
How to evaluate OT security program maturity

By Prayukth K V
October 23, 2024

Summary

How do you quantify the effectiveness of your OT security program? Work through the quick guide below and determine your maturity level in a matter of minutes. No matter where you stand in this journey, Sectrio can help you optimize the program's efficiency and yield a high ROI. Read on and calculate your score now.

An OT security program can lead to better resource use, improved security operations, and tangible gains for the security posture of an OT operator.

The benefits of running an OT security program include:

  • Improved visibility into operations and asset behaviors
  • Enhanced ability to improve security posture through a feedback loop
  • Addition of newer security measures becomes easier
  • Defense-in-depth with zones for deploying a layered security approach becomes easier
  • Enables faster adoption of standards such as IEC 62443, NIST CSF, NERC CIP, NIST SP 800, NIS2 and more
  • Allows CISOs to scale up security measures when required
  • Improves incident response and cyber resilience
  • Enables better reporting and compliance with regulatory norms

At a fundamental level, an OT security program provides a strong foundation for an enterprise to adopt and scale up security measures.

What is OT security program maturity?

Based on various factors, an OT security program can be graded into the following tiers:

The table has four columns: Parameter, Mature OT Security Program, Evolutionary/Evolving OT Security Program and Early stage OT Security Program, plus a Score column that is left blank for you to fill in. Each parameter is listed below with the description that applies to each tier.

  • Clear delineation of roles and responsibilities
      Mature: All personnel across functions are clear about their roles and responsibilities. All employees are in alignment with the assigned roles for managing security collectively. Every team has an employee responsible for security.
      Evolving: This delineation is clear within the security operations teams. The larger organization does not subscribe to the program, or subscribes in parts, driven by a compliance mandate or another factor that originates from outside the organization.
      Early stage: Security teams are solely responsible for security. In the event of an incident, the security team is held responsible.

  • Security measures are driven by a well-drafted security policy and a governance framework that is binding for all employees
      Mature: Yes. All teams and employees are governed through, and are required to adhere to, a security policy that may derive elements from standards such as IEC 62443 yet projects a distinct security mandate while incorporating cultural elements from the organization and its operational imperatives. The policy clearly articulates the security requirements at all operational and asset levels.
      Evolving: The policy is generic in nature, without paying any attention to the unique institutional character of the organization. Compliance with the policy is also partial and episodic.
      Early stage: There is no policy in place.

  • Management and senior leadership are engaged in the security program and are active contributors
      Mature: Fully engaged and security-sensitive management.
      Evolving: Management is partially engaged and does not track the program.
      Early stage: Management is not connected with the program in any way.

  • Evolved incident response and disaster recovery mechanisms
      Mature: Followed in letter and spirit, with clear protocols.
      Evolving: A mix of proactive and reactive measures is in place. Assets and data are at risk due to a potential delay in intervention after an incident.
      Early stage: No measures in place.

  • Risk assessment and gap analysis audit frequency
      Mature: Once every 180 days.
      Evolving: Once every 365 days.
      Early stage: Infrequent, or performed in an ad hoc manner.

  • Institutional action on OT security audit findings
      Mature: Key audit findings are addressed within a pre-agreed time frame. The OT security policy is modified to reflect major suggestions.
      Evolving: Audit findings are addressed, but not in a time-bound manner.
      Early stage: If an audit is done, the findings are ignored or filed without any action being taken.

  • Program coverage
      Mature: 100 percent across assets, infrastructure, services, processes, sites and networks.
      Evolving: Partial.
      Early stage: Less or none.

  • Security operations coverage: asset visibility, vulnerability and patch management, secure remote access, SOC, hard segmentation of OT and IT networks
      Mature: Complete/100 percent.
      Evolving: Partial.
      Early stage: Less or none.

  • Improvement in key security operations metrics such as MTTD, MTTR, number of events closed and percentage of false positives over the last 11 months
      Mature: 30 percent.
      Evolving: 15 percent but less than 30 percent.
      Early stage: Less than 10 percent improvement.

  • Has the program been evaluated by a qualified third party?
      Mature: Yes.
      Evolving: No.
      Early stage: No.

  • How frequently do OT security awareness programs run?
      Mature: Once a quarter.
      Evolving: Once every 9 months.
      Early stage: Only in October.

  • Are crown jewels and legacy systems residing behind a DMZ?
      Mature: Yes.
      Evolving: Yes.
      Early stage: No.

  • Strong anomaly and breach detection capabilities
      Mature: Yes.
      Evolving: Approaching strong, but not yet there.
      Early stage: Weak or non-existent.

  • Countermeasures in place around access controls and insider activity
      Mature: Yes.
      Evolving: Partial measures in place.
      Early stage: No.

  • Cybersecurity risk in the ICS environment is managed through strategic security planning and controls
      Mature: Yes.
      Evolving: Partial measures in place.
      Early stage: No.

  • OT security assurance is arrived at through risk minimization and management of risk exposure
      Mature: Yes.
      Evolving: Partial measures in place.
      Early stage: No.

  • Lifecycle measures in place for each aspect mentioned above
      Mature: Yes.
      Evolving: Partial measures in place.
      Early stage: No.

  • ICS controls derived from the last OT security audit cycle implemented
      Mature: Yes.
      Evolving: Partially.
      Early stage: No.

  • Secure design architecture and engineering compliance in place
      Mature: Yes.
      Evolving: Initial/rudimentary.
      Early stage: No.

  • Microsegmentation implemented
      Mature: Yes.
      Evolving: No.
      Early stage: No.

Calculating the score of your OT Security program

To derive your OT security program effectiveness score, go through each parameter and assign 40 points where your program meets the mature program description, 20 points where it meets the evolving program description, and 5 or 0 points (0 for each "No") where it only meets the early stage program description. Add the points across all parameters to get your total score.

For example, for the parameter "Microsegmentation implemented", the following scores apply:

Mature (Yes): 40 points
Evolving (No): 0 points
Early stage (No): 0 points

For the "Secure design architecture and engineering compliance in place" parameter, follow the points scheme below:

Mature (Yes): 40 points
Evolving (Initial/rudimentary): 20 points
Early stage (No): 0 points

If your total score is above 650 points, then you are running a mature OT security program. Congratulations.

If your total score is above 350 but less than 650, then you are running an evolving security program. Let’s ramp up.

If your total score is below 350 points, then you have a lot of catching up to do.

No matter where your OT security program sits on the above scale, Sectrio can help you run a model security program that is relevant to your operations and high on ROI.

Talk to our OT security program expert now through a free consultation to figure out your next steps.

Reach out to us now.
