Square Pegs and Round Holes: What Actually Works in OT Security
2026-04-10, Track 1

Having spent several years securing downstream oil infrastructure from cyber attacks, I can confidently say that traditional IT approaches to cyber security do not translate well into OT environments. We can spend a decade trying to force that square peg into a round hole, or we can do something different. After all, have those IT approaches even worked in IT?...

In this talk I'll take you through several lessons we learned out in the field, securing critical OT infrastructure. We'll talk about how we went about securing OT networks, how we utilised zero day vulnerabilities to our advantage, why we don't consider patching systems to be that important, how we handle topics like security testing, and how to implement effective detection capabilities, all without disrupting operations or compromising safety.

This talk is us learning out loud in the field of OT security, sharing our experiences in order to contribute to collective shared wisdom. I hope to leave you with some insights and examples from our own journey that you can take away and use on, and maybe challenge, your own approaches to OT security.

John has spent many years leading some of the most formidable offensive and defensive cyber teams globally. Currently focused on securing downstream oil infrastructure, his career spans critical industries from finance to defence. Formerly of MWR, John is now the founder of Lab539, has the world's largest collection of supercomputer-related CVEs, and spends his free time tracking and disrupting AiTM and other adversarial infrastructure.