Same Song, Different Verse – S4 Conference and the Roman Empire
It's late June, and the S4 conference, arguably the largest ICS/OT cybersecurity conference in the industry, is accepting submissions for papers and presentations. It's nighttime, a period I usually reserve for reflection or deep thinking, but tonight I'm contemplating what topic I might submit for the upcoming S4 event that would capture attendees' interest.
Back in 2022, I found myself in a similar situation, brainstorming ideas for a colleague of mine, Mark Carrigan. That evening, I watched a History Channel show about the six infamous sacks of Rome, which inspired Mark's paper titled "How Many Times Was Rome Rebuilt?" He submitted that paper to the S4 conference, and it was later selected. You might be wondering why I'm sharing this story. Well, that same show about Rome being rebuilt is back on TV tonight, and there are a lot of similarities between then and now. As the saying often attributed to Mark Twain goes, "History does not repeat itself, but it rhymes."
In 2022, I attended Mark’s presentation at S4 and thought he did a great job. However, our conclusions on the topic differed somewhat. Mark argued that as the Roman Empire expanded, its defenses became overstretched. He drew an analogy to companies in the heavy processing industries, suggesting that as they advance in their digital transformation journeys, they become increasingly difficult to defend. Essentially, the more these companies grow digitally, coupled with their need for lower-level data, the harder it becomes to protect their critical assets — much like Rome, which became harder to defend as it expanded.
While I didn’t disagree with Mark’s interpretation or conclusions, it wasn’t the point I had envisioned when I came up with the title for the paper. My intended point was that no matter how vast or well-defended you are, there will always be someone willing to challenge you. Being large and strong might deter smaller adversaries, but it can also make you a target worth taking for more advanced foes.
I planned to discuss the sacks of Rome from three main angles. Firstly, they didn’t happen by accident; economic and political situations created opportunities for successful infiltrations. Secondly, while splitting resources may make governance easier, it also weakens your defensive position. Thirdly, not all attackers come from the outside; internal threats can be just as dangerous.
Economic and Political Situations
Even as Rome faced external attacks, it was also collapsing from within due to multiple financial crises. Constant wars and overspending had significantly drained its reserves, while heavy taxation and inflation widened the economic gap. With its economy in decline, the empire began to lose its grip on its inhabitants.
This is not a political post, but discussions about economic inequality and the economic divide seem to be everywhere. Coupled with rising inflation in areas like motor vehicle insurance (up 20.60%), transportation services (up 9.90%) and baby food and formula (up 8.80%), with the percentage figures taken from Forbes, this creates uncertain and trying situations. If you look at the risk equation, Risk = Likelihood x Consequence, it's easy to see how uncertainty and turmoil could increase the likelihood of adverse events.
Splitting Resources
The fate of Rome was shaped in the late third century when Emperor Diocletian divided the Empire into two halves: a Western Empire, governed from Milan, and an Eastern Empire, whose seat would later be Byzantium, refounded as Constantinople. While this division made the Empire more manageable in the short term, over time the two halves drifted apart. East and West failed to cooperate effectively against external threats and frequently argued over resources and aid.
I started my operational technology career in the mid-1990s, a time when IT and process automation often didn't get along. This animosity persisted throughout most of my professional life. I remember when customers purchased Automation Integrity (or its predecessor, Doc3000), and my job was to install the product at industrial facilities. During the onsite deployments, one of the first questions I would ask was which network users would access the software from. Inevitably, the most suitable network wasn't chosen, because it was managed by another group (IT). We often sacrificed daily ease and convenience to avoid conversations with other departments within our own organizations. Thankfully, the division between IT and OT is closing as IT/OT convergence takes hold. However, I see another divide emerging, this time between site resources and corporate teams. These teams must work more closely together if we hope to reduce cyber and operational risk effectively.
Internal Threats
Odoacer, also known as Odovacar, was the first king of Italy. A soldier in the Roman army who rose through the ranks to become a general, he deposed the Western Roman emperor Romulus Augustulus in 476 and ruled Italy until 493. His overthrow of Romulus Augustulus is traditionally considered the event that marks the end of the Western Roman Empire.
Government coups, hostile takeovers and malicious insiders aren't new. These threats are as old as organized power itself, and no government, organization or company is immune to them. I would argue that insiders pose the greatest threat to OT environments: they bypass most security controls and are usually treated as trusted resources. Yet, surprisingly, the malicious insider isn't my biggest concern.
You might think that sounds contradictory. How can insiders be the greatest threat, but the malicious insider isn't your biggest concern? It's simple: the engineer or technician doing their job but making a mistake, such as a typo, taking something out of service without fully understanding the impact, or lifting the wrong wire, is far more likely to cause problems than someone successfully bypassing numerous security layers or an employee becoming so upset that they intentionally cause harm, especially at the OT layer. Few cyberattacks successfully penetrate down to the OT layer, and there have been few documented cases of disgruntled employees taking action against an ICS environment. There are, however, numerous instances every year of well-intentioned individuals changing ICS configurations and causing process upsets or unit trips.
Just this week, I was discussing this with a group of industry analysts from a research firm. One of them said, "Nick, I agree with you, but our audience is security people, and they want to hear about security problems. We agree it's far more likely to have a change that negatively impacts operations than an external cyberattack, but our audience doesn't want to hear that." My response was, "Fine, let's talk about detecting changes regardless of intent and how to account for that in our work processes, recognizing that the consequences are the same." If we want to start taking OT risk reduction seriously, we can't get fixated on intent. We must focus on likelihood and consequence. Going back to the risk equation, Risk = Likelihood x Consequence: if an inadvertent change has the same consequence as a cyberattack, taking the process down, and the likelihood of an inadvertent change is far greater than that of a successful external attack, then the answer is clear on where we should focus. It might not be the popular answer, but it's the honest and direct one.
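Here is what "detecting changes regardless of intent" looks like in practice. This is an added example written for this post, not code from the original or from any product mentioned above. It compares a baseline configuration snapshot against a current one, flags every difference, and checks each one against the list of changes the work process actually approved (a stand-in for a management-of-change record). The tag names, values, approval list and consequence weights are all constructed for the illustration; a typo, an interlock disabled during maintenance and an attacker's edit all surface through the same path, because intent is never an input.

```python
"""Configuration change detection that is blind to intent.

Added example, not code from the original post. Compares two constructed
controller configuration snapshots, reports every difference, matches each
difference against an approved-change list (a stand-in for a
management-of-change record), and ranks the result by consequence so the
review queue is ordered by what matters, not by who caused it.
"""

from dataclasses import dataclass

# Constructed sample data: the last approved state and a snapshot taken now.
# Tag names, values and weights are hypothetical.
BASELINE = {
    "FIC-101.SP": 45.0,        # flow controller setpoint
    "FIC-101.HI_ALM": 60.0,    # flow high-alarm limit
    "PIC-202.SP": 12.5,        # pressure controller setpoint
    "PIC-202.HI_ALM": 15.0,
    "TIC-303.SP": 180.0,       # temperature controller setpoint
    "TIC-303.HI_ALM": 210.0,
    "XV-404.INTERLOCK": True,  # shutdown interlock enabled
}

CURRENT = {
    "FIC-101.SP": 48.0,        # approved setpoint move
    "FIC-101.HI_ALM": 60.0,
    "PIC-202.SP": 125.0,       # looks like a typo: 12.5 became 125.0
    "PIC-202.HI_ALM": 15.0,
    "TIC-303.SP": 180.0,
    "TIC-303.HI_ALM": 210.0,
    "XV-404.INTERLOCK": False, # interlock disabled, no record of why
}

# What the work process says should have changed (tag -> expected new value).
APPROVED = {"FIC-101.SP": 48.0}

# Consequence weight per tag, 1 (nuisance) to 5 (safety). Hypothetical; in a
# real plant this comes from the HAZOP or criticality review.
CONSEQUENCE = {
    "FIC-101.SP": 2, "FIC-101.HI_ALM": 3,
    "PIC-202.SP": 4, "PIC-202.HI_ALM": 4,
    "TIC-303.SP": 3, "TIC-303.HI_ALM": 4,
    "XV-404.INTERLOCK": 5,
}


@dataclass(frozen=True)
class Change:
    tag: str
    old: object
    new: object
    approved: bool
    consequence: int


def diff_snapshots(baseline, current):
    """Return (tag, old, new) for every tag that differs, was added or was removed."""
    changes = []
    for tag in sorted(set(baseline) | set(current)):
        old, new = baseline.get(tag), current.get(tag)
        if old != new:
            changes.append((tag, old, new))
    return changes


def classify(changes, approved, consequence):
    """Mark each change approved only if the tag AND the new value match the
    approved list; attach its consequence weight. Intent is never consulted."""
    queue = []
    for tag, old, new in changes:
        is_approved = tag in approved and approved[tag] == new
        queue.append(Change(tag, old, new, is_approved, consequence.get(tag, 1)))
    # Unapproved changes first, highest consequence first, then by tag name.
    return sorted(queue, key=lambda c: (c.approved, -c.consequence, c.tag))


def review_queue(baseline=BASELINE, current=CURRENT,
                 approved=APPROVED, consequence=CONSEQUENCE):
    """Full pipeline: diff, classify, rank."""
    return classify(diff_snapshots(baseline, current), approved, consequence)


def unapproved(queue):
    """The items that need a human to explain them, whatever the cause."""
    return [c for c in queue if not c.approved]


def magnitude_flags(queue, max_ratio=5.0):
    """Flag numeric changes that moved by a factor of max_ratio or more.
    An order-of-magnitude jump is a classic signature of a mistyped value."""
    flagged = []
    for c in queue:
        nums = (int, float)
        if isinstance(c.old, bool) or isinstance(c.new, bool):
            continue  # booleans subclass int in Python; treat them separately
        if isinstance(c.old, nums) and isinstance(c.new, nums) and c.old and c.new:
            ratio = max(c.new / c.old, c.old / c.new)
            if ratio >= max_ratio:
                flagged.append(c.tag)
    return flagged


if __name__ == "__main__":
    queue = review_queue()
    for c in queue:
        status = "approved" if c.approved else "UNAPPROVED"
        print(f"{status:10} C={c.consequence} {c.tag}: {c.old!r} -> {c.new!r}")
    print("possible typos:", magnitude_flags(queue))
```

Running the script lists the disabled interlock first and the ten-fold pressure setpoint move second, with the approved flow setpoint move last; the magnitude check singles out the pressure setpoint as a likely typo. Nothing in the logic asks whether the technician, the maintenance contractor or an intruder made the edit, which is exactly the point: the detection and the review step are the same regardless of intent, and the ordering comes from consequence.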
Conclusions
To conclude, I thought I would summarize my findings in bullet points:
- Any company with ICS equipment is a target, regardless of size — sometimes intentionally, other times by happenstance.
- As social and economic situations change, we must adapt our security posture accordingly.
- We need to work as a team — not just IT and OT, but also site and corporate — if we hope to address bigger security challenges.
- The greatest threat to OT isn't a hacker or a rogue employee; it's the person trying to do their job with limited tools who makes a simple mistake.
- To genuinely reduce risk in OT environments, we must move past the fear, uncertainty and doubt generated by vendors, media and analysts, as their agendas might not prioritize actual risk reduction.