that lifecycle might be 10 or 15 or even 40 years! You might see where I am going: be prepared. Think ahead. I’m here to help.