S4x24 kicks off, as Dale Peterson provides a new perspective on industrial cybersecurity

The premier event in the industrial cybersecurity sector, S4x24, commenced on Monday at the Loews Miami South Beach in Florida, drawing a large crowd of industry experts, vendors, and enthusiasts. Dale Peterson, the founder of S4xEvent and CEO/catalyst at Digital Bond, inaugurated S4x24 on the Main Stage with an engaging introduction to this year’s theme, ‘Believe’.

“The attacker just has to succeed one time, while the defender has to stop all attacks. Who can really believe they’ll be perfect,” Peterson said in his speech. “I see many OT security professionals. Some of you in this audience give conference presentations, webinars, white papers on a growing number of ominous-sounding adversaries and attacks.” 

He added that “perfect shouldn’t be our measure. There are too many people making mistakes, too many latent vulnerabilities in our products, too many players in our supply chain. I can’t believe that I can stop every attack against a computer switch PLC sensor actuator from ever succeeding. We need different metrics.”

He also highlighted that “we need metrics and stories that highlight success and feed the belief that we can succeed. Not a false success. But when we succeed, and we often do, we shouldn’t just brush it aside until we wait till the next time we can hype up failure.”

Pointing to the increasing requirements for reporting cybersecurity incidents to governments and industries, Peterson said “We could have a similar rate where we said total reportable OTCI rate incidents, the ones we have to report multiplied by the number divided by some unit of production. The US Security and Exchange Commission, the SEC, the US department that regulates public companies.” 

In December, the SEC issued a requirement that public companies report cyber incidents that would have a material impact on the company, an impact that could affect the stock price. 

Peterson added “that we’re three months into this reporting requirement right now, and there haven’t been any reported incidents that have affected OT and operations. It seems that many of us public companies are succeeding with OT cyber risk. The things we highlight, even I might say celebrate these OT cyber incidents.”

He said “One way that you can start to believe that you can succeed at OT cyber risk management is to look at outages due to cyber incidents as a percentage of all cause outages. Create the pie chart. How big is that cyber incident slice in the water sector? In the US, it would just be prompts. The same is true in the US electric sector where we have even better data.” 

“The US Energy Information Agency puts out a metric called safety. It’s system average disruption duration interruption index,” Peterson added. “Simply say that it is the amount of time the average customer is without power for a year. We don’t have the 2023 data out yet, but in 2022, the average customer in the US was without power for 333 minutes. 200 of those minutes were due to major weather events. Zero or near zero of those incidents were due to cyber incidents.” 

Peterson noted that a similar outage pie chart for manufacturing would not look so good. “Ransomware has caused a number of incidents in manufacturing in 2023. A Clorox manufacturing outage pie chart might look like this. This is not a real pie chart, but Clorox lost 26% of their manufacturing capacity in the third quarter of last year due to a cyberattack, and they were one of many companies that faced that. Another sector that didn’t do so well in 2023 was hospitals. Cyber incident outages would be at least a small slice of the hospital service time outage pie,” he added.

In the OT security community, Peterson said “We’ve been fighting realities and beliefs. The reality, in many cases, has never happened before. Many organizations and many companies have never suffered a major outage or other impact to OT operations due to a cyber incident. And for years, over a decade, there’s been a belief that this immunity to the OT security drug would continue.”

With this belief, it’s very understandable that many OT security professionals traffic, and if you’re a product or service vendor trying to sell to a potential customer, they need to believe there’s a threat. “And if you work for an asset owner and you’re trying to create an OT security budget or grow it, media hyping up the latest OT cyber incident helps. And you can say, here’s why we need this product. Here’s why we need to hire these people. We’re passive.” 

“We are at a point where the perceived OT cyber risk actually exceeds the data-determined real risk. Like a poorly tuned control loop. We’ve overshot our desired set point. It’s time to dampen the funnel and use that real data to define, measure, and address OT cyber risks,” Peterson said. “Can we be mature and professional enough, pull back from the FUD and recognize when we’re succeeding, and live with the fact that sometimes we will fail, and that’s okay. Now, there are some unacceptable consequences, and that’s where your unhackable safety and protection systems come in.”

Addressing the external factors that are expected to influence or disrupt business strategy next year, Peterson said that 25 percent cited cyberattack or cyber risk. “Now, this is higher than weather, environment, supply chain, and a lot of other things. And up over 8% over 2022. We are at a point where the perceived OT cyber risk actually exceeds the data-determined real risk. Like a poorly tuned control loop. We’ve overshot our desired set point. It’s time to dampen the funnel and use that real data to define, measure, and address OT cyber risks.”

Speaking at an S4x24 session, Kence Anderson, CEO at Composabl, said that AI is coming, and in some ICS, it is already here. Anderson covered what autonomous AI is and isn’t, how it is improving ICS operations and businesses today, the changes it introduces to the systems that need to be defended, and how autonomous AI will require cybersecurity and risk management programs.

“Autonomous AI is artificial intelligence, or machine intelligence that can control and optimize equipment in real-time, that can make real-time decisions with more human-like decision making. That’s the kicker,” Anderson said. “With more human-like decision making, every time I go to one of your companies, or an industrial company or OT company, and I look at a process and folks call me in and say, I need you to design an AI for this system. It’s always about more human-like decision-making.”

And, he added, “that is actually the key to some of the areas and focus areas that you’re going to need to think about as you secure this environment.”