Events , Governance & Risk Management , Operational Technology (OT)

5 Critical Controls for ICS and OT Cybersecurity Strategy

Dragos CEO Robert Lee on Why Vulnerability Patching Is Important in IT But Not OT
Robert Lee, SANS senior instructor, co-founder and CEO, Dragos

IT and OT security are far more different than most in the industry realize. IT focuses on digital systems and data, and OT concerns itself more with physical systems and their interconnectivity, said Dragos Co-Founder and CEO and SANS Senior Instructor Robert Lee.

See Also: OT-CERT: Enabling SMBs to Address Cybersecurity Risks

The stark differences between IT and OT security are laid bare when it comes to vulnerability patching, which Lee said is a crucial aspect of IT security but far less important in OT. In fact, Lee said just 2% of vulnerabilities in OT actually pose a significant threat. As a result, he said, security controls in OT must be adapted to the specific context of each system and its potential risks (see: Dragos CEO on Opening Execs' Eyes to OT Security Threats).

"There are a lot of security controls out there that people can apply [in OT], and it's hard to determine which ones are good," Lee said. "It's not an ethics discussion." He said to start by asking, "What are the risks?" - in line with the requirements - in order to know that the controls are relevant against those risks. "Start with the scenarios and then reverse-engineer out," he said.

In this video interview with Information Security Media Group at RSA Conference 2023, Lee also discusses:

  • The differences between securing industrial control systems in OT and IT settings;
  • The challenges related to gaining visibility into industrial control environments;
  • How organizations can determine which of their assets are the most critical.

Lee is considered a pioneer in the industrial control systems threat intelligence and incident response community. He currently serves on the U.S. Department of Energy's Electricity Advisory Committee and is part of the World Economic Forum’s subcommittees on cyber resilience for the oil and gas and electricity communities.


About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.