Securing our critical infrastructure is more consequential than ever, especially when it comes to cybersecurity. Wherever your organization is on its journey to improve its cybersecurity posture, it is important to do a temperature check to gauge whether you are truly on the right track.
In the quickly evolving world of OT/ICS cybersecurity, staying up to date on what others in the industry are doing can help us understand where our own programs can improve, or where we are ahead. This year, SecurityGate.io Co-Founder & Chief Product Officer Cherise Esparza was honored to share her perspective on the changing industry in Miami, Florida on the main stage of S4x22, the largest conference for OT (Operational Technology) and ICS (Industrial Control Systems) security.
In her presentation “Essential Principles: The Key to Organizational Maturity”, Esparza outlines the stages that critical infrastructure companies move through as they mature their cybersecurity programs. She explains best practices for each stage so that organizations know what to do to evolve their cyber programs efficiently.
Based on what she has seen from working directly with hundreds of critical infrastructure clients while at SecurityGate.io, companies typically follow a pattern of activities that places them in one of four categories – Prepare, Baseline, Accelerate, and Incorporate. These categories are used to define the overall maturity of a company’s cybersecurity program and can serve as a roadmap for moving forward.
Companies that are beginning to initiate a formalized cybersecurity strategy are in the Prepare phase. The cybersecurity team may be evaluating well-known, widely relied-upon risk management frameworks such as NIST or IEC 62443. They may also be establishing a budget and working out who should be involved in the decision-making process.
Cherise recommends that companies in this stage perform a business impact analysis (BIA). This is a relatively quick and straightforward way to illustrate the consequences of a cyber attack to leaders and executives. A BIA will also help bridge the gap between technical and non-technical stakeholders and identify what aspects of the business are the most critical to protect.
In order to measure progress, an organization must understand where it is starting from by establishing some baseline metrics. A company in the Baseline phase is doing just that. It has started, or even completed, its first rounds of gap assessments. These gap assessments diagnose the degree to which the organization complies with the framework chosen in the Prepare phase.
Though these gap assessments are typically time-intensive and require the involvement of many teams, their outcome should bring value by aligning disparate teams and enabling leaders to prioritize budgets based on missing controls and the criticality of the facilities assessed.
Organizations in the Accelerate phase have run a few cycles of gap assessments and established a reliable and repeatable OT/ICS risk management program. Cherise notes that at this point organizations fundamentally change their attitudes about assessments.
They now scale their process across facilities and even begin evaluating third-party suppliers and their supply chain. Unlike the Baseline phase, the goal in the Accelerate phase is no longer limited to completing assessments. Instead, the focus is on making incremental progress by remediating the gaps discovered.
As they scale their strategy, the need to reduce disruption to operations arises. Companies such as Chevron have accomplished this by introducing automation to remove manual processes from their OT/ICS risk management program. This is the point where organizations begin to benefit from automating activities, such as implementing a ticketing solution or digitizing the assessment process.
The Incorporate phase is an emerging category populated by only a few organizations. They have figured out how to efficiently collect, organize, and translate vast amounts of data into meaningful insights.
Rather than assessing against a broad, templated framework like NIST, these organizations use their own custom frameworks and/or run gap assessments on the component level.
In cybersecurity, risk is usually described in terms of the component parts of a system. A component assessment helps organizations focus their efforts by evaluating the individual parts of a system, such as the hardware or software. By combining the value of a given component with the likelihood that it will be compromised, organizations can zero in on the remediations they need to make, saving budget, time, and other resources.
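As an added illustration of the component-level prioritization described above (example code written for this summary, not SecurityGate.io's product or Esparza's material), the script below scores a constructed inventory by value times likelihood, ranks components by risk, rolls risk up per facility, and selects remediations within a budget. The 1 to 5 scales, component names, and cost units are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    facility: str
    value: int             # business value / criticality, 1 (low) to 5 (critical), assumed scale
    likelihood: int        # likelihood of compromise, 1 (rare) to 5 (likely), assumed scale
    remediation_cost: int  # relative effort units needed to close the gap, assumed


def risk_score(c: Component) -> int:
    """Component risk as value x likelihood (1..25): the combination the article describes."""
    return c.value * c.likelihood


def rank_components(components):
    """Highest-risk components first; ties broken by cheaper remediation, then name."""
    return sorted(components, key=lambda c: (-risk_score(c), c.remediation_cost, c.name))


def facility_risk(components):
    """Sum of component risk per facility, to compare sites against each other."""
    totals = {}
    for c in components:
        totals[c.facility] = totals.get(c.facility, 0) + risk_score(c)
    return totals


def remediation_plan(components, budget):
    """Greedy pick by risk reduced per unit of cost until the budget is exhausted.
    Returns (selected component names in pick order, total risk addressed)."""
    by_efficiency = sorted(components, key=lambda c: (-(risk_score(c) / c.remediation_cost), c.name))
    selected, spent, addressed = [], 0, 0
    for c in by_efficiency:
        if spent + c.remediation_cost <= budget:
            selected.append(c.name)
            spent += c.remediation_cost
            addressed += risk_score(c)
    return selected, addressed


# Constructed sample inventory (not from the article): two facilities, a few components each.
SAMPLE = [
    Component("historian-server", "plant-a", value=4, likelihood=3, remediation_cost=2),
    Component("safety-plc", "plant-a", value=5, likelihood=2, remediation_cost=5),
    Component("eng-workstation", "plant-a", value=3, likelihood=5, remediation_cost=1),
    Component("remote-hmi", "plant-b", value=4, likelihood=4, remediation_cost=3),
    Component("badge-printer", "plant-b", value=1, likelihood=2, remediation_cost=1),
]

if __name__ == "__main__":
    for c in rank_components(SAMPLE):
        print(f"{risk_score(c):2d}  {c.facility:8s} {c.name}")
    print(facility_risk(SAMPLE))
    print(remediation_plan(SAMPLE, budget=6))
```

The greedy plan favors cheap, high-risk fixes first, so the expensive safety PLC remediation is deferred until more budget is available; that is the kind of trade-off the component view makes visible.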
Progress Your OT/ICS Cybersecurity Strategy
In general, maintaining good lines of communication is the key to improving your cybersecurity strategy. Internally, you must be able to communicate value to stakeholders for additional support, and externally, sharing lessons with colleagues in the industry or following thought leaders can help inform where you take your strategy next.
Wherever your program falls on the maturity scale, SecurityGate.io can help you move forward by simplifying the risk assessment process with automation. SecurityGate.io was built by a team of professionals with decades of experience in critical infrastructure industries. We understand that there are challenges specific to industrial organizations running operational technology (OT). That’s why we built a platform that is not only easy to use but also improves communication between traditionally siloed teams. Contact us today to see if SecurityGate.io can accelerate your OT/ICS cybersecurity program.