Quantifying Risk Reduction Achieved By OT Security Controls
Jake Gentle
S4x24 - ICS Security Conference · Day 3 · Stage 2
Jake Gentle's presentation at S4 tackled a critical blind spot in current cybersecurity risk assessment methodologies, particularly within **Operational Technology (OT)** environments: how to quantify risk for assets that lack published vulnerabilities. Traditional risk models heavily rely on **Common Vulnerabilities and Exposures (CVEs)** and **Common Vulnerability Scoring System (CVSS)** scores. However, in OT, where assets have exceptionally long lifespans, receive infrequent updates, and are often sourced from a vast and sometimes obscure vendor landscape, many devices present with "zero vulnerabilities" – leading to a dangerous perception of "zero risk."
AI review
Gentle's presentation tackles the critical 'risk zero' fallacy in Operational Technology (OT) environments, where the absence of CVEs leads to a dangerous underestimation of risk. The proposed methodology introduces a novel, structured framework to quantify inherent risk for OT assets by systematically evaluating vendor security posture and device-specific attributes. This is a substantive defensive innovation with significant practical impact for critical infrastructure, offering a pathway to move beyond reactive, CVE-centric assessments to a proactive, attribute-based approach.
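To make the "zero CVEs, zero risk" fallacy concrete, here is an added Python example (not from Gentle's talk or his methodology) that scores two constructed OT assets with a CVSS-only model and with a simple attribute-based model built from the factors named above: time in service, update staleness and vendor security posture. The weights, the 0-10 scale and the three-level vendor-posture scale are illustrative assumptions.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class OTAsset:
    name: str
    cvss_scores: List[float] = field(default_factory=list)  # published CVEs, often empty in OT
    years_in_service: int = 0
    years_since_last_update: int = 0
    vendor_posture: str = "unknown"  # hypothetical scale: "mature", "basic", "unknown"


def cve_only_risk(asset: OTAsset) -> float:
    """Traditional CVE/CVSS-centric score: highest CVSS on the asset (0-10).
    With no published CVEs this returns 0.0, the 'zero risk' perception."""
    return max(asset.cvss_scores, default=0.0)


# Hypothetical penalty for how little is known about a vendor's security practices.
VENDOR_POSTURE_PENALTY = {"mature": 0.0, "basic": 2.0, "unknown": 4.0}


def attribute_risk(asset: OTAsset) -> float:
    """Illustrative inherent-risk score (0-10) that needs no CVE data:
    up to 3 points for age, 3 for update staleness, 4 for vendor posture."""
    age = min(asset.years_in_service, 20) / 20 * 3.0
    staleness = min(asset.years_since_last_update, 10) / 10 * 3.0
    vendor = VENDOR_POSTURE_PENALTY[asset.vendor_posture]
    return round(age + staleness + vendor, 2)


def combined_risk(asset: OTAsset) -> float:
    """Take the higher of the two views so an asset without CVEs is never scored 0."""
    return max(cve_only_risk(asset), attribute_risk(asset))


# Constructed sample assets (not real devices).
LEGACY_PLC = OTAsset("legacy PLC", [], years_in_service=15,
                     years_since_last_update=8, vendor_posture="unknown")
PATCHED_HMI = OTAsset("recent HMI", [5.3, 7.5], years_in_service=2,
                      years_since_last_update=1, vendor_posture="mature")

if __name__ == "__main__":
    for a in (LEGACY_PLC, PATCHED_HMI):
        print(f"{a.name}: cve_only={cve_only_risk(a):.2f} "
              f"attribute={attribute_risk(a):.2f} combined={combined_risk(a):.2f}")
```

The legacy PLC scores 0.0 under the CVE-only model yet 8.65 under the attribute model, which is the blind spot the talk addresses.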