ARC’s Industrial Cybersecurity Maturity Model Evolves

By Sid Snitkin
ARC Report Abstract


ARC Advisory Group released its first Industrial Cybersecurity Maturity Model in 2016 to help clients manage industrial cybersecurity investments.  The model provided a framework for non-technical managers to understand the risk reduction benefits of cybersecurity technologies and the coverage of supplier products.  The underlying structure showed the need to align people, processes, and technology investments to help ensure that security benefits are achieved.     

Industrial cybersecurity has changed significantly since ARC released that first model.  High-profile, sophisticated attacks have increased demands for better visibility of control system cyber risks.  Integration of IT and OT cybersecurity programs drives the need for increased system access by remote support teams.  Digital transformation programs require new approaches to ensure secure deployment of multitudes of new, potentially insecure devices within plant boundaries.  ARC’s new industrial cybersecurity maturity model provides the additional information managers need to manage industrial cybersecurity strategies in this new reality.

ARC Industrial/OT Version 2.0

The figure below shows ARC’s new industrial/OT cybersecurity maturity model.  It structures industrial/OT cybersecurity as a sequence of steps that organizations should take to build a cybersecurity program that meets their risk management goals.  The model’s incremental nature enables managers to balance program costs with their company’s respective tolerance for risk.  

[Figure: ARC Industrial/OT Cybersecurity Maturity Model Version 2.0]

Each step in ARC’s model addresses a specific, easily understandable security issue, such as securing individual devices, defending plants from external attacks, containing malware that finds a way into the control system, monitoring systems for signs of cyber compromise, and managing active attacks and cyber incidents.  Each step adds a layer of protection that prepares the facility for more sophisticated cyber-attacks.  Proceeding sequentially through the steps ensures that the integrity of each layer is sustained.

Each step has an associated set of people, processes, and technologies that are required to accomplish its goals.  The associated security technologies indicate the kinds of solutions that companies should consider in building defenses that achieve the steps’ respective security goals.  Security management technologies (shown separately) are needed to select, implement and sustain the effectiveness of the spanned security technologies.  Companies should strive to have the associated people, processes, and security management technologies in place before implementing the associated security technologies.   

Color is used to distinguish reactive and proactive cybersecurity maturity levels.  The blue (reactive) levels reduce the likelihood of a system compromise by blocking unauthorized access and detectable malware.  The orange (proactive) levels add capabilities that minimize the impact of an actual compromise.  These steps address the people, processes, and technologies needed to rapidly detect and respond effectively to such events.


ARC Advisory Group clients can view the complete report at ARC Client Portal 

If you would like to buy this report or obtain information about how to become a client, please Contact Us     

Keywords: Industrial Cybersecurity, OT Cybersecurity, Maturity Model, ARC Advisory Group.
