With rising cyberattacks on industrial control systems, ICS security teams are rushing to put in place an ICS security governance model that doesn’t just secure their control systems but amplifies the impact of institutional cybersecurity measures.
The foundation of a good ICS security governance model rests on three As: awareness, accountability, and authority. Teams invested in ICS security should cover all three from the start, so that the fundamentals, the execution machinery, and the goals are aligned with whatever model emerges later. Most organizations find their governance models pitted against bureaucratic inertia and misalignment with leadership goals, and lacking accountability, an evolutionary path, and specific objectives that are understood and accepted by all. Thus, by faltering at the very first steps, the governance model doesn’t even get a chance to stand, let alone run.
Across industries such as oil and gas, manufacturing, and utilities, the teams tasked with managing ICS security often run into organizational goals that focus on improving employee productivity and output, meeting production schedules, etc. In such instances, ICS security measures added to control systems are perceived to slow down everything and thereby run counter to institutional priorities. We have all been there, haven’t we?
But with the emergence of new threat actors and independent groups targeting OT and ICS infrastructure, businesses need to take up the task of conceptualizing and deploying an ICS governance model in a hurry.
Here are a few steps for ICS security that you can take to get this going:
- Never reinvent organizational culture: instead, bring a security dimension to the culture by making employees more risk- and cybersecurity-aware. Your organizational culture should be agile enough to incorporate security-related concerns and measures with ease. Creating a whole new culture takes time and resources, and considering the rise in cyberattacks, you may not have that kind of time to get things in place.
- Empower the CISO: budgets, ultimate authority, and decision-making power should lie with the CISO. A CISO should be in a decision-making rather than an influencing capacity when it comes to the overall cybersecurity posture and functions in the organization. To learn more, get the CISO handbook now.
- Go by the impact view: every control system owner should be aware of the impact of a cyber incident on their respective operations. All resilience measures should also be linked to every unit and control management team in the organization. For instance, the shop floor could have its own understanding of the impact of a targeted cyberattack on it, but this understanding should be developed in collaboration with the ICS security teams, and if needed, budgets can be assigned at this level along with the required accountability.
- Measure everything: never keep your objectives at a theoretical level (prevent cyberattacks, address vulnerabilities, etc.). Instead, formulate a KPI-based (BRAG) scorecard for each parameter and track it separately and collectively (time to detect, including detection time and detection quality; time to address threats; time to patch; etc.). Each control area should have these KPIs tracked.
- Conduct audits periodically to get data on opportunities for improvement. Consider frameworks such as NIST CSF, Zero Trust, and IEC 62443 to improve basic governance parameters.
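One way to make the "Measure everything" step concrete, as an added example that is not Sectrio's code: a small Python scorecard that rates each control area's KPIs (time to detect, detection quality, time to patch) separately and then rolls them up collectively. Reading BRAG as blue/red/amber/green with blue meaning "not yet measured", the thresholds, and the sample control areas are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional
# BRAG read as Blue/Red/Amber/Green; Blue marks a KPI that is not yet measured (an assumption).
SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2, "BLUE": 3}
# Assumed thresholds, to be tuned per site: (green_max, amber_max) for lower-is-better KPIs,
# (green_min, amber_min) for detection quality (true-positive share of alerts raised).
TIME_TO_DETECT_H = (24.0, 72.0)   # hours from incident start to detection
TIME_TO_PATCH_D = (30.0, 90.0)    # days from vendor advisory to patch deployed in the area
DETECTION_QUALITY = (0.90, 0.70)

@dataclass
class AreaKPIs:
    area: str
    time_to_detect_h: Optional[float]   # None = not tracked yet
    detection_quality: Optional[float]
    time_to_patch_d: Optional[float]

def rate_lower(value, green_max, amber_max):
    """Rate a KPI where smaller is better."""
    if value is None:
        return "BLUE"
    return "GREEN" if value <= green_max else "AMBER" if value <= amber_max else "RED"

def rate_higher(value, green_min, amber_min):
    """Rate a KPI where larger is better."""
    if value is None:
        return "BLUE"
    return "GREEN" if value >= green_min else "AMBER" if value >= amber_min else "RED"

def rate_area(k):
    """Separate tracking: one rating per KPI for a single control area."""
    return {"time_to_detect_h": rate_lower(k.time_to_detect_h, *TIME_TO_DETECT_H),
            "detection_quality": rate_higher(k.detection_quality, *DETECTION_QUALITY),
            "time_to_patch_d": rate_lower(k.time_to_patch_d, *TIME_TO_PATCH_D)}

def worst(ratings):
    """Roll-up rule: the worst KPI sets the rating; an unmeasured KPI outranks a red one."""
    return max(ratings, key=SEVERITY.__getitem__)

def scorecard(areas):
    """Collective tracking: per-area roll-ups plus one organization-wide rating."""
    per_area = {a.area: worst(rate_area(a).values()) for a in areas}
    return {"per_area": per_area, "collective": worst(per_area.values())}

# Constructed sample data for four control areas (not real measurements).
SAMPLE_AREAS = [AreaKPIs("shop_floor", 12.0, 0.95, 20.0),
                AreaKPIs("packaging_line", 48.0, 0.80, 45.0),
                AreaKPIs("boiler_control", 120.0, 0.60, 100.0),
                AreaKPIs("remote_pump_station", None, None, 15.0)]
```

Running `scorecard(SAMPLE_AREAS)` rates the remote pump station blue even though its patching is green, so an untracked control area cannot hide inside a good collective score.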