It is generally accepted that the protection of industrial control systems (ICS) from various types of malicious software and deliberate attack should be a priority for all asset owners. Standards bodies, suppliers, and asset owners have responded to this imperative across a variety of industries, providing several types of guidance and direction, including frameworks, standards, and practices. Each of these responses is important and even necessary, but anecdotal evidence indicates that even applied collectively they are not sufficient. They must be supplemented by practical examples that are based on real experience.
Most would probably agree that there are real benefits from learning from the experience of others, especially if there are opportunities to observe what measures have or have not worked in similar situations. Avoiding false steps is very important given the limited resources typically available to contribute to a security program. This is the basis of benchmarking exercises in so many other areas. Unfortunately, there is often a reluctance to share information about certain elements of cybersecurity risk. While threats and vulnerabilities are shared by suppliers and researchers, asset owners may be unwilling or unable to share details of their response, fearing that this information will fall into the hands of attackers. While the need for case studies as a source of practical guidance is more important than ever, their number remains limited.
The State of Useful Guidance
The need for practical guidance and direction on what is required to improve the cybersecurity of industrial systems has been well-established for years. As the level of understanding and appreciation of the nature of the problem has evolved, the amount, nature, and quality of available guidance have also increased. Unfortunately, this has also led to an increase in the number of potential sources for such information. The irony is that this may in turn create uncertainty as to which source is best, and where to go for the most applicable and practical guidance.
The level of awareness of the nature of the challenge has increased as additional sectors have recognized the nature and severity of their potential risks. This is a testament to the efforts of many individuals and organizations to translate what are often seen as vague and non-specific security risks into terms that address the potential implications of breach or compromise. Increased reporting of actual incidents has also contributed to this awareness.
Publication of potential threats and incidents has also increased awareness among asset owners and other stakeholders. Although these may sometimes be discounted or even denied based on the perception of low probability of occurrence, they do add to the justification for an improved cybersecurity response. Vulnerabilities are harder to discount than what may be seen as vague or non-specific threats. Their existence is a function of the specific technologies employed in a particular situation.
From Awareness to Understanding
Ideally, increased awareness leads to a better understanding of the nature of the risk. Unfortunately, this is not always the case, as it requires a detailed understanding of all elements of risk, including potential consequences. A full appreciation of consequence is only possible with a detailed understanding of the system under consideration. Potential consequences may be the same for cybersecurity risk as for more traditional risks, such as those related to process safety. It is important to acknowledge potential risks, with or without mitigating measures, and to recognize that certain risks may simply be accepted, regardless of whether any mitigations are applied.
There are a variety of useful resources available to those responsible for defining and implementing a cybersecurity program. Standards are available from several sources. In some cases, they have been developed by industry-specific organizations and tailored to the industry or sector in question. One such example is the NERC CIP standards for the energy sector. More broadly focused standards, such as ISA/IEC 62443 and those in the ISO-27000 series, can be applied to a range of sectors through the use of profiles or recommended practices.
Although often confused with standards, frameworks are quite different. Rather than specifying the detailed requirements for effective cybersecurity, frameworks describe an approach to defining the cybersecurity response, referencing one or more standards as the source of the more detailed requirements. Perhaps the best-known source of this type is the NIST cybersecurity framework (NIST CSF).
While practices can come in several forms, their purpose is to provide practical guidance based on experience. While perhaps the most useful, they are often the most difficult to find. Use cases may be developed to describe how specific actions are to be performed, while case studies describe a specific application or solution, along with a summary of lessons learned.
What Holds Us Back?
While there is a considerable amount of information available on effective industrial cybersecurity practices, implementation in the form of comprehensive programs is still not where it should be. Without a doubt, there are as many detailed reasons for this as there are individual situations, but the barriers and mitigating factors fall into several broad categories.
Keywords: Benchmarking, Case Study, Cybersecurity Program, Industrial Cybersecurity, IT/OT, Use Case, ARC Advisory Group.