Over next couple of weeks and months in 2022, I am excited to be sharing some experience and insights on the 12 foundational steps for an “Operational Technology (OT)/Industrial Control System (ICS) Cybersecurity Program” – calling it “The OT Security Dozen.”
This will hopefully serve as guidance or building blocks to improve and operationalize cybersecurity practices for OT/ICS operations, especially for those industrial organizations worldwide (APAC manufacturing sector in particular) that are exploring ways to either start their journey and are not sure where to begin and/or in some cases trying to improve or mature their current initiatives.
Phase 1 - Evaluate | Assess | Discover | Define
1. OT/ICS Cybersecurity Assessments/Reviews
2. OT/ICS Cybersecurity Policy & Governance
Phase 2 - Implement | Deploy (Protect & Detect)
3. OT/ICS Cybersecurity Architecture & Segmentation (between IT & OT networks)
4. OT/ICS Asset Discovery & Threat Detection (OT IDS) Tools Selection & Implementation
5. OT/ICS Configuration Hygiene
6. OT/ICS Secure Remote Access
7. OT/ICS Access Control
8. OT/ICS Endpoint Protections (AV, Host IDS/EDR, USB controls)
9. OT/ICS Supply Chain Security (risks related to SBOM, OEMs, third-party service providers)
Phase 3 - Monitor | Respond & Measure
1. OT/ICS Cybersecurity Monitoring (via an Integrated SOC/MSS Operations)
2. OT/ICS Incident Response Plan
3. OT/ICS Audit & Security Testing – Continuous Measurement
Obviously, this is not an exhaustive list of initiatives for controls around people, processes, and technology for the world of OT/ICS. However, “The OT Security Dozen” will provide you that very strong and solid foundation required for establishing and running a successful OT/ICS cybersecurity program.
Some of these 12 initiatives can be run in parallel, and some may perhaps be better run sequentially. Prioritization of these initiatives may differ from one organization to another, based on several factors and the uniqueness of an organization's environment (e.g. network architecture, culture, people, processes, budget, skillsets, etc.). Regardless of the prioritization sequence, successful execution of these initiatives will raise your maturity level against any given industry standards that’s preferred by the organization and/or compliance against any applicable standards/regulations.
In the twelve part series – the OT Dozen, I’ll deep dive into each of these initiatives along with potential mappings to ISA/IEC 62443 standards requirements, NIST-CSF domains, and CSC Top 20.
If we were to choose anything else as the 13th initiative, it would likely be "IT & OT Ransomware Protection Program (RPP)." This would be your 13th warrior against the widespread threat landscape and while such a program would need to include most of the preparation elements above, it does need more to look into (e.g., the importance of backups and recovery) which will not be covered in this series and warrants its own post altogether.