5 Critical Controls for ICS and OT Cybersecurity Strategy
Dragos CEO Robert Lee on Why Vulnerability Patching Is Important in IT But Not OT
IT and OT security are far more different than most in the industry realize. IT focuses on digital systems and data, and OT concerns itself more with physical systems and their interconnectivity, said Dragos Co-Founder and CEO and SANS Senior Instructor Robert Lee.
The stark differences between IT and OT security are laid bare when it comes to vulnerability patching, which Lee said is a crucial aspect of IT security but far less important in OT. In fact, Lee said just 2% of vulnerabilities in OT actually pose a significant threat. As a result, he said, security controls in OT must be adapted to the specific context of each system and its potential risks (see: Dragos CEO on Opening Execs' Eyes to OT Security Threats).
"There are a lot of security controls out there that people can apply [in OT], and it's hard to determine which ones are good," Lee said. "It's not an ethics discussion." He said to start by asking, "What are the risks?" - in line with the requirements - in order to know that the controls are relevant against those risks. "Start with the scenarios and then reverse-engineer out," he said.
In this video interview with Information Security Media Group at RSA Conference 2023, Lee also discusses:
- The differences between securing industrial control systems in OT and IT settings;
- The challenges related to gaining visibility into industrial control environments;
- How organizations can determine which of their assets are the most critical.
Lee is considered a pioneer in the industrial control systems threat intelligence and incident response community. He currently serves on the U.S. Department of Energy's Electricity Advisory Committee and is part of the World Economic Forum’s subcommittees on cyber resilience for the oil and gas and electricity communities.