It’s almost a trope now - there is a ubiquitous thing that happens in Dragos corporate chat every time there’s a major power outage or industrial accident anywhere:

“X just exploded. Prepare to handle inbound cyberwarfare questions!”

Always happy to help, but let’s chat: (1/x)

We are typically already looking into it or starting to look into it in tandem, but so many of our analysts often get pulled into fighting FUD and mistaken speculation from high profile pundits that we also have to prepare and plan for that too.

Most industrial failures (even bizarre ones) are statistically simply due to accidents or equipment malfunctions. It’s interesting that cyberattack is so many people’s first fear these days. Especially when organizations still have trouble budgeting for security.

Commodity, advanced, and insider digital attacks absolutely can and do happen in OT and do cause damage to industrial systems - and that definitely needs to be planned for and deterred. But the shift in public perception to the first assumption being attack is really astounding!

Anyway, unless it’s an organization they’re actively doing security monitoring on (and then they’re probably under NDA), there are very few who can reliably confirm a cyberattack as a root cause in the first hours after something bad happens. That’s so early in triage and IR.

In an industrial incident, step one is life and safety - containing and mitigating the problem. Saving lives and equipment. Restoring critical services.

That’s why planning for *consequences* is so important in OT security, rather than doing cybersecurity in a vacuum. (End)