ICS Werewolf myth

ICS Werewolf: Slaying ICS Mythical Creatures, Part 3

Ron Fabela, SynSaber CTO & Co-founder
Ron Fabela

Part 1 of the series saw us slaying the toxic manifestation of what the ICS Unicorn had become, and in Part 2, the dreaded ICS Basilisk met its ruin. In the third and final part of our series, we take on the snarling ICS Werewolf — and the idea that all you need is a “silver bullet.”

The same disclaimer from our previous tales in this series can be applied: This isn’t a judgment on the past or a callout of any one person or group’s mascot, but rather a look to the future.  

For each mythical creature in this series, we’ve covered:

  • The Creature: What it represents
  • The Reason: Why it was necessary in the past
  • The Manifestation: What this beast has become now
  • The Actions: 3 things you and I can do to create a better future

Time to Slay ⚔️ The ICS Werewolf

An average human being during the day, but at night, under a full moon… 🐺 a transformation. But that’s not as interesting as the ICS Werewolf’s weakness: the silver bullet. We in the industry hear silver bullet solutions a lot, but how did we get there? Why do we need silver bullets at all?

ICS Werewolf myth

As the industry started to gain recognition and the problem statements were better understood, we began to transform.

🌕 On a full moon, innocent technologies, methodologies, and guidelines would turn into “silver bullets” that could kill or cure any ICS cyber issue.

The industry needed help from all parties; here’s how the ICS Werewolf came to be.

The Reason

Honestly, we started off strong. ICS cyber security quickly picked up on some key areas of importance for operations.

From a solution side of things, there were 3 main areas where contributions were made.

ICS Werewolf reason

Operational Empowerment

Early on, we gave up on one-size-fits-all solutions to operational problems and focused on areas where we could provide security and operational value.

This came in many forms, but under the banner of “you can’t just apply enterprise security concepts directly to ICS.”  

Increased Engagement

The ICS security community was given the opportunity to engage more with the industrial operations of the organization. Some of this was through forcing factors like regulations or industry pressure, but increased engagement between IT and OT began to take hold.

For some folks, this expanded gaps in understanding and communications, but for most, it was a positive (albeit slow) experience. Everyone had ideas and solutions to the problem, and they were mostly welcomed.

Risk-Based Approaches

Even our approaches were based on risk, with additional focuses on safety and reliability. It was a utopia, or so it seemed. 

There was a bad moon rising…

The Manifestation

The community of practitioners who provided technologies and services started to transform right before our eyes. The common sense “meat and potatoes” approach to industrial security changed into one that became overly focused on specialization, more hype, and the dreaded silver bullets.

While there are no true silver bullets, operators do need something to combat real beasties.  

Here are the concepts we need to slay to put more power back into the hands of operators and properly arm them for battle.

ICS Werewolf manifestation

Specialized Tools

Overly-specialized tools or tools that can only be wielded by the few (harkening back to the ICS Unicorn myth). This is compounded by the fact that these solutions can be so overly specific as to not work in most cases.

It wasn’t just silver bullets that could function in any firearm, but specialized firearms and other mysterious methods for operation.

Over-Hyped Threats

The threats are real, and the community was ready to apply resources to the solution. So why all this howling at the moon? It’s twofold: The listener is fatigued by all the scary monsters, so the ICS Werewolf must gnash its teeth and howl even louder to be heard.

Maybe they now have to howl on the news, at conferences, on social media, and in front of Congress to get more and more attention. Russian APTs are a threat! Buy our Russian APT detector!

Cure-All Antidotes

But again and again, the operator is left out of the conversation. Not only were they being served over-specialized tools, but whiplash occurred when “one-size-fits-all” solutions hit the market.

AI-powered in the cloud solutions and fancy services overwhelmed a market that was once again yearning for genuine engagement.

What the ICS Werewolf was missing:

👉 Operators Know What Goes Bump in the Plant Better Than Anyone Else

Our job as a community is simply to empower them.  

The Actions

So what can we do to slay the ICS Werewolf and the mythical silver bullet?

ICS Werewolf actions


Each day should be an opportunity to teach someone something new. Are you a security operator? Teach someone practical security. Industrial operator? There are many of us interested in the processes you maintain.

Not in a position to teach someone? Learn. A cyber security professional with a love and understanding of industrial processes makes mystical cure-alls obsolete.  

Next Week: EXPAND

If you are in an industrial organization, push for opportunities to visit/shadow other processes within the group.

Chris Sistrunk tells folks to bring donuts to the control center and just talk. While it may not be that simple, donuts can be a great equalizer. Bring a box and an open mind, and be ready to learn. 🍩


Silver bullets exist because there is still hesitation to share what we’ve learned in the greater community. In my experience, that hesitation is because it’s often counter to current culture.

Exposure to each other’s operating environments dispels the myths we’ve built about each other, and that wisdom needs to be shared — even if it makes us uneasy.

ICS Mythical Beast Slaying Summary


“For all your days be prepared, and meet them ever alike. When you are the anvil, bear — when you are the hammer, strike.”

~Edwin Markham

There are many, many more examples out there… too many to list. With many more to come. What memes will be made at S4x32 about the current topics of the day?

Our collective knowledge to defeat these creatures is more powerful than any single person or organization may think. And while initial trailblazers are necessary for establishing the path, the ghost stories and tall tales of yesterday are no longer necessary.

But how do we unite and learn from this and from each other?

ICS Mythical Beasts
A triad of ICS Mythical Beasties

👏 Mythical Creatures Past, Present & Future Can Be Slain When We Work Together 👏

We Each Have a Role to Play

ICS groups that slay together, stay together
Those that slay together, stay together

Any single group is not as effective as the whole.

Not one side can win entirely on its own.

  • Big industrial manufacturers, the product security teams in the trenches.
  • Operators (security and industrial) trying to defend environments the best they can.
  • Advisors who have the external view, with knowledge of past assessments, testing, architecture review, and everything in between.
  • Security vendors providing the tools and solutions needed to defend at scale.

As we close out this series, I hope you find inspiration to learn and empower others. Seek out the helpers in the community. 

Trying to be just the hero is easy (and lonely), but being a hero-maker is lasting. There are real problems to solve out there, and each of us has something unique to bring to the table.  

Together We Can SLAY ⚔️🦄⚔️🐉⚔️🐺⚔️

~Ron 💜🚀

P.S. — Prefer your blogs in video form? Check out the recorded session from S4x22 with Ron covering this topic (in Crocs)