Let’s start with an analogy familiar to most. The home is probably everyone's most valuable asset; it contains our passions, pleasures and possessions. We keep it secure, don't we?
When securing a property, the initial selection of good-quality doors, windows and locks that are proven in the environment of use is a great start; who would buy a house with paper doors? Perhaps a feeling of security comes from the knowledge that you have invested in good products, but actual security only comes if these features are correctly deployed and tested, hopefully by a competent supplier that has an interest in the broader outcome.
No matter how good the supplier, leaving your highly featured property with the windows and front door wide open and posting on Facebook about how you are enjoying your family vacation in Bali leaves your property vulnerable.
Now some may not care as much as others; those who are closest to the assets will probably care the most. This degree of care can be related to an appetite for risk. We all know people who are risk takers and others who are risk averse. If there were a line between the two, we would all sit on it somewhere.
So, back from holiday, the home owner religiously locks the doors and windows every night, depicting a low appetite for risk; however, the rest of the family do not. The property remains vulnerable because the appetite for risk is not shared, communicated or somehow enforced across the family. A compromise position often results.
Finally, consider the weekend away when your teenager posts an open invitation to a 'parents away' house party on FB. Even with the best defences money can buy in place, an inconsiderate or, worse, a disgruntled insider can render them all but useless.
Home owners can invest in increasingly sophisticated security features (CCTV, intrusion detection), but if they ignore the basics and the culture, vulnerability remains present. If you have considered the vulnerabilities and accept them, you are probably in a good place. This does not mean the threat will not happen, just that you are better prepared for if/when it does.
The same is true for OT network security. We have considered design, product and feature selection, configuration and test. In many cases this will be the limit of a well-written user requirement specification. The outcome, however, is that vulnerability remains. In other times, when the threat actors were largely visible, most threats could be responded to by holding spares, keeping a configuration backup and having a competent engineer to hand. In modern times the threat actors are often invisible, requiring specialist skills to identify and remedy them.
IT4A tend to work closely with organisations supporting critical infrastructure, where the safety of the public or national infrastructure is at stake; consequently, appetite for risk is low and well managed.