Andrew Ginter of Waterfall Security Solutions argues that OT security programs must be stronger than IT - not just different - and connects 50-year-old cybersecurity theory to modern practice including SEC-OT and CIE mitigations.
Operational technology security programs are routinely weaker than IT programs - not because anyone intends them to be, but because the most common differences between the two environments - difficulty patching, encrypting, scanning - reduce OT security strength by default. Yet the worst credible consequences of OT failures - mass casualty events, collapsed infrastructure, physical destruction - demand programs that are materially stronger, not weaker. A 50-year-old theory called Biba explains exactly why, and most of the industry has ignored it.
This session, led by Andrew Ginter of Waterfall Security Solutions, will cover:
- Why worst credible consequences - not tool parity with IT - should determine the required strength of an OT security program;
- How Biba's 1975 sabotage-prevention theory fundamentally reframes OT security goals from protecting information to preventing attack information from entering systems;
- What a data flow inventory, hardware-enforced unidirectionality and deny-by-default policies look like when applied as second-generation OT security practice.
Here is the course outline:
How Should OT Security Differ From IT? |
Completion
The following certificates are awarded when the course is completed:
![]() |
CPE Credit Certificate |
