Five ICS Cybersecurity Myths that Might be Holding You Back

Created: Thursday, February 6, 2020 - 13:53
Categories: Cybersecurity, General Security and Resilience, Security Preparedness

There is no doubt that complex industrial control systems need to be secured, but what is holding us back from achieving even a minimum level of security? ICS cybersecurity firm Dragos explores five misconceptions that might be inhibiting your organization from reducing risk to your ICS environments:

  1. There Aren’t Many ICS Threats. Compared to publicized attacks against IT, the ICS threat landscape indeed lacks public visibility, but that does not mean successful attacks are not occurring. Many observed ICS attacks remain undisclosed for public safety reasons. Likewise, many organizations lack visibility of attacks due to insufficient monitoring and threat detection capabilities within their own OT networks.
  2. The ICS is Air Gapped. The air gap has largely disappeared within most ICS environments. While some organizations may have been able to maintain an air gap, doing so is not without its challenges. You may be successful at maintaining an air gap, but from a security perspective it is best to secure ICS systems as if you did not have one. The air gap is just one layer of security; it does not replace security.
  3. Availability Comes First in OT. The “CIA triad” (confidentiality, integrity, availability) is often turned into a prioritization list, where ‘A’ comes first in OT. As Dragos points out, many cybersecurity veterans refer to this triad as a three-legged stool, where each leg bears an equal load. In OT environments, there is no argument that availability is a core tenet, but it should not overly dominate. With safety being the ultimate goal, it is difficult to achieve safety at the sacrifice of ‘I’ (integrity).
  4. You Can Always Safely Scan ICS. Dragos asserts there has been a paradigm change toward the belief that ICS can always be scanned for vulnerabilities. Modern systems have been designed to tolerate scanning, but legacy systems that cannot tolerate it still exist, which makes this a misconception. Indeed, it is a fine line to walk, as we still need to discover and patch vulnerabilities. The key to scanning your network without bringing down an ICS is to know your environment: what is scannable and what needs to be excluded.
  5. IT Tools Can Detect Most ICS Attacks. OT/IT convergence has come a long way, both in terms of teams and technology, but OT environments are still unique, especially in the way devices communicate. For IT teams who find themselves with more OT responsibilities, it is imperative to leverage OT engineers and their knowledge of the control systems to better understand what can and cannot be detected with traditional tools.

Read the full post at Dragos