
Operational Technology (OT): How It Became An Unexpected Masterclass In Changing Security Culture From Within.

It felt as though absolutely nothing made sense.

....yeah, brace yourself, this is going to be a long one.

When I first arrived on the scene at my shiny, new job in critical infrastructure - I did not, in fact, know it was commonly identified as “critical infrastructure.”

As a self-proclaimed Cybersecurity Professional, I approached this new position with a default modus operandi:

1. Do they do all the things?
2. What things did they miss?
3. How can I create immediate value in all things?
4. What things do they need from me the most?

It’s been years since that day but looking back always amuses me.

It would be #4, as I would soon discover, that would be my launching point.

My manager brought me in for a quick huddle and, after drumming up a quick drawing of the entire network, he said, “I need you to find the gaps in our security and help out with some of our projects. Review and provide feedback.”

That’s not verbatim but you get the idea. Quotes added for effect.

It was a massive undertaking but I had months to get it covered.

The ultimate task was to find the gaps and make sure we buttoned them up to meet a standard set of security policies provided at the highest levels in our organization - which are really just re-worded NIST SP 800-53 controls, but don’t get me started down that rabbit hole.

The problem, I quickly discovered, was that the devices in my network didn’t really meet MANY of the requirements.

I kept banging my head against a wall.

Access management in this roadside sensor controller? NO. Encrypt user data in a red-light controller? No.

And so on.

Then, one day on the way to the office, I started a “Cyber Work Podcast” episode interviewing a Dragos employee.

Much of what was said started to feel extremely close to my situation.

I finished the episode and dug into Dragos’ website. I was in consumer mode.

By the time the work day was done, I had a few new buzzwords hanging off my lips.

“Operational Technology”
“Dragos”
“ICS”
“Critical Infrastructure”

I spent the next couple of weeks studying, well DEVOURING, every piece of information I could find.

My passion was fueled by my absolute determination to “right the ship” of my organization’s approach to cybersecurity.

I started explaining, in every meeting, to my manager why we NEEDED to adopt OT standards.

Not because they are BETTER or so wildly DIFFERENT but rather because they are simply more applicable.

Our systems did not manage information; rather, they processed data from roadside systems like weather, GPS, and sensors, and used that data to control the PHYSICAL movement of surface transportation via controls like signage or lights.

This made sense. THIS is how I would be able to relate to my peers.

“We focus more on integrity and availability than we do on confidentiality.”

A hallmark of OT.

After convincing myself that I was, without a doubt, prepared to make my next declaration... I made a move.

I walked into my manager’s office and boldly stated, “We do not need to adhere to the organization’s policies because, as written, they apply to IT systems and NOT OT.”

I continued… “We can make our own rules. Better rules. Logical rules.”

I wasn’t wrong, but my manager pulled me aside a few days later and said, “nah, legal disagrees.”

Forgive my language, and turn away if you don’t want to think less of me - but this is the kinda shit that really fucking pisses me off in Cybersecurity.

When organizations are structured so that Cyber is at THE BOTTOM, then you have no leverage. It wasn’t the fault of anyone I worked with, not really; government agencies just structure themselves differently.

It’s like NIST SP 800-82 didn’t exist. It was all just a fever dream.

Right? That must be it.

That was a gut punch.

But I did learn something

I could be “right” all I wanted but I was up against a culture. The only way to win was by way of changing the culture from within.

So, that’s what I decided and here is what I did:

1. I ONLY spoke in terms of OT security.
2. I ONLY considered future products or vendors specializing in OT.
3. I ONLY trained, discussed, and briefed on our posture in OT terms.

I became an enthusiast - plain and simple.

Now, I want to take a quick break here and explain the following: I have been using the short hyphen or en-dash in my writing for decades.

I use it incorrectly - that’s ok with me.

I write all of my own work because AI doesn’t have any stylistic flair. That being said I am keenly aware that AI often abuses the long-hyphen or “em dash”.

Me = '-'
AI = '—'

Now that I have covered that - back to my writing.

I decided to address the problem by shifting the culture, using repeated language like an occupying government spreading propaganda.

I wouldn’t be stopped.

This would reach its absolute, confirming apex when I met with my entire leadership and the FBI.

They just wanted to offer their services, but I dropped “OT” bombs like they were going out of style.

See, services are slightly different between OT and IT.

I’ve mentioned before which parts of the CIA triad are more important in OT but you have to retrain your mind to work differently.

For example, you have to manage your expectations with OT equipment providers.

It’s unlikely they will have the most advanced IAM systems tied into their tiny controller.

You often revisit terms like “compensating controls” and “black box” testing during risk assessments.

It’s just a different world and I am making my way through it.

And that was my introduction, my personal battlefield, my baptism by fire, etc., to Operational Technology.

I’ve only come to discover in recent times that OT has its very own specialized security workforce.

I honestly think it has been a well-kept secret. A niche for some professionals which they guard for dear life.

I really don’t blame them.

Cybersecurity is a mess, but OT is a fairly straightforward sector that must be protected at all costs - kept quiet and away from the mainstream powerhouse terms like “DEVSECOPS” and so forth. Why? Well, part of it is security through obscurity and another is simply job security.

That being said, whether or not I choose to dig deep and become an OT purist is yet to be determined.

For now, I shall just continue my work bringing SP 800-82 to the masses.

Later.

print("Shawn L. Donahue")
This post is licensed under CC BY 4.0 by the author.