Sectrio

Gap Analysis Current and Target Profile in the Manufacturing Industry

what we had seen uh last year november uh some of these potential threat actors actually stayed dormant in the networks for almost six months before they could actually uh you know exploit the networks right so that actually creates a good segue for me to start off what exactly as part of the manufacturing profile that we talk about there is an important gap analysis step that is required by most of the organization to perform before they start or during their uh you know security strategy discussions and how exactly are we going to initiate some of these controls that are relevant to our organizations right so frameworks like these and especially the NIST cybersecurity framework profile that these mandates it is uh while there are several other frameworks uh this this specific one actually is used as an outcome based uh model especially focused on the business needs to achieve what will be the desired state and now uh it’s again a moving window so we see that threat landscape changes almost every single day so it definitely is something that i would like to highlight that it’s a continuous process that uh we you know work with our customers and generally what we have seen is that when it is done right it’s done in a more continuous manner and not at uh you know what we see uh in some times where uh because of the time and because of the budgets and how the security is taken as an afterthought towards the digital transformation uh we see that it it is usually once or twice a year and that is something that mindset is changing and this is becoming a line item in almost every single critical needs as part of the project as part of your back end operations our supply chain program every aspect in the in the overall product life cycle or any any kind of uh you know initiative new initiative that companies come in uh this kind of profile setting is actually becoming a standard norm uh that it mandates so what what do we see here so this is where we actually talk about what is our current profile or what does the current state look like in our infrastructure and what is the target or the desired state that we would want to achieve and what are the list of items that we would need in order to achieve that state so as we see we’ve identified again a non-exhaustive list of about four uh you know different uh topics or major points which talks about this current state so a uh yes our operational technology is complex uh we have quite a bit of legacy infrastructure so how well do we know what is exactly what is connected uh to our iot network so we always have been talking about purdue models uh with the advent of iot and indus digital industry four dot org transformation uh there is a break in that purdue model so there are uh solutions there are technology today which is getting bolted on to our legacy infrastructure in order to do predictive maintenance remote monitoring analytics and any any data that we can get out of our uh industrial control systems right so that becomes critical to understand how well do we know what is connected uh how what is our inventory look like which is connecting back to our ide networks what are the assets which are monitored by our existing uh security operations team and what controls do we have so that’s the limitations of otn ics security controls that we see today so now the frameworks that we see they’re not they’re not prescriptive so they’re not prescribed to follow any specific template uh to stay compliant right but they help you being compliant against several others that we have talked in the past uh talk uh mentioning about your uh nerdsip talking about your iec 62443 inisa so there is several different compliance metrics and standards that are coming there and how well do we identify what is required for us to map it with those compliances uh that we are working based on the industry that we are part of uh right and and also the risks on the industrial machines itself so can we afford a downtime on a critical infrastructure so today do we have enough controls that talk about how do we uh afford that downtime uh or how do we mitigate or minimize that downtime and uh what also the uh talking about the compatibility of our current existing technology which we have in rit versus the legacy technology uh and are we using the same set of controls to actually monitor our industrial control system do we have a focused or targeted approach on what exactly do we need to make uh do we need to have in place in order to monitor uh or even even respond to certain type of threats that i’m seeing in my industrial network right so those are some of the things in the in its current state the organizations has seen but then where exactly can they go from here how this profile helps them is by building out an action plan so mainly talking about i have 108 controls that i need to match now it’s a complex exhaustive process but most of those controls are already available with our existing security planning cycle uh we have we already have implemented a certain percentage of that so what is the gap that we see today which we do not have and how do we bring those controls in into our existing uh you know into our existing security monitoring is something that we will identify now there is other caveats that come into it uh talking about the current needs so is this a plan uh let’s say 2022 or do we want to defer it to our 2023 plan because of the resources because of the funding and budgeting that we have so that’s always a question that comes in and and basically uh what we have seen is that companies are more and more focusing on including this in a much earlier plan and much faster as possible rather than deferring it to the next financial year to the next uh you know uh planning cycle that gives definitely uh you know that that builds because my technology and my infrastructure is also changing over a year’s period the next thing is also prioritizing those risks uh so i cannot address everything at the same time so what are the most important relevant tasks that we need to identify based on this baselining based on the modeling that we have done across our thread profiles so we can probably prioritize it as a based on the impact and the likelihood of the cyber threat that’s happening so once you have that matrix in place it becomes much easier to prioritize these risks and then see do we already have some existing controls in it or do i need to go talk to a OT Security vendor or do i need to go talk to an external uh you know partner who can help us solve these problems and then how do i map all these with our organizational risks that we have identified so keeping the executive teams in loop telling here are the different set of controls that we do not have today and these these are the things that we would want to include in our uh you know security profiling to ensure that we stay cyber resilient in the operational technology and also you know creating or minimizing the catastrophic impact that it can have on business so everything security related to a downtime related to unavailability are all directly impacting the businesses reputation and things like that

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top