Debate: Are Specialized OT Tools and Talent Required to Detect Attacks on ICS?

At S4x18 we had a lively Main Stage Debate: Enterprise SOC or OT SOC, which best handles OT Incident Detection and Response? Dan Scali of FireEye took the Enterprise SOC side and Rob Lee of Dragos argued the OT SOC side. You can see the debate below and decide who won. I should note that Dan now works for Rob at Dragos, so perhaps they both won in their own way.

During the Call For Presentations, Steve Miller of FireEye wrote in a proposed session description,

All ICS attacks are regular IT attacks. This is a somewhat provocative statement, but I’d like to highlight how the so-called ICS intrusions are really just intrusions into the IT space that made it deep enough to affect OT things.

I knew there would be some in the ICSsec community who would vehemently push back on that statement, and thought why not make that a debate. This led to a debate entitled:

Are Specialized OT Tools and Talent Required to Detect Attacks on ICS?

Steve is taking the con side … no, they are not. So who to get on the pro side … yes, they are? It was pretty easy to see that a rerun of the FireEye / Dragos debate is the way to go, since this year's was so educational and entertaining. Also, these two companies are recognized leaders in OT Incident Response.

So who from Dragos should compete? Rob? Always a good choice, but let's mix it up. So how about Ben Miller, who knows his stuff and is always candid and quick thinking on his feet. It didn't strike me until after I put his name on the agenda that I have two Millers in the debate. So we get to call this debate Miller's Crossing, after one of my favorite mob movies.