The connectivity of systems and products has created a complex and interdependent ecosystem of stakeholders, including product suppliers, asset operators, asset owners and system integrators. The ISA Global Cybersecurity Alliance (ISAGCA) held a webinar on 12 December 2024 exploring the progression from "secure by design" to the concept of "secure by operations" — crucial for enhancing cybersecurity resilience in critical infrastructure. The panelists also discussed how the "secure by operations" concept aligns with the ISA/IEC 62443 series of standards, the world's leading consensus-based automation and control systems cybersecurity standards.
Product manufacturers, a government authority, an end user, a system integrator and a service provider shared their insights on the topic to offer the audience a well-rounded perspective. The speakers included:
- James Goosby from Southern Company, Director Business Technology Planning and Executive in Residence (EIR) at McCrary Institute
- Stephanie Johnson from U.S. Department of Energy's Office of CESER, Supply Chain Program Lead
- Chris Sistrunk from Google (Mandiant), ICS/OT Leader
- Tim Gale from 1898 & Co., Director Industrial Security
- Megan Samford from Schneider Electric, VP, Chief Security Officer, National Security Agreements
- Dee Kimata from Schneider Electric, Director Cybersecurity Thought Leadership (session moderator)
Secure by Operations
The speakers discussed the concept of "secure by operations" as outlined in the diagram below.
While the familiar concept of "secure by design" focuses on technology, "secure by operations" builds from that, focusing on the environment. Asset owners and operators maintain and implement security controls in a multi-technology operational landscape after deployment and patching. The term "secure by operations" may be new, but it is rooted in existing international standards, regulations, frameworks and best practices (i.e., the ISA/IEC 62443 series of standards).
Clarified roles and responsibilities are key to success when securing operations. The scale of these challenges is significant, so government regulators may also play a role in ensuring proper practices are in place within their jurisdiction.
Panel Discussion
The panelists also shared their insights on current drivers of the effort to secure operations, such as regulation and heightening threats. They discussed collaboration within the supply chain to build resilience into critical infrastructure, and shared their perspectives coming from a government authority, an asset owner, a product manufacturer, a service provider and a system integrator. Finally, they explored how ISA/IEC 62443 can be leveraged to drive secure by operations, as well as the value of a global standard like this. They shared how they rationalize ISA/IEC 62443 amongst the broad landscape of cybersecurity regulations, policies and standards.
A few speakers summarized their main takeaways from the panel.
James Goosby's Key Points
- Spend some time understanding the operational environment you’re working in and understand actions that could lead to potential adverse impacts, starting with safety and reliability.
- Establish a practical baseline cyber/physical governance model that can be expanded over time as stakeholder awareness and adoption increase.
- Leverage the resources that are available to you — ISA is a great place to start!
Stephanie Johnson's Key Points
- Government agencies are working with asset owners and suppliers to strengthen our critical infrastructure through many programs, including:
Megan Samford's Key Points
- Customers can “order” cybersecurity in their products through ISA/IEC 62443-4-1 (secure development), ISA/IEC 62443-4-2 (product, includes security features) and ISA/IEC 62443-3-3 (system, includes security features). Customers should request a minimum of Security Level 2 for comprehensive security features that are aligned with global regulation expectations over the next few years.
- Procurement can play one of the most vital roles in ensuring secure by design/demand on the front end of the lifecycle management. If cyber is not specified into projects and product purchases, there’s a good chance that lower cost options lacking cybersecurity may be selected.
- ISA/IEC 62443 is unique in that it can successfully map to almost all global government policies and regulations, including the EU CRA, NIST Risk Management Framework, Department of Energy Cybersecurity Supply Chain Principles for Asset Owners and Suppliers, Cyber-Informed Engineering and CISA Secure by Demand for OT.
Tim Gale's Key Points
- It’s important to have a robust OT cybersecurity program (ISA/IEC 62443-2-1) which defines the corporate requirements. This program should drive all OT cybersecurity activities.
- Part of the OT cybersecurity program should cover new equipment procurement, clear and concise requirements and clear pass/fail criteria for each requirement. Guidance on requirements can be found in ISA/IEC 62443-3-3, 4-1 and 4-2.
- We need to raise the awareness of all stakeholders. For example, the end user must begin by establishing their requirements prior to purchase of ICS (industrial control systems) equipment. The system integrators must be aware of — and in tune with — the requirements such that they can be proven at factory acceptance test/site acceptance test (FAT/SAT). Site operations must be aware of their role in identifying and escalating unusual behavior in an ICS.
Chris Sistrunk's Key Points
- When it comes to OT environments, cyber and physical security needs to be a culture (similar to safety culture), and secure by operations should be part of that culture. ISA/IEC 62443 should be a foundational reference for that culture.
- Continuing on the safety culture/security culture theme, "safety rules are written in blood" — don't wait for a painful incident to happen before you react to improve your security and operations. You should be proactive and start with the people, technologies and tools that you already have.
- When it comes to operations, resilience is so important. Have an OT incident response (IR) plan in place, practice that plan once a year and leverage ICS4ICS to manage the cyber incident.
More Resources
Further guidance and training on OT cybersecurity are available from the following entities:
- ISAGCA, a collaborative forum to advance OT cybersecurity and understanding of the ISA/IEC 62443 series of standards
- ISASecure, the world's leading conformance certification program for ISA/IEC 62443
- ICS4ICS, a program to improve how cybersecurity incidents are managed with training, processes and exercises