Full Report
At the S4x25 event, Dale Peterson sat down with Paul Griswold, former chief product officer at Honeywell, for... The post S4x25 fireside chat: Dale Peterson and Paul Griswold discuss evolution of ICS security appeared first on Industrial Cyber.
Analysis Summary
# Industry News: Candid Assessment of ICS Security Progress and Adoption Gaps
## Summary
A recent fireside chat between Dale Peterson and former Honeywell CPO Paul Griswold revealed that while Industrial Control System (ICS) vendors are improving "secure-by-design" principles, a significant gap persists in the actual adoption of advanced security features by asset owners and integrators. Key barriers include cost sensitivity, operational familiarity overriding best practices, and fragmented regulatory compliance driving check-the-box efforts rather than genuine security posture improvement.
## Key Details
- Date: Not explicitly stated, but occurred recently at the S4x25 event.
- Companies Involved: Honeywell (as context for Griswold's background), and the broader ICS vendor/asset owner ecosystem.
- Category: Industry Analysis / Expert Commentary.
## The Story
Dale Peterson interviewed Paul Griswold, focusing on the current state of ICS security following Griswold's tenure at Honeywell. Griswold confirmed that ICS vendors are making strides by embedding security earlier in the product lifecycle. However, the conversation highlighted a major stumbling block: the adoption gap. Although vendors provide secure deployment guides, use of advanced security features such as embedded firewalls or secure protocols (e.g., SIP security, secure Modbus) remains low, often below 10% in new deployments. This stagnation is fueled by asset owners prioritizing operational familiarity and cost sensitivity over robust security implementation. Furthermore, system integrators are often circumventing best practices, and compliance frameworks (like CRA or IEC 62443) risk becoming minimal, "check-the-box" exercises rather than drivers for substantive security enhancement. Securing aging legacy systems remains an active, complex challenge.
## Business Impact
### For the Companies Involved
- **Vendors (like Honeywell):** They face pressure to not only build secure products but also to actively push for and sometimes subsidize the adoption of those features, especially as integration complexity and legacy support costs rise.
- **Asset Owners:** Those who resist adopting advanced security features face increased risk exposure, potentially leading to higher incident response costs or future compliance penalties.
### For Competitors
- Competitors who can most effectively translate regulatory requirements (like the CRA) into simple, cost-effective, and operationally seamless security packages for integrators might gain market share, particularly in greenfield projects.
### For Customers
- Customers benefit from incrementally more secure products but will continue to struggle with inconsistent security postures within their operational environments due to implementation gaps by integrators or resistance to configuration changes.
### For the Market
- The market confirms that **security maturity is currently bottlenecked by implementation and culture, not solely product availability.** This suggests sustained demand for specialized integration services focused purely on security enforcement, rather than just operational setup.
## Technical Implications
The low adoption rate (under 10% for some advanced protocols like SIP security) confirms that **operational technology (OT) security is currently more about governance, configuration management, and operational friction reduction than breakthrough technology development.** The reliance on "overlay technologies" for legacy remediation suggests that deep architectural security upgrades are still not the norm.
## Strategic Analysis
- Market Positioning: The industry is positioned between high-security aspirations (driven by vendors) and low-adoption reality (driven by operations/cost). Vendors succeeding strategically will be those that simplify the secure configuration process for integrators.
- Competitive Advantage: Advantage will accrue to companies that can definitively link security spending (Griswold's 10-15% estimate) to demonstrable operational uptime, rather than just compliance boxes checked. For integrators, expertise in enforcing secure-by-default settings will become a differentiator.
- Challenges: Overcoming cultural inertia, budgetary conservatism among asset owners, and the fragmentation caused by numerous regulatory standards remain the dominant challenges.
## Industry Reactions
- Analyst opinions suggest this candid feedback validates existing concerns that the OT security maturity model is stuck in the "implementation" phase, despite significant advances in "product security."
- Expert commentary points to the need for clearer regulatory mandates that penalize *non-use* of available security features, not just *non-availability*.
## Future Outlook
- We expect increased vendor focus on developing solutions that make secure configurations the *default* and insecure configurations actively *difficult* or impossible to select, perhaps via automated provisioning tools.
- Watch for how the European Cyber Resilience Act (CRA) directly impacts integrator behavior and how vendors respond to the pressure to provide cost-effective security retrofits for legacy support mandates (e.g., Siemens 2040 support).
## For Security Professionals
Cybersecurity practitioners tasked with defending ICS environments must recognize that securing the operational environment often requires auditing and potentially overriding configurations set by integrators, as these frequently deviate from vendor security recommendations. Training and strong governance over the integration process are now paramount.