We find that every organisation is different in terms of systems, processes and levels of awareness of Operational Technology (OT) security. With so many unique considerations, it can be difficult to understand where you are, what the next step looks like and what lies ahead to ensure cyber resilient operations for 2020 and beyond. That's why we've taken the opportunity to shed some light on common questions organisations may have, along with guidance to help in their quest for a strengthened cyber security posture.
Cyber security has not previously been a priority, where do we start?
First and foremost, it is important to understand what your organisation looks like as a whole, mapping out critical processes and assessing which risks are involved, along with their severity. A quick check-up is a good place to begin: it helps visualise the risks and shows you where your organisation stands. A good next step is to review your system architecture to pinpoint vulnerable elements, so that solid recommendations for improvement can be formed on the technical side.
Of course, the cyber security of your OT does not depend on technology alone, but also on how your organisation operates. Developing a strong set of policies and procedures lays the foundation for how employees are required to act on a day-to-day basis, the process for reporting an incident, and what actions to take in scenarios where time is of the essence. The people behind the technology are critical to consider, and it is important that cyber security becomes part of your company's culture through initiatives such as awareness training, workshops and programmes that spark discussion.
How do our organisation's security measures stack up against our industry?
Every organisation has its own complexities, which makes a direct comparison difficult. A good way to ensure your cyber security posture is up to scratch is to use the standards suitable for your industry, such as the IEC 62443 series, which provides a practical approach to Industrial Automation and Control Systems (IACS) cyber security, or more sector-specific guidance such as the International Maritime Organization (IMO) cyber risk management guidelines for the maritime sector.
The IEC 62443 series of standards in general is an excellent reference point: following and implementing these standards in any sector will put your organisation firmly on the right track to becoming cyber resilient. To achieve this, we recommend developing a cyber security framework which fits your organisation and is aligned with the globally recognised IEC 62443 standards.
How can we validate the effectiveness of our current security measures?
So, you have already placed your focus on developing a cyber secure company culture and have implemented security measures to protect your critical processes. Let's put them to the test! Depending on your organisation's level of security maturity, a variety of programmes can help you get the most out of your efforts.
As an example, a purple team security assessment is an effective way to engage the parties responsible for defensive cyber security measures and put what you have implemented to the test. This assessment focuses on mapping out attack paths from a starting point to an end objective associated with meaningful business risks, with attackers and defenders working together so that each step can be checked against your detection and response capabilities.
On the other hand, if you already have a well-developed and strong cyber security posture, the most effective testing may be more targeted initiatives, such as a penetration test or a red team security assessment of your OT systems. These provide a more realistic simulation of a cyber-attack and help you validate your established incident detection and response capabilities. Because OT systems control physical processes, such testing should be scoped, scheduled and agreed with operations beforehand so that it does not disrupt production or safety.
Where do we go from here?
Whilst every organisation will differ in its cyber security maturity, it is important that your organisation is always looking forward, driving improvements and validating the effectiveness of implemented initiatives. Cyber security is not a one-size-fits-all solution, and neither is it ever marked 'complete'. It is an ever-evolving process to stay ahead in an increasingly connected world.
Applied Risk is the trusted OT cyber security partner of organisations across the world, helping them to define, plan and achieve their cyber security objectives. Our deep experience in cyber security and engineering gives us the edge to ensure your OT is left in trusted hands. If you require assistance with any of the initiatives mentioned in this article, or would like to understand how to make your first moves, contact us today.