Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

OT Security Dozen: Series on Building an OT/ICS Cybersecurity Program

Over next couple of weeks and months in 2022, I am excited to be sharing some experience and insights on the 12 foundational steps for an “Operational Technology (OT)/Industrial Control System (ICS) Cybersecurity Program” – calling it “The OT Security Dozen.

This will hopefully serve as guidance or building blocks to improve and operationalize cybersecurity practices for OT/ICS operations, especially for those industrial organizations worldwide (APAC manufacturing sector in particular) that are exploring ways to either start their journey and are not sure where to begin and/or in some cases trying to improve or mature their current initiatives. 

Phase 1 - Evaluate | Assess | Discover | Define

1.      OT/ICS Cybersecurity Assessments/Reviews   

2.      OT/ICS Cybersecurity Policy & Governance  

Phase 2 - Implement | Deploy (Protect & Detect)

3.      OT/ICS Cybersecurity Architecture & Segmentation (between IT & OT networks)

4.      OT/ICS Asset Discovery & Threat Detection (OT IDS) Tools Selection & Implementation

5.      OT/ICS Configuration Hygiene

6.      OT/ICS Secure Remote Access

7.      OT/ICS Access Control

8.      OT/ICS Endpoint Protections (AV, Host IDS/EDR, USB controls)

9.      OT/ICS Supply Chain Security (risks related to SBOM, OEMs, third-party service providers)

Phase 3 - Monitor | Respond & Measure

1.      OT/ICS Cybersecurity Monitoring (via an Integrated SOC/MSS Operations)

2.      OT/ICS Incident Response Plan

3.      OT/ICS Audit & Security Testing – Continuous Measurement

Obviously, this is not an exhaustive list of initiatives for controls around people, processes, and technology for the world of OT/ICS. However, “The OT Security Dozen” will provide you that very strong and solid foundation required for establishing and running a successful OT/ICS cybersecurity program.

Some of these 12 initiatives can be run in parallel, and some may perhaps be better run sequentially. Prioritization of these initiatives may differ from one organization to another, based on several factors and the uniqueness of an organization's environment (e.g. network architecture, culture, people, processes, budget, skillsets, etc.). Regardless of the prioritization sequence, successful execution of these initiatives will raise your maturity level against any given industry standards that’s preferred by the organization and/or compliance against any applicable standards/regulations.

In the twelve part series – the OT Dozen, I’ll deep dive into each of these initiatives along with potential mappings to ISA/IEC 62443 standards requirements, NIST-CSF domains, and CSC Top 20.

If we were to choose anything else as the 13th initiative, it would likely be "IT & OT Ransomware Protection Program (RPP)." This would be your 13th warrior against the widespread threat landscape and while such a program would need to include most of the preparation elements above, it does need more to look into (e.g., the importance of backups and recovery) which will not be covered in this series and warrants its own post altogether.

A version of this article originally appeared on LinkedIn. The author will be first featuring the series on this platform and encourages everyone to follow along in the SecuringThings newsletter.

Muhammad Yousuf Faisal
Muhammad Yousuf Faisal
M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has two decades of technology & IT/OT cybersecurity-related industry experience, helping organizations worldwide (specially across APAC) securing their digital transformation journey with secure-by-design principles. He has served both as an end user and mostly as an independent consultant/advisor across multiple industrial sectors and enterprise organizations. Currently, he is doing business development, presales/solution and consulting delivery for emerging technologies in IT & OT, GRC/PCI, and other cybersecurity services across APAC region. He holds a B.E. Electrical and an Executive MBA degree.

Related Posts

Experience Centers Teach Cybersecurity Best Practices

The adoption of Industry 4.0 technologies is increasing efficiency and profitability across industrial co...
Luis Narvaez May 24, 2022 5:30:00 AM

Why Network Discovery is Critical in the ICS/IACS Environment

Securing operational technology (OT) networks requires a great deal of thought when designing and impleme...
Achal Lekhi May 17, 2022 5:30:00 AM

Securing Industry 4.0

As we head into the Industry 4.0 era—where connected Internet of Things (IoT) devices and automation will...
David Nosibor May 10, 2022 5:30:00 AM