Review: Engineering-grade OT security: A manager’s guide

Andrew Ginter is a widely-read author on industrial security and a trusted advisor for industrial enterprises. He holds a BSc. in Applied Mathematics and an MSc. in Computer Science from the University of Calgary.

He developed control system software products for Hewlett Packard, Agilent Technologies, and others and IT/OT middleware products for Agilent Technologies and Verano. He currently works as a VP of industrial security at Waterfall Security Solutions.

He has previously written “SCADA Security: What’s broken and how to fix it” and “Secure Operations Technology”. “Engineering-grade OT Security” is his latest book.

Engineering-grade OT security: A manager’s guide

Ransomware attacks on manufacturing and critical industrial infrastructures have been growing in frequency and severity in the past few years, and show no sign of stopping. We learn this as the author details the most common attacks on OT/industrial control systems.

“Worst-case consequences of compromise define the difference between most IT and OT networks. Consequences on IT networks are generally business consequences, while OT consequences are very often physical,” Ginter writes in the introduction.

Physical consequences – caused by earthquakes, explosions, and cyberattacks – can be avoided by implementing engineering-grade protection to OT systems, not only IT-grade approaches.

In this book, the author tries to answer the question “How much [of both] is enough?” and explains that the answer actually lies in the consequences of compromise that will “drive the decision process”. This decision process will also depend on a new cyber risk model, which determines appropriate levels of protection for different systems.

Ginter explains how cybersecurity practitioners view OT systems protections differently than engineers. Other than using different tools, they also have a different approach to cyber risk and how much is “acceptable” and “reasonable.”

He introduces the reader to the differences between security engineering and network engineering protection techniques and their role and importance in securing OT systems. Ginter also emphasizes the importance of communicating any decision throughout the organization.

The book concludes with two appendixes that offer common security approaches, technologies, and best practices for securing critical industrial infrastructures.

Who is it for?

The content is easy to read and primarily suitable for a universal audience, only occasionally becoming technical. In this case the author suggests certain readers skip specific chapters based on their level of knowledge.

To help those unfamiliar with certain cybersecurity terms (i.e., vulnerability, ransomware, zero trust, encryption, etc.), throughout the book Ginter also provides clear definitions.

Engineering-grade OT security is aimed at cybersecurity and engineering experts, but also non-technical readers who want to know more about OT cybersecurity and security engineering. It provides guidance on how to define a protection plan for an organization by considering cyber, physical and legal consequences.