Fifteen years ago, Stuxnet demonstrated that getting to the Engineers’ Workstations can cause devastating damage. Three years ago, SolarWinds showed that malware could be inserted into the update cycle. Two weeks ago, CrowdStrike demonstrated that Engineers’ Workstations are still cyber vulnerable to automatic updates that are fully trusted. It was evident that OT (and IT) didn’t follow their own change management policies by not testing the update before installing the automatic update. OT should have waited at least several days to ensure the update did not affect IT systems before implementing the upgrade in an OT environment. If the OT (and IT) community want to utilize zero trust, you can’t automatically trust auto updates like CrowdStrike.The significant concentration of few IT and control system vendors increases cyber fragility whether from unintentional incidents or malicious cyberattacks. OT issues continue to receive less attention than IT. The recent CrowdStrike event has continued to place the focus on IT systems, and OT risks continue to be overlooked by the cyber defenders.
