
                        “Known Good” vs “Known Bad”: Choosing a Starting Point for OT Cybersecurity

                        Written by Mission Secure


There are many ways to separate cybersecurity solutions into categories. For example, you can separate them based on where they take action (network vs endpoint), where they reside (cloud vs on-prem), or how they're deployed (hardware-defined vs software-defined). Another useful distinction is whether a security tool takes a “known-good” or a “known-bad” approach to identifying potential threats.

                        The known-bad approach is based on malware signatures, threat intelligence feeds, known attack patterns, and other common indicators of malicious activity. When something (network traffic, user behavior, application activity, etc.) matches a predefined set of malicious or unsafe conditions, it's considered a possible threat. This approach is fundamentally reactive.

                        The known-good approach, on the other hand, is fundamentally proactive. This approach starts by defining the expected behavior of users, devices, and applications, and treating any deviation from normal as a potential threat.

                        Any effective cybersecurity strategy will incorporate elements of both approaches. But when implementing policies (for example, policies that define when to generate alerts or block activity), organizations usually need to choose whether they are taking action based on known good or known bad activity.

                        In most cases, especially in OT and ICS environments, the known-good approach to cybersecurity is simpler to implement and more effective at protecting critical systems.

                        The Never-Ending Fire Drill

The known-bad approach to cybersecurity seeks to identify threats by watching for established malware signatures, network attack patterns, malicious user activity, and hardware or software vulnerabilities. All of these have a place in a defense-in-depth security posture. But putting a heavy focus on known-bad activity tends to bury OT defenders in work that does not actually reduce risk.

                        Some security researchers and analysts focus on publicizing every vulnerability they can find, regardless of whether the vulnerabilities could lead to serious consequences or could even be exploited in the real world. The continuous flood of new vulnerability reports makes it difficult for asset owners to know where to start–what is an operator supposed to do when their security provider tells them they have 20,000 known vulnerabilities to address?

Intrusion detection and prevention systems also have a tendency to create new work. Even the best IDS and IPS engines generate large numbers of false positives, especially in OT environments, where network traffic is fundamentally different from IT traffic: signature sets written for the IT world routinely misclassify legitimate industrial polling and control traffic.

The need for continuous updates to signatures, vulnerability lists, and threat intelligence feeds, even when no action is likely to be taken on them, makes “known-bad” focused solutions expensive and time-consuming. Most importantly, this approach is reactive by definition: it is designed to counteract the threats identified yesterday rather than to anticipate the novel tactics threat actors are planning to unleash tomorrow.

                        Enter the "known-good" approach, a strategy that promises not just simplicity and efficiency but also a proactive defense against the constantly evolving landscape of cyber threats in OT environments.

                        The Benefits of a "Known-Good" Approach for OT Cybersecurity

                        Strategies that start with the definition of "good" conditions can simplify the cybersecurity landscape by establishing a clear understanding of normal, expected behavior in the industrial environment. This simplicity translates to more effective threat detection and response.

                        In IT environments, defining normal activity can be challenging, because humans are unpredictable and often do unexpected things for good reasons. In OT environments, this is less of a concern. One day’s industrial activity is usually expected to be very much like the day before or the day after. Exceptions like maintenance windows are usually predefined as well and can be figured into the definition of normal. Establishing a baseline for normal activity becomes more achievable, making it easier to identify and respond to anomalies.

                        Basing OT cybersecurity policies on known-good activity provides several benefits:

• Reducing False Positives: Focusing on known-bad activity often results in a high number of false positives, especially in OT environments where network traffic patterns differ significantly from conventional IT setups. The known-good approach minimizes false positives by concentrating on deviations from established normal behavior.
• Economic and Resource Efficiency: The constant updates required for threat intelligence and vulnerability management solutions, even when no immediate action is likely, can be resource-intensive and costly. By prioritizing the known-good approach, organizations can streamline their cybersecurity efforts, reducing both time and financial investment.
• Proactive Security Posture: Unlike the reactive known-bad approach, the known-good strategy allows for proactive cybersecurity. Instead of safeguarding only against yesterday's threats, organizations adopting the known-good approach are better positioned to defend against emerging threats and those yet to be conceived.

                        Implementing a "Known-Good" Strategy in OT Environments

Achieving a successful “known-good” cybersecurity strategy in OT environments requires a deep understanding of the industrial landscape. Here are the key steps to implementing this strategy effectively:

                        1. Detailed Asset Inventory: Begin by creating an accurate and comprehensive inventory of assets in your OT environment. This includes devices, software, and any components that contribute to the industrial processes.
                        2. Network Traffic Analysis: Understand the flow of network traffic between OT assets. Determine which protocols should be used between specific devices, the types of commands devices should send, and any external connections necessary for normal operations.
                        3. Define "Normal" Activity: Establish a detailed definition of normal activity based on the inventory and network analysis. This definition should cover expected behaviors for users, devices, applications, and even physical process signals from Level 0.
4. Guardrails for Anomalies: Set up guardrails that either alert on or block activity deviating from the established norms. These guardrails act as the first line of defense against potential threats, making cybersecurity measures more focused and responsive. Because blocking legitimate traffic in an OT network can itself disrupt the process, a common practice is to run new guardrails in alert-only mode until the baseline has been validated against real operations, then move to blocking for the deviations that matter most, such as unexpected write commands to controllers.
                        5. Layering with Threat Intelligence: Treat vulnerability management and threat intelligence tools as additional layers of protection rather than the foundation of your cybersecurity posture. The known-good approach aligns seamlessly with the concept of Zero Trust, reinforcing a holistic security strategy.
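The following example shows the two approaches described at the start of the article and the five steps above working together as a small policy engine. It is an added illustration, not Mission Secure platform code, and every host address, role, maintenance window and threat-intelligence indicator in it is constructed for the example. The known-good baseline (steps 1 to 3) is expressed as an allowlist of permitted conversations (source, destination, port, protocol, Modbus function codes, and optionally a time-of-day window); the guardrails (step 4) decide whether a deviation is alerted on or blocked; a known-bad host list (step 5) is layered on top. The Modbus function codes are the values defined in the public Modbus specification.

```python
"""Known-good (allowlist) policy evaluation for OT network flows, with a
known-bad indicator list layered on top. Added example; all hosts, rules
and sample flows are constructed, not taken from any real network."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from typing import Optional

# Modbus/TCP function codes (values from the public Modbus specification)
FC_READ_COILS = 1
FC_READ_HOLDING = 3
FC_WRITE_SINGLE = 6
FC_WRITE_MULTIPLE = 16
WRITE_FUNCS = {FC_WRITE_SINGLE, FC_WRITE_MULTIPLE}


@dataclass(frozen=True)
class Flow:
    """One observed conversation between two OT assets."""
    src: str
    dst: str
    dport: int
    proto: str            # "modbus", "https", ...
    func: Optional[int]   # protocol function code, None where not applicable
    ts: time              # time of day the flow was seen


@dataclass(frozen=True)
class Rule:
    """One known-good conversation: who may talk to whom, how, and when."""
    src: str
    dst: str
    dport: int
    proto: str
    funcs: frozenset = frozenset()   # empty set means any function code
    window: Optional[tuple] = None   # (start, end) time-of-day window; None means always

    def permits(self, f: Flow) -> bool:
        if (f.src, f.dst, f.dport, f.proto) != (self.src, self.dst, self.dport, self.proto):
            return False
        if self.funcs and f.func not in self.funcs:
            return False
        if self.window and not (self.window[0] <= f.ts <= self.window[1]):
            return False
        return True


# Steps 1-3: the baseline derived from the asset inventory and traffic analysis.
# Hosts, roles and the maintenance window are constructed for this example.
BASELINE = [
    # HMI polls the PLC: read holding registers only, any time of day
    Rule("10.1.1.10", "10.1.2.20", 502, "modbus", frozenset({FC_READ_HOLDING})),
    # Engineering workstation may read and write, but only in the 02:00-04:00 maintenance window
    Rule("10.1.1.11", "10.1.2.20", 502, "modbus",
         frozenset({FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE}),
         window=(time(2, 0), time(4, 0))),
    # Historian pushes to a single vendor cloud endpoint over TLS
    Rule("10.1.1.50", "203.0.113.7", 443, "https"),
]

# Step 5: the known-bad layer. Constructed indicator; in practice this comes from a threat feed.
KNOWN_BAD_HOSTS = {"198.51.100.9"}


def evaluate(flow: Flow, baseline=BASELINE, bad_hosts=KNOWN_BAD_HOSTS) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'alert' or 'block'."""
    hits_intel = flow.src in bad_hosts or flow.dst in bad_hosts
    off_baseline = not any(r.permits(flow) for r in baseline)
    reasons = []
    if hits_intel:
        reasons.append("known-bad: matches a threat-intel indicator")
    if off_baseline:
        reasons.append("known-good: no baseline rule permits this conversation")
    if not reasons:
        return "allow", reasons
    # Step 4 guardrails: block anything that can change process state or that
    # touches a known-bad host; alert on other deviations for operator review.
    if hits_intel or flow.func in WRITE_FUNCS:
        return "block", reasons
    return "alert", reasons


# Constructed sample traffic, not a real capture
SAMPLE_FLOWS = {
    "hmi_read":        Flow("10.1.1.10", "10.1.2.20", 502, "modbus", FC_READ_HOLDING, time(10, 15)),
    "ews_write_night": Flow("10.1.1.11", "10.1.2.20", 502, "modbus", FC_WRITE_MULTIPLE, time(3, 0)),
    "ews_write_day":   Flow("10.1.1.11", "10.1.2.20", 502, "modbus", FC_WRITE_SINGLE, time(14, 0)),
    "rogue_write":     Flow("10.1.1.99", "10.1.2.20", 502, "modbus", FC_WRITE_MULTIPLE, time(11, 0)),
    "hmi_read_coils":  Flow("10.1.1.10", "10.1.2.20", 502, "modbus", FC_READ_COILS, time(10, 16)),
    "historian_c2":    Flow("10.1.1.50", "198.51.100.9", 443, "https", None, time(12, 0)),
}


def run_sample() -> dict[str, str]:
    """Verdict per sample flow. Note that rogue_write is blocked by the
    known-good layer alone: 10.1.1.99 appears in no threat feed."""
    return {name: evaluate(f)[0] for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, reasons = evaluate(flow)
        print(f"{name:16} {verdict:6} {'; '.join(reasons)}")
```

The point of the `rogue_write` case is the one the article makes: a write from an unknown host to the PLC is blocked because it is not in the baseline, with no signature or indicator needed. The `historian_c2` case shows the two layers agreeing, and `hmi_read_coils` shows a deviation that is only alerted on because it cannot change process state. In a real deployment the baseline would be generated from the inventory and a traffic capture rather than typed by hand, and the alert/block split would be tuned per site.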

                        It goes without saying that cyber threats continue to multiply and grow more sophisticated. The question is, how can OT asset owners take meaningful action to protect their operations against those threats?

                        The known-good mindset is key to developing a proactive and efficient strategy for safeguarding OT and ICS environments. By understanding and defining normal activities, organizations can reduce the complexity of cybersecurity measures, minimize false positives, and establish a resilient defense against emerging threats.

                        To find out how Mission Secure can help your organization implement efficient, effective OT cybersecurity, schedule a consultation today.
