Cybersecurity Maturity Model

ARC developed its ICS Cybersecurity Model as a tool to help managers take control of their plant security efforts. It structures cybersecurity defenses into easily understandable steps and highlights the costs and resources required for each step. Managers can use the model to assess their current situation, focus staff efforts, and evaluate the full implications of additional funding requests. ARC ICS cybersecurity consultants can assist companies in all of these efforts.


The ICS Cybersecurity Management Challenge

ARC Advisory Group research shows that industrial managers appreciate the risks of cyberattacks on their facilities. Many have made significant investments based on popular standards like ANSI/ISA-62443 and NERC CIP and the recommendations of cybersecurity experts. They expected that this would solve their problems, but most are finding that this is just the start of a never-ending stream of requests for additional cybersecurity technology and resources.

Managers are rightfully frustrated with their inability to manage this critical activity. They want to take control of this situation and quit playing “whack-a-mole” with their security. They don’t want to become cybersecurity experts, but they need a way to make rational risk investment decisions that balance cybersecurity investments with their willingness to accept cyber risks and the cost-benefits of additional security layers.

ARC’s ICS cybersecurity maturity model was designed to help these managers. It breaks cybersecurity into a logical set of steps that incrementally reduce cyber risks. Each step addresses a specific, easily understandable security issue, such as securing individual devices, defending plants from external attacks, containing malware that may still get into a control system, monitoring systems for suspicious activity, and actively managing sophisticated threats and cyber incidents. Each step has an associated set of actions and technologies that can be used to accomplish its goals. The model also shows the human resources and tools required to sustain and effectively utilize the cybersecurity technology investments.

The ICS cybersecurity maturity model is an ideal tool for companies to assess the status of their ICS cybersecurity program along three key dimensions – people, processes and technology. ARC research based on this model can also be used to help management understand where they stand relative to peers and what they need to do to close any gaps.

ARC ICS Cybersecurity Strategic Consulting Service

ARC Advisory Group is well-recognized as a leader in educating users about all facets of industrial control systems. Our longstanding relationships with automation suppliers and leading manufacturers in process and discrete industries have given us a unique understanding of automation systems and future developments in these areas. Our ICS Cybersecurity Consultancy Service provides a way for companies to leverage this knowledge in building effective strategies for managing and protecting their complex, critical control system investments.

ARC’s Industrial Cybersecurity Consultancy Service incorporates lessons learned through many years of strategic consulting with leading manufacturers and automation suppliers. It includes a four-stage process that incrementally identifies the best opportunities for improvement and develops a practical roadmap for achieving these goals:  


This stage includes a workshop facilitated by knowledgeable ARC analysts. The goal is to ensure that everyone with a stake in a plant’s security has a common understanding of ICS cybersecurity elements, as well as how they differ from traditional IT cybersecurity approaches.


This stage includes high-level group assessments of a company’s ICS cybersecurity requirements and identification of the goals that are most appropriate for the specific client.  ARC analysts support this effort as facilitators and extensions of the team with specific industry, cybersecurity program and technology knowledge.


Assessment involves an analysis of the client’s AS-IS situation using the ICS cybersecurity model. The effort identifies the company’s cybersecurity maturity level along the three key dimensions of people, processes, and technology. This provides a clear understanding of the company’s actual cyber risk situation and the program gaps that need to be closed. It also shows what would be required to reach the company’s ideal cybersecurity status. ARC analysts support this effort through structured interviews and site visits when appropriate to understand the actual situation. Surveys of peers may also be performed to fill knowledge gaps in specific areas.


Solution is the development of a recommended roadmap to drive transition from the AS-IS situation to the desired security goal. As this is based on ARC’s ICS cybersecurity model, the roadmap clearly shows the benefits of every recommended step and helps managers understand and justify the need for any additional investments. ARC analysts support this effort as facilitators and extensions of the team with specific industry and technology knowledge.

ARC Capabilities

In today's fast-paced and competitive environment, you need an expert on your side, someone who will assist you with strategic decisions and guide you with industry best practices and the latest technology solutions. That is the ARC Advisory Group purpose. ARC will make you more competitive through our advisory services, technology evaluation and selection services, our research reports, analyst