June 15, 2025

Why Little Secure Coding Interest In OT?

Dale Peterson reflects on why there seems to be so little interest in secure coding within the operational technology (OT) community, even though it’s a crucial part of building secure systems. He points out that even when excellent presentations on secure coding are offered—like those at the S4 security conference—they’re often poorly attended, especially by people working directly in OT security.

One example he gives is a talk about how simply switching to "memory safe" languages like Rust isn’t a magic fix. It was a thoughtful presentation, but very few OT professionals showed up to watch it. The people who did watch it later on YouTube were mostly software developers, not the OT audience the talk was aimed at.

Peterson thinks there are two main reasons for this lack of interest. First, many people in OT don’t see themselves as developers, so they assume secure coding isn’t their responsibility. But he argues this is a mistake: even if you don’t write code, understanding the basics of secure development helps you make better decisions when choosing products or vendors. You can ask better questions and demand better practices.

The second reason is the weight of legacy code. A lot of OT systems run on very old software, and the common excuse is that it would be too expensive or disruptive to rewrite it. Peterson doesn’t buy that. He says it’s understandable that you can’t fix everything overnight—but vendors should have a clear plan for how they’re going to modernize their code over time, especially the parts that pose the biggest risks.

In the end, he’s calling on the OT community to stop using these excuses. Secure coding isn’t just for developers—it’s something everyone in the chain needs to understand and support if we want more secure industrial systems.

Source: https://www.linkedin.com/pulse/why-little-secure-coding-interest-ot-dale-peterson-hegoc/?mc_cid=839eb601a2&mc_eid=71dc4a5963
