Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Read More

IT and OT Cybersecurity Strategy

Read More

Categories Arrow

All Posts

IT and OT Cybersecurity Strategy

"Digital Transformation & Cybersecurity Strategy Premier,"a high-level overview on both strategic topicswill expand further on drafting and writing an IT/OT cybersecurity strategy for any #criticalinfrastructure or given industrial organization.

Cybersecurity Strategy journey begins with discovery process—identifying your business inventory this includes (but is not limited to)  an inventory of IT technology stack, OT/IOT technology stack and data inventory, across all layers of automation lifecycle plus the physical layer (sensors, actuators, machines etc.) for each site along with internal/external connections.

No alt text provided for this image
Execution Steps - Discovery / Assessment / Business Inventory
  • The discovery or assessment process is explained in OT Security Dozen Series Part# 1 – OT/ICS Cyber security Assessments in helping discover the required business inventory.
  • Next step is identifying the individual(s) and respective team that will be leading the execution of strategywhich is a must have before embarking on this journey, in order to have clear ownership and accountability. Therefore, appointing a suitable CISO/and or Cybersecurity Director or Lead (typically under the CISO or CIO organization) for Cybersecurity program is essential.
  • Once the business inventory is identified and documented and cybersecurity leader has been appointed, the next logic step is initiating drafting a cybersecurity strategy document, followed by choosing/selecting a preferred framework to be used as reference to build program elements around.

IT & OT/IOT Cybersecurity Strategy Document

The combined / integrated IT & OT/IOT cybersecurity strategy document takes input from multiple sources (e.g., comprehensive discovery and or assessment exercise) that highlights inventory, associated risks, vulnerabilities and threats and prioritized remediation action plan or roadmap.

The strategy document should be reviewed by all stakeholders that are directly responsible, sponsoring and/or supporting the execution of the strategy and approved by relevant stakeholders. The content of the document may cover and include the following (an example table of content provided below):

No alt text provided for this image
Cybersecurity Strategy Document - Example Table of Content

Keep the document concise and simple to understand, the length of the document should be in between 30-55 pages at most. Update the document whenever necessary and or at least every 2-3 years cycle.

Next Steps:

  • Document minimum technical requirements as part of the framework
  • Document required cybersecurity policies ("dos and dont's") - for building such policies, checkout Part # 2 - OT / ICS Cyber security Policy & Governance from the #OTSecurityDozen series
  • Document 4.0/IIOT ready secure reference network architecture - for building one checkout Part # 3 - OT / ICS Network Security Architecture & Segmentation from the #OTSecurityDozen series
  • Next for OT/ICS environment, establish a practice of creating Cybersecurity Requirements Specifications (CRS) for all greenfield projects and or for brownfield operations upgrades). CRS per #iec62443 standards includes the following:
No alt text provided for this image
Elements of Cybersecurity Requirements Specification (CRS)

Reference Strategy Documents

Cybersecurity and Infrastructure Security Agency (CISA) of US have few relevant documents as listed below:

Recently, US White House has prescribed a new 69-point National Cybersecurity Strategy Implementation Plan (July 2023) - a new roadmap with following five pillars:

  • Pillar One | Defending Critical Infrastructure - Update the National Cyber Incident Response Plan (1.4.1)
  • Pillar Two | Disrupting and Dismantling Threat Actors - Combat Ransomware (2.5.2 and 2.5.4)
  • Pillar Three | Shaping Market Forces and Driving Security and Resilience - Software Bill of Materials (3.3.2)
  • Pillar Four | Investing in a Resilient Future - Drive Key Cybersecurity Standards (4.1.3, 4.3.3)
  • Pillar Five | Forging International Partnerships to Pursue Shared Goals - International Cyberspace and Digital Policy Strategy (5.1.1 and 5.1.2)

In case its time for documenting your first IT & OT Cybersecurity Strategy or time for an update/re-writefeel free to reach out to me via DM or get in touch at info@securingthings.com for any business needs, project support, discussions and/or simply information-sharing.

Follow @securingthings. It’s a great day to start “Securing: Things”. 

This article was originally published on my Securing:Things newsletter on LinkedIn.
Muhammad Yousuf Faisal
Muhammad Yousuf Faisal
M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has more than two decades of industry experience in technology and cybersecurity, helping organization across multiple industry sectors worldwide, secure their digital transformation journey. As founder of “Securing Things," currently offering Cybersecurity Advisory and Consulting services, training, and solutions, both IT & OT/ICS/IOT environments. He holds a B.E. Electrical and an Executive MBA degree.

    Recent Posts

    Astronaut on a rocket

    Related Posts

    ISA/IEC 62443 and Risk Assessment: New Horizons in the AI Revolution

    Risk assessment has long been an important component of any cybersecurity program and operation for organ...
    Mohannad AlRasan Apr 26, 2024 7:00:00 AM

    Should ISA/IEC 62443 Security Level 2 Be the Minimum for COTS Components?

    A recent white paper published by the ISA Security Compliance Institute (ISCI) and its ISASecure certific...
    Liz Neiman Apr 23, 2024 5:18:27 PM

    How to Secure Machine Learning Data

    Data security is paramount in machine learning, where knowledge drives innovation and decision-making. Th...
    Zac Amos Mar 12, 2024 11:10:47 AM

    The International Society of Automation (ISA) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence and is the trusted provider of standards-based foundational technical resources, driving the advancement of individual careers and the overall profession. ISA develops widely used global standards; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world.


    The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

    We're on social media. Keep in touch!

    © 2024 International Society of Automation. All rights reserved.