Monthly Archives: May 2022

Architecting the Next Generation for OT Security

Ponemon Institute is pleased to have conducted the research behind the recent report Architecting the Next Generation for OT Security, sponsored by Applied Risk. I’ve included the executive summary of the report in this month’s column. The full report can be downloaded from the Applied Risk website.

“This is a time of change and challenges,” the Applied Risk report begins. “It’s an era that is both transformative and disruptive, shaped by digital technologies that are improving billions of lives around the world, even as they make us vulnerable in ways we never anticipated.

This digitalization has been a fact of life for quite some time, but it is also becoming a factor in the operation of critical infrastructure and other industrial environments at an accelerating speed. At the same time, the Operational Technology (OT) systems that monitor and control industrial equipment, assets, processes and events in critical infrastructure are facing more and more threats from increasingly sophisticated malicious actors, including nation-states.

“In this dynamic environment, it is important to understand the thoughts and concerns that drive organizations to take action to keep their OT domains safe, secure and resilient. Applied Risk has undertaken the research needed to gain that understanding and to take a forward-looking approach to crucial questions about how to architect the next generation of OT Security solutions.

“The report, entitled “Architecting the Next Generation for OT Security,” is based on data collected by the Ponemon Institute from more than 1,000 IT and OT Security practitioners in the United States and Europe. The research was then complemented by input from the knowledge and experience that Applied Risk’s team has accumulated over the years, as well as analysis from the company’s own subject matter experts (SMEs).

“In this document, we present the results of that research. We use these data to assess current trends in the OT Security space, paying special attention to people-, process-, and technology-related issues, and offer recommendations on responses to these trends. Additionally, we describe current conditions in the OT Security realm and offer insight into the OT Security trends that are likely to emerge over the next two to four years.

“Respondents to the survey were asked to answer questions about how to architect the next generation of OT Security solutions. All respondents have responsibility for securing or overseeing cyber risks in the OT environment and understand how these risks impact the state of cyber security within their organizations. The research was then complemented by input from Applied Risk’s own engagements and assessments as well as analysis from our subject matter experts.

“Maximizing safety and minimizing unplanned outages are the top operational priorities for the organizations represented in this research. Reducing inefficiencies and minimizing operating costs are also high priorities, as is the ability to maintain plant connectivity. Respondents see the convergence of IT and OT systems as one of the primary drivers toward meeting these organizational targets. At the same time, though, they note that attackers are focusing more and more on industrial environments and are quickly developing OT skills – and that this shift has resulted in more sophisticated and clandestine attacks.

“The results of the survey indicate that companies are struggling to develop their OT Security maturity at a pace comparable to the speed with which attackers are developing their own skill sets. Meanwhile, the OT landscape is becoming more complex due to IT/OT convergence and to the introduction of Industrial Internet of Things (IIoT) devices, virtualization, and cloud computing in these environments. The overall sense of the respondents is that they need to do more to ensure that the business benefits of these new technological developments can be realized in a secure manner.

“More than half of the respondents believe that their cyber readiness is not at the right level yet and that they are not able to adequately minimize the risk of cyber exploits and breaches in the OT environment. As such, it is clear that there is still work to be done in general and across the board. The respondents are aware that they need to upskill their staff and that of their service providers and that they need better procedures. But above all, they understand that they will need enabling technologies to accelerate OT Security maturity. In summary, a combination of people-, process-, and technology-centric controls will remain key.”

Click here to obtain the full report.

‘Don’t Break my Prime?’

Bob Sullivanbg

“Amazon Prime is *incredibly* popular with Americans. How popular? There are more than 150 million members in the U.S, with many (most?) there to enjoy “free”* two-day shipping. That’s roughly equal to the number of Americans who VOTED in 2020. And Amazon is betting all 150 million will do almost anything to keep that “free” shipping — including abandoning any pretense that they prefer to live in a free country that supports capitalism and free-market principles.

“Don’t Break Our Prime” is a deeply cynical ad campaign that’s being thrust onto your TVs and Internet space as pro-competition legislation makes its way through Congress. Amazon’s monopoly power has deeply hurt American small businesses for years — and made Jeff Bezos so much money that his hobby is going to space —  but lately, the tech giant’s tactics at crushing competitors have kicked up a notch.

Amazon’s customer base is so large that many small companies *have* to sell products on their platform. That’s weird, because it makes Amazon both a fulfillment service *and* a retailer.  There have long been accusations that Amazon’s data nerds study all these competitors on their platform, rip off their products, and then advantage Amazon brands when consumers search for items. More than accusations, actually. Congress recently made a criminal referral about this practice to the Department of Justice.

The kind, gentle term for this — minus the sneaky data harvesting — is “self-preferencing.” And yes, some supermarkets put their own brand of toilet paper on the best shelf, right there next to the Charmin.  If there were a few dozen Amazon-like services out there, self-preferencing there wouldn’t be so bad. But since Amazon has 150 MILLION U.S. MEMBERS on Prime, it’s deeply anti-competitive. Kind of like owning most of the gas refineries, and most of the gas trucks, and most of the gas stations….

So the U.S. Senate is considering legislation that would ban this practice of advantaging its own products over competitors.  Both Democrats and Republicans support the idea.

Amazon has now come out swinging.  As is tradition with such campaigns, it is not attacking the premise of the bill. It’s hitting consumers in an emotional spot, with the message that — given all these concerns about inflation, and supply chains, and the pandemic — now would be a terrible time to lose Amazon Prime’s free shipping! Don’t Break Our Prime!

What are the particulars of this argument? Please read up on it. Here’s a position piece from Project Disco (?) which attempts to explain why Amazon NEEDS its anti-competitive behavior in order to provide two-day shipping.  And here’s a Wired piece that does a good job of debunking that press release. 

It should be clear that this isn’t about two-day shipping.  Rather, Amazon is hoping the popularity of Prime gives it enough clout to beat back, or at least delay, reasonable efforts at reform.

This is just the tip of the spear, however.  Tech industry lobbyists are using this “Don’t Break Our Tech” model to defend the status quo in the face of various reform efforts. Google serves up the most self-serving links, rather than the best links, it has engaged in ad bid-rigging, its business has been called the biggest data breach of all time, but if Congress messes with that, maps won’t work!  Your privacy will be violated. Also, China will become more powerful!

These are emotionally compelling arguments; they just might work.  But as you begin to see all these “Don’t Break Our …” messages, please keep something in mind.  Silicon Valley invented the phrase “move fast and break things.” So it’s deeply ironic that Big Tech firms are suddenly afraid of trying new things that might break something.

The techlash is real.  Human beings are realizing that for all the great gifts tech has given us, there are serious costs. The pendulum has swung too far. Big Tech companies aren’t the only source of trouble, but they are a good place to start. Tech companies are so large they don’t really have to answer to anyone right now.  Facebook paid a $5 billion fine for ignoring a consent decree with the Federal Trade Commission and…didn’t really change anything. It’s time to draw some boundaries around the monoliths.  As Harvard’s Francella Ochillo said to me in my recent docu-podcast, Defending Democracy from Big Tech, while we keep arguing about the details, these firms are making billions of dollars.  We want techland to be free for competition. To do that, we’re going to have to break (up) a few things.  So what? We’re on iPhone 13. The beta version of tech reform might not be perfect. That’s shouldn’t stop us. The cost of inaction is far too high. I’m here for v2.0, and 3.0 and … 13 pro! You should be, too.

*Free shipping isn’t free, of course.  Prime costs money!  The cost is built into the products you buy.  As with Uber, the price is being (temporarily) subsidized by investment money, which is another way of saying it’s a Ponzi scheme. Also, Amazon drivers live awful lives because of Prime.  There’s all that cardboard. “Free” is never free.