Three steps to building an ICS/OT roadmap

Many wonder where to start when protecting embedded systems in OT cybersecurity. Here are some good places to begin.

Gartner estimates that by 2023, 75% of organizations will restructure risk and security governance to address converged information technology (IT), operational technology (OT), Internet of Things (IoT) and physical security needs – an increase from fewer than 15% in 2021.

This dramatic acceleration demonstrates the growing understanding that OT plays a critical role in organizational cybersecurity. The stats also show, however, that for a majority of companies this is a significant shift. What does it take to get from point A to point B?

The growing importance of ICS/OT security

It is worth asking why executives, boards, and teams on the ground are suddenly concerned with the convergence of IT and OT. There are five key factors:

  1. Increased workforce. Compared to even five years ago, we now have a growing base of skilled ICS security practitioners who are highlighting the risks and importance of OT security.
  2. Greater governance. Executives and Boards are more engaged and increasingly highlight industrial cyber risk as a top concern. “Cybersecurity” no longer applies just to IT, and governance is adjusting accordingly.
  3. More projects. As technology changes and connectivity evolves, organizations must balance the security risks of new projects designed to drive cost savings and efficiencies.
  4. OT vs. IT. Cybersecurity continues to grow in criticality and complexity. IT and OT must understand the specific impacts to security controls, incident response, and risk evaluation within OT environments.
  5. Company culture. Ever heard the phrase “Culture eats strategy for breakfast”? It doesn’t matter how well-planned your roadmap is, you need a culture of safety and reliability to execute it effectively.

The fact that more organizations recognize the importance of ICS/OT security does not mean that pursuing it is without challenges. A recent survey from the Ponemon Institute surfaced a number of common issues that continue to stand in organizations’ way. These roadblocks include:

  • OT security is managed by the engineering department, which does not have security expertise
  • OT security is managed by an IT department without engineering expertise
  • Competition between IT and OT for budget dollars and new security projects

What does it take to overcome these challenges? A roadmap that is directional, transparent and adaptable.

Step 1: Understand your risks and impacts

A good roadmap should be deceptively simple. It is not a multi-year, fifty-step plan; it can and should be reevaluated every year or so based on changing dynamics. A roadmap should align your business objectives to cyber risks, prioritize projects and programmatic improvements, and provide insights into resourcing needs. It is broadly shared and created in context, with ties to current threat trends and incidents.

What is a roadmap NOT? A roadmap is not an auditable standard. It doesn’t replace other cyber risk governance models, it works in tandem with them. And it’s certainly not written in stone – in an industry that evolves this quickly, roadmaps must be able to adapt.

With those guardrails in mind, what does the roadmap toward a sustainable ICS/OT security program look like? It starts by understanding your risk.

  • Understand your risks and impact. Ask yourself the key question, “What does a really bad day look like?” and then look left and right of that “boom.” Identify what you can do both before and after the “boom” to reduce the risk of it happening and reduce the impact if it does.
  • Use historical and hypothetical scenarios to understand impact. It’s not an either/or. Incorporate data on real events into your impact evaluation as well as hypothetical, yet plausible, events that may reasonably occur. This approach lets you gain more insight into what a potential bad day could look like at your specific organization.
  • Consider scenarios at different scales. Think about your prevention and detection strategies for different scales of events. Assessing the range of possibilities, from one scenario at massive scale to multiple small scenarios spread over time, helps you construct a more comprehensive ICS/OT security strategy.

Step 2: Determine maturity and gaps

Once you have built the foundation of your roadmap by understanding risks and impacts, you can determine your maturity and gaps. We recommend a “Crawl, Walk, Run” approach that enables companies at any level of OT security maturity to make demonstrable, ongoing progress.

Which stage best describes your business?

  • Crawl: Your initial defenses may be resource-constrained (a fancy way of saying, “you’ve got one person and if they leave, you’re screwed”). You have no documentation and no lessons learned.
  • Walk: Resources are less scarce. You have moved beyond “oral history” to written documentation. Multiple stakeholders are involved and configuration management is in place.
  • Run: People across teams are trained, ready, and exercised. Executives are active participants in ICS security. Capabilities are double-checked and reviewed, perhaps by an internal audit team.

There is no wrong answer. The key is to be honest about the capabilities of your people, processes, and technologies so you can determine where to invest your time, money, and resources.

Step 3: Implement and measure

Once you understand how mature your organization is across the multiple facets of an ICS/OT security program, you can prioritize where to go next. Implementation closes the gaps between point A and point B, while measuring the distance from point A to point B lets you demonstrate your progress.

There are a number of ways to measure success. Options include:

  • Using a risk register to communicate the cost-benefit analysis of various program components and facilitate high-level risk discussions.
  • “Measure what matters” by stating your goals and benefits, identifying data sources, understanding how that data relates to your goals/benefits, and creating metrics accordingly.
  • Start somewhere, even if it’s as simple as one metric that you know you can measure with confidence and consistency. Measuring the network visibility of your systems, for example, is a great place to start.
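The network visibility metric suggested above is a good first metric precisely because it can be computed mechanically from two lists you already have: the engineering asset inventory and the hosts your passive monitoring actually observed. The following is an added example, not code from the Dragos article; the inventory, the sensor export, and the monitored subnets are all constructed here for illustration, and the 90% threshold is an assumed target. It computes coverage per zone, and separates assets that sit on an unmonitored subnet (a sensor placement gap) from assets that are monitored but never spoke (silent, offline, or mis-inventoried), so the metric points at the right fix.

```python
"""Added example (not from the article): an OT network visibility metric.

Computes the share of inventoried assets observed by passive network
monitoring, per zone, and lists the gaps with a reason for each.
All data below is constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory, as engineering might hand it over:
# (asset_id, ip, zone).
INVENTORY = [
    ("PLC-101", "10.10.1.11", "Line1"),
    ("PLC-102", "10.10.1.12", "Line1"),
    ("HMI-101", "10.10.1.50", "Line1"),
    ("PLC-201", "10.10.2.11", "Line2"),
    ("PLC-202", "10.10.2.12", "Line2"),
    ("HIST-01", "10.10.9.5", "DMZ"),
    ("EWS-01", "10.10.9.20", "DMZ"),
]

# Constructed set of IPs a passive sensor reported over the last 7 days.
SENSOR_OBSERVED = {
    "10.10.1.11", "10.10.1.12", "10.10.1.50", "10.10.2.11", "10.10.9.5",
    "10.10.1.77",  # on the wire but absent from the inventory
}

# Constructed SPAN/TAP coverage: the subnets the sensors can see at all.
MONITORED_SUBNETS = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]


def in_monitored_subnet(ip, subnets):
    """True if a sensor is positioned to see traffic from this address."""
    addr = ip_address(ip)
    return any(addr in net for net in subnets)


def visibility_report(inventory, observed, subnets, threshold=0.9):
    """Return per-zone and overall coverage plus two actionable gap lists.

    threshold is an assumed target; zones below it are flagged.
    """
    zone_total = defaultdict(int)
    zone_seen = defaultdict(int)
    not_observed = []
    for asset_id, ip, zone in inventory:
        zone_total[zone] += 1
        if ip in observed:
            zone_seen[zone] += 1
            continue
        # Distinguish a sensor blind spot from an asset that simply never spoke.
        reason = ("no sensor on subnet" if not in_monitored_subnet(ip, subnets)
                  else "silent or offline")
        not_observed.append({"asset": asset_id, "ip": ip,
                             "zone": zone, "reason": reason})

    known_ips = {ip for _, ip, _ in inventory}
    coverage = {z: zone_seen[z] / zone_total[z] for z in zone_total}
    return {
        "coverage": coverage,
        "overall": sum(zone_seen.values()) / len(inventory),
        "zones_below_threshold": sorted(z for z, c in coverage.items()
                                        if c < threshold),
        "not_observed": not_observed,
        # Hosts the sensor saw that nobody inventoried: an inventory gap.
        "unknown_on_wire": sorted(observed - known_ips),
    }


if __name__ == "__main__":
    report = visibility_report(INVENTORY, SENSOR_OBSERVED, MONITORED_SUBNETS)
    print(f"overall visibility: {report['overall']:.0%}")
    for zone, cov in sorted(report["coverage"].items()):
        print(f"  {zone}: {cov:.0%}")
    for gap in report["not_observed"]:
        print(f"  gap: {gap['asset']} ({gap['ip']}, {gap['zone']}) - {gap['reason']}")
    print("  unknown on wire:", ", ".join(report["unknown_on_wire"]))
```

Run it monthly against the current inventory and sensor export and the trend of the overall figure is your metric; the two gap lists are the work items that move it, and the "unknown on wire" list is the inventory-quality signal that keeps the denominator honest.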

Remember that this process is about continuous improvement, not “once and done.” Don’t fall into the trap of admiring the problem more than you’re solving it. We find 3-4 metrics for each person on your team is the “sweet spot” that demonstrates continual improvement while still focusing on what matters.

Every organization starts somewhere different. With a clear understanding of your risks and impacts, maturity and gaps, you can create a roadmap that guides your team to a sustainable ICS/OT security program in one year or less.

Original content can be found at Dragos.
