Unfortunately lots is being written on this subject (OT Security) and not all of it is really "helpful",
In my mind only, this gent took something that we commonly use in IT and is trying to apply it to OT (ICS/SCADA/etc.). Doing this, MIGHT prepare one for a job in IT and maybe an entry level into Security but definitely not into OT.
Let's look at OT and some of the real issues associated with it:
The lifespan of OT (ICS) systems. Most systems that sit at Level 0 of the Purdue model (https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture) were built to last and not change due to required uptimes, the cost and the risk. in running some applications, the required uptime for these systems is 99.99%
Airgaps are gone. In the past, these systems were air gapped and we used what we now call sneaker net to transfer data. However with the adoption of newer technologies the value chain has changed and not we find these systems sitting on corporate networks.
There are other risks associated with these devices.
As one moves up the Purdue Model and start looking at Level 1 and 2, we see IT-OT converging, thus seeing new technologies increasing the risk. As digital transformation breaks down IT-OT barriers, advancements in networking and data analytics reshape processes, and new sophisticated cyberattacks appear, ICS frameworks are slow to adapt.
I strongly recommend anyone who is increased in OT Security, first learn about networking, basic security topics before even attempting to secure an OT environment.
Several great courses are available from SANS (and they have a certification for it). Another course, but I believe enrollment is from Idaho National Labs/ Also check out https://www.cisa.gov/ics-training-available-through-cisa
d
