www.waterfall-security.com

Secure Operations Technology

Andrew Ginter, VP Industrial Security
Waterfall Security Solutions

A new book, currently free of charge to qualified practitioners, courtesy of Waterfall Security Solutions.

IT Security (IT-SEC) protects information. Secure Operations Technology (SEC-OT) protects physical operations from information, more specifically from attacks that may be embedded in information. All cyber attacks are information after all, and all information may encode an attack. SEC-OT is a perspective, a methodology and a set of best practices documented in my new book by the same name.

The book documents what secure industrial sites actually do. What they do differs sharply from what most sites do:

1) SEC-OT sites define a control-critical network as a set of ICS networks, firewalls and other assets.

2) The sites produce a comprehensive inventory of offline and online information flows into the control-critical network set. A complete list of information flows is also a complete list of attack vectors.

3) Secure sites then protect control-critical networks physically from incoming attack/information flows. Physical protections include physically separate switches and hypervisor hosts for control-critical vs non-critical cyber assets, heavily instrumented safety / reliability / security test beds, physically blocking removable media ports, cyber near-miss programs and unidirectional gateway technology.

SEC-OT practitioners prefer physical protection to software-only protection because new industrial attacks and software vulnerabilities are announced almost daily. A software-only posture can feel like playing Whac-A-Mole® - updating one piece of vulnerable software after another in a mad rush, sometimes on dozens of machines at a time, all in hopes of closing the latest attack paths before anyone takes advantage of them.
Worse, constant change to industrial software has its own risks - every change is itself a threat to correct and continuous operations. Physically protecting control-critical networks is a better fit for the deliberate, engineering-change-control programs used to manage industrial networks than the IT-SEC approach of “constant aggressive change” to stay ahead of the latest threats.

To be fair though, all SEC-OT sites also deploy comprehensive, software-based, IT-SEC security programs as secondary compensating measures. Secure sites universally deploy IT-SEC measures but have no illusions as to the strength of such measures.

Some readers of the new book have called SEC-OT "controversial." Most of what the book does, though, is document what secure sites do. This is not controversial; it is basic journalism. What should be controversial is that these advanced security practices receive so little coverage in the most popular ICS security training programs.

Given the constantly increasing threat environment, it seems inevitable that all industrial sites will eventually adopt at least some SEC-OT practices. To help accelerate this evolution towards secure systems, my new book is available for free, for a limited time, to qualified practitioners, courtesy of Waterfall Security Solutions. To request your free copy, please visit https://waterfall-security.com/sec-ot

Industrial security practitioners are encouraged to take advantage of this offer to become familiar with the advanced practices used by thoroughly secured industrial sites.

Copyright © 2019 by Waterfall Security Solutions Ltd. All Rights Reserved.