by Curtis Blount, CSO
Last week, I wrote about my personal journey leading up to InsightCyber. This week, I would like to focus on Risk Management and how we can help you incorporate risks into your daily ICS/OT operations. It’s IoT from the CISO’s perspective.
A lot of organizations in the ICS/OT cybersecurity market are applying IT-centric methodologies to ICS/OT. The solutions are high-priced and complex, but a lot of CISOs are hearing the pitch that it will solve all their IoT security problems.
But that’s like going from point A directly to point Z without following steps B through Y. The phrase “Information Security” first came into common use around the time of Sarbanes-Oxley (in the early 2000s). Since then, IT and now cybersecurity have matured. However, this was a journey that needed to be taken.
It’s the same with ICS/OT cybersecurity. There is a journey that needs to be taken to achieve an acceptable and balanced level of risk. You won’t get there by skipping the fundamental aspects of security and risk management. While some IT-centric security controls do apply, OT operational controls must be considered as well.
Cybersecurity is a Journey
My InsightCyber colleagues and I have had long careers in cyber. We understand the technology, the trends, and how the “me-too’s” can hijack the market. In creating InsightCyber from the ground up, we looked at ICS/OT cybersecurity from a different perspective.
We ask the question, “How mature is your ICS/OT cybersecurity and risk program?” We ask this fully understanding that many CISOs don’t know anything about their OT environment.
Cybersecurity in general is not a destination, but a journey. As a services company that is dedicated to ICS/OT, we have designed our services to help you through the process of the journey. At the end, the outcome is that you have a mature ICS/OT cybersecurity and risk program.
Notice the maturity statement asks about “ICS/OT cybersecurity and risk.” That’s because those are the two fundamental aspects of the journey:
From a cyber perspective, it’s putting the necessary controls in place to identify and protect critical OT operations/systems/assets.
From a risk perspective, it’s putting the necessary processes in place to detect, respond and recover from operational anomalies which could lead to a potential cyber threat.
Of course, part of that journey is implementing a cyber framework that provides the baseline for cybersecurity practices. Toward that end, we have developed a maturity model that provides a benchmark against which any ICS/OT organization can evaluate the current capabilities of its controls and processes.
The First Two Steps of the Journey
CISOs are often asked by their boards how their organization measures up against their peers. Using the InsightCyber maturity model creates an accurate benchmark for ICS/OT cybersecurity practices. We have developed a journey with 5 steps delivered as managed services.
Let’s look at the first two steps, which mark the beginning of the maturity curve (where most organizations fall):
OT-IT Baseline. How do you know where you’re going if you don’t know where you came from? The first step in the journey is to establish a baseline of the OT-IT boundary, where potential cyber threats can exist. The InsightCyber Rapid Assess service is the onset of the maturity curve. It is designed to help the CISO (and CIO) understand the connectivity across the OT-IT boundary. The result is a highly technical report that outlines network connectivity, Internet connectivity (if your OT systems have direct access to the Internet), open ports, services in use and, most importantly, who is sending commands to your OT environment. The CISO/CIO can use this information to build a larger scope for ICS/OT cyber and risk management practices.
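To show what an OT-IT boundary baseline looks like in practice, here is an added illustration (not InsightCyber’s tooling or report format) that records which sources talk to which OT assets, on which ports and services, and then flags later flows that deviate from that baseline. The flow records, the OT address range and the protocol labels are all constructed for the example.

```python
# Added illustration: building an OT-IT boundary baseline from flow records.
# Not InsightCyber's tooling; all flow records below are constructed.
from collections import defaultdict

# Constructed flow records: (source, destination, dst_port, protocol_name)
BASELINE_FLOWS = [
    ("10.1.5.20", "192.168.100.10", 502, "modbus"),    # HMI -> PLC
    ("10.1.5.20", "192.168.100.11", 502, "modbus"),
    ("10.1.5.30", "192.168.100.10", 44818, "enip"),    # engineering ws -> PLC
    ("10.1.5.40", "192.168.100.50", 20000, "dnp3"),    # SCADA master -> RTU
]

OT_NETWORK = "192.168.100."  # assumption: OT assets live in this range

def build_baseline(flows):
    """Summarise who sends traffic to each OT asset, and on which port/service."""
    baseline = {
        "senders": defaultdict(set),   # OT asset -> set of source addresses
        "ports": defaultdict(set),     # OT asset -> set of (port, protocol)
    }
    for src, dst, port, proto in flows:
        if dst.startswith(OT_NETWORK):
            baseline["senders"][dst].add(src)
            baseline["ports"][dst].add((port, proto))
    return baseline

def find_deviations(baseline, new_flows):
    """Return flows into OT whose sender or service was absent from the baseline."""
    deviations = []
    for src, dst, port, proto in new_flows:
        if not dst.startswith(OT_NETWORK):
            continue  # only traffic crossing into OT is in scope
        new_sender = src not in baseline["senders"].get(dst, set())
        new_service = (port, proto) not in baseline["ports"].get(dst, set())
        if new_sender or new_service:
            deviations.append({"src": src, "dst": dst, "port": port,
                               "proto": proto, "new_sender": new_sender,
                               "new_service": new_service})
    return deviations

# Constructed later observation: one unexpected sender and one unexpected service.
LATER_FLOWS = [
    ("10.1.5.20", "192.168.100.10", 502, "modbus"),    # known conversation
    ("10.7.0.99", "192.168.100.10", 502, "modbus"),    # new sender to the PLC
    ("10.1.5.20", "192.168.100.10", 22, "ssh"),        # known sender, new service
]

if __name__ == "__main__":
    for d in find_deviations(build_baseline(BASELINE_FLOWS), LATER_FLOWS):
        print(d)
```

Each flagged deviation is a candidate finding for the larger scope the CISO/CIO builds from the baseline; which ones are acceptable is an operational decision for the OT team.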
Cyber & Risk Assessment. Now that the CISO/CIO has a better understanding of the potential cyber risks within the ICS/OT environment, they can take that information back to their board, propose a more in-depth risk assessment, and request budget for the project. The InsightCyber Security & Risk Assess service is a comprehensive review of the entire ICS/OT environment. This service will help define not only the potential gaps in the environment but also a baseline starting point from which to build the ICS/OT cyber and risk management program. Our service is a hybrid that blends the NIST CSF, the Cybersecurity Capability Maturity Model, and our own OT operational risk methodology.
The service includes a complete analysis of network connectivity, a review of OT controls and operations, a walk-through of OT facilities, and a review of safety systems. The results of the assessment are technical documents that outline potential gaps, red flags, and a maturity baseline, along with recommendations for remediation.
At this point, you are probably saying to yourself that risk assessments are not cheap. You are correct on that point. However, there is a demonstrable ROI. Keep in mind that unlike IT (unless you are in e-commerce), OT has a direct impact on revenue. As such, the assessment can show the board the potential risks and threats to revenue.