Asset owners in virtually all sectors must determine the best approach to addressing the cybersecurity risks associated with their operations. While many larger companies already have a robust program, others are still struggling to determine how to proceed.
One of the fundamental questions is where to look for guidance and direction. Some sources are specific to one or more sectors, while others focus on the characteristics of systems that are common to all sectors. This Insight examines this question from two perspectives: the first is the technology that IT and OT systems share, and the second is the differences that exist from sector to sector.
The World Today
Operations systems are often very complex in both composition and operation, and their failure or inability to operate as designed can have serious consequences. While some of these consequences involve the loss or misuse of information, the most serious arise because these systems collect data from, and automate, physical processes, so a failure can have physical consequences rather than purely informational ones.
From Then to Now
Many of these systems were installed years or decades ago and have undergone incremental changes to incorporate improved technology, address new opportunities, and remove obsolete or unsupportable elements. These changes affect both hardware and software components.
When cybersecurity first emerged as an imperative for operations systems, there was a dearth of useful information available to asset owners. Since then, the situation has reversed: a vast amount of information is now available, and the challenge has shifted from finding any relevant guidance at all to selecting and vetting the many sources on offer.
A Risk-based Approach
Regardless of their source and scope, virtually all available sources of guidance agree that the most effective cybersecurity programs must be based on a thorough risk assessment. What is still lacking is clear direction, grounded in practical experience and case studies, on how to approach the task of establishing a cybersecurity response.
The asset owner faces significant challenges in assembling an effective and sustainable cybersecurity response. Several of these are described in the following paragraphs.
Describing the Response
To obtain the necessary support for the cybersecurity response it is necessary to describe what is intended. There are common difficulties encountered at this stage.
- Project or program – One common mistake is to refer to cybersecurity initiatives as projects, implying that the efforts will have a defined beginning and end. Although some have chosen to use the term “program” instead, this too can imply that there is a logical end to the effort, whereas a cybersecurity response must be sustained for as long as the systems it protects remain in service.
- Terminology – People are also often confused by the use of imprecise, arcane, or inaccurate terminology. This is particularly true when terms are used that are common to, or even unique to, a specific discipline or industry. While the information security discipline is mature enough to have a commonly accepted set of terms and concepts, those working in operations security must also deal with a variety of possibly unfamiliar terms for the equipment and systems being protected.
- Messaging – Finally, the available sources often send very mixed messages. In part, this is because the nature of the response reflects the driving forces behind its creation: regulated industries may view compliance as the primary driver, while others may be more focused on avoiding adverse incidents through risk reduction.
It is often difficult to combine the skills required for program or organizational design with those associated with the details of cybersecurity. Effective responses require both, as well as the ability to regularly assess progress and adjust objectives and priorities. Guidance of this kind would typically take the form of case studies, but companies are often reluctant to share the details of their efforts with others.
ARC Advisory Group clients can view the complete report at ARC Client Portal
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Case Studies, Guidelines, IT, OT, Profiles, Risk, Requirements, Standards, ARC Advisory Group.