S4x23 Review Part 1: What's New in OT Security
This blog introduces discussions from S4x23, the ICS security conference in Miami over several posts. The first installment will cover two topics from the academic interviews.
On February 14, 2023, the ICS Security Event S4 was held in Miami, Florida, USA. More than 1,000 ICS security experts gathered and discussed the future of OT security as one community.
In his opening remarks, Dale Peterson, the catalyst of the S4 event, said that OT is a unique world unlike any other "T," and that we need more practice. To that end, he introduced "Explore" as this year's theme and called on participants on the leading edge to find new ideas for the next three to five years.
In this blog, I will introduce discussions from S4 over several posts. The first installment will cover two topics from the academic interviews.
Interview with Michael Fischerkeller - Author of Cyber Persistence Theory
Fischerkeller is a senior researcher at the Institute for Defense Analyses and has been involved in shaping US government security policy for over 25 years. Based on this experience, he published "Cyber Persistence Theory" with two co-authors, aiming to bridge the gap between cyber security theory and policy. Dale interviewed him based on this work.
Upon reading his book, "Cyber Persistence Theory," and attending the talk, I found that:
- Cyberspace is a completely different third strategic environment from traditional strategic environments.
- Adversaries are constantly in contact with each other due to interconnectivity.
- Countries exploit their adversaries' vulnerabilities for their own benefit.
- The cumulative effect can exceed the benefits of traditional warfare.
As key terms for explaining the characteristics of cyberspace, Fischerkeller pointed to the difference between "exploitation" and "coercion".
Coercion and exploitation are two different concepts in the context of national security. Coercion is a strategy that involves the use of threats or force to compel another state to change its behavior or comply with certain demands. For example, a state might threaten military action or economic sanctions in order to coerce another state into stopping its nuclear program or withdrawing from a disputed territory. Coercion is often used as a means of deterrence, to prevent an adversary from taking a certain action.
Exploitation, on the other hand, involves taking advantage of vulnerabilities or weaknesses in another state's national security or economy. This can involve activities such as cyber-espionage, theft of intellectual property, or infiltration of key government or military organizations. The goal of exploitation is often to gain strategic or economic advantages over another state.
While coercion and exploitation can both be used to achieve national security objectives, they are different in their approach and methods. Coercion relies on the use of threats or force, while exploitation relies on taking advantage of vulnerabilities.
He also stated that promoting the logic of "exploitation" is an initiative and that asset owners gathered at the venue should prioritize driving their own business to increase national power.
Interview with Eugene H. Spafford, Professor at Purdue University
This interview with Spafford, a legend in the security community, pointed out misconceptions in cybersecurity and inspired the audience based on his over 40 years of experience.
Spafford claims that the top priority of cybersecurity should not be security itself. Cybersecurity should protect users and their activities from attackers and losses, in order to support users in achieving their original goals.
Security professionals tend to focus on maximizing security capabilities, but they should aim for appropriate security after understanding users and their context well.
He also said that the belief that defense always falls behind offense is a major misconception. It is not always true that offense is easier than defense. For example, the cost of attacking critical infrastructure may not be lower than the cost of defending it. The defense side seems to spend too many resources learning attack methods. The cost of defense depends on the value of what needs to be protected, and it is a challenge that can be considered before thinking about how and by whom attacks will come.
In addition, he said that a common problem is the pile-up of security tools. This is due to the misconception that the more tools there are, the more secure it will be. Too many tools increase complexity, cause fatigue, burnout, and errors in the security team, and can actually increase risk. New tools are meant to help security teams, not to cause overwork.
Recently, Spafford compiled over 175 cybersecurity misconceptions into one book. Each chapter is accompanied by humorous hand-drawn illustrations, making it an ideal introductory book on cybersecurity.
In the next article, I will focus on cybersecurity in the energy industry, which was one of the topics highlighted at S4x23.