The OT Security Academy

Journeying toward a Secure OT Infrastructure

Written by Rajesh Kenge | September 13, 2024

While awareness and understanding of OT/ICS security is increasing, we see a few organizations still grappling with the enormity of the task. Omny’s subject matter expert, Rajesh Kenge, will walk you through how to begin assessing the current state of your organization’s infrastructure.

Before we begin, take a moment to absorb these key questions that organizations often struggle to answer when beginning the OT security journey. You may struggle with them too; don’t fret, Rajesh is here to help.

  • Do we understand the differences between OT and IT infrastructure?
  • Do we have an accurate picture of all the OT assets?
  • Do we know where to begin and do we understand what OT Security maturity looks like for our organization?
  • Do we have the necessary skills and bandwidth required to support the OT Security function within our organization?
  • Do we understand the threat landscape impacting our industry/organization?
  • Do we have sufficient knowledge about the international standards and best practices in our industry?

 

Begin with an honest assessment of your systems

Assessments can be a good place to start: they can answer the above questions and build a solid foundation for the next steps in your OT security journey. However, assessments can mean different things to different people depending upon their role and function within your organization. Let’s look at a few different industry roles and what each might want to glean from an assessment.

To begin with, a CxO might be looking for a quantifiable number to come out of an assessment, enabling them to make informed investment decisions, lower organizational risks, or even decide upon an acceptable level of residual risk. For them, a comprehensive risk assessment might include potential production losses, environmental losses, loss of life and damage to brand value. This type of risk assessment would take into account the various threat actors (e.g., insiders, script kiddies, hacktivists or deep state actors trying to cripple critical infrastructure).

Other roles that gain value from a risk assessment are Plant Managers, Operational Managers, or even Automation Managers. These roles typically use an assessment to find out whether the OT systems running their plant/operations have control measures that act as a sufficient deterrent to potential attackers. Assessments can also be useful to them as a way of enabling early detection and quick recovery of plant operations. Additionally, they will want to balance the Cyber Security Controls required to achieve a specific security level with the need to safely operate and maintain the plant. The Control Assessment should cover, among other things, cataloging the OT asset inventory, reviewing the as-is system architecture, and identifying the gaps in the OT infrastructure vis-a-vis the international standards and best practices in the industry. It should propose a revised, segmented System Architecture and suggest solutions that can plug the gaps identified.

Internal auditors are generally more concerned with ensuring that all the checkboxes have been ticked. While they want to see whether the deployed solutions are managed to an optimal level, they are also worried about the ability to continuously monitor the cyber health of the deployed systems. They are looking for assurance that most, if not all, of the security solutions deployed have the capability of reporting incidents to a centrally managed solution where all the events, incidents and anomalies can be analyzed and monitored.

 

Understand which type of assessment or assessments are right for your organization 

So, while the word "assessment" is commonly used by many different roles and departments, it carries different meanings and expectations depending on the needs of whoever is using the term. Generally, however, the most used assessments tend to fall under these categories:

  • Risk Assessment
  • Control Assessment or Gap Assessment
  • OT Security Function Maturity Assessment

The output of a Risk Assessment should provide a very clear picture of the financial, environmental and brand value risks that an organization carries as of today. It should also identify the threat actors that might be interested in gaining access to the organization’s OT infrastructure. Knowing this information can help an organization set its Security Level-Targets (SL-T) (as defined in the IEC 62443-2 standard). These SL-Ts can then be used in the Control/Gap Assessment phase to identify and deploy defense-in-depth cyber solutions.

A Control Assessment should provide visibility into the up-to-date asset inventory, including the security capability of each asset, and suggest mitigation measures to reach the Security Level-Targets identified in the Risk Assessment phase. IEC 62443-3-3 is a good standard to follow to segregate the OT network, develop the organization’s Zones & Conduits model, and then deploy the various cyber solutions as required by each Zone’s security targets.

OT/ICS Security is a continuous process and requires Process, People and Technology to work seamlessly. The OT Security Function Maturity Assessment should not only provide visibility into whether your organization has sufficient processes in place to manage any deployed cyber solutions, but also show whether or not those processes are followed. This assessment can help the organization determine if it has the necessary resources, in terms of both human capital and financial capital, to keep its systems up to date.

Needless to say, all the above assessments require the help of a risk professional. Some organizations have these professionals in-house; many do not. It is important that such assessments are performed regularly by professionals with knowledge and proven experience of working on OT systems and familiarity with industry standards such as IEC 62443, which provide strong guidance and a framework for execution.

If you are concerned about where and how to move forward with your OT journey, why not talk to Rajesh or any of our subject matter experts? Take control of your journey; it only takes one form.