- Securing Things Newsletter
- Posts
- Boost Your Defense Game!
Boost Your Defense Game!
IT & OT/ICS Cybersecurity Training [Securing Things by M. Yousuf Faisal]
M. Yousuf Faisal
October 27, 2024
Disclaimer: All views presented here, in this newsletter, are my own.
Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.
Table of Contents
Hi there, Securing Things Community,
📢 IT & OT/ICS Cybersecurity Training: Boost Your Defense Game! 🛡️
"In the high-stakes world of Industry 4.0, being unprepared is the biggest risk."In today’s fast-evolving technology dependent industrial landscape, business demands efficiency, productivity and real-time insights, driving digital transformation initiatives towards an industry 4.0 operations. Therefore, staying secure isn’t just about locking down the IT/office networks, it’s about fortifying the entire industrial automation stack (from PLC/edge devices to Cloud). IT and OT/ICS environments are facing unprecedented threats, and only those with targeted cybersecurity knowledge, from shop floor to the boardroom, can navigate them effectively.
In this newsletter edition, we’ll cover IT & OT/ICS cybersecurity training requirements for an industrial organisations and provide a quick update on Securing Things Academy. In addition, I’ll be sharing my most viewed social media posts, ways in which I can help, and my asks.
Special Message:
Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!
Together with:
Learn AI in 5 Minutes a Day
AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.
Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.
IT & OT/ICS Cybersecurity Training Needs
🚨 Why IT & OT/ICS Cybersecurity Training Is Crucial Today 🚨
With Industry 4.0 transforming how we work and connect, attackers are zeroing in on both IT and OT/ICS (Industrial Control Systems) networks. As more manufacturing processes integrate with digital systems, unique security challenges arise that don’t have one-size-fits-all solutions. The message is clear: to defend both IT and OT systems, specialized training is now non-negotiable.
🔥 IT vs. OT Security: Key Differences That Can’t Be Ignored 🔥
While IT networks forms large part of entry points of threats to the business operations, industry have seen notable large scale attacks and or incidents occurring directly within OT/ICS environments. IT systems typically prioritize data security and confidentiality, while OT systems in industrial settings prioritize availability and safety. This difference shapes the entire approach to securing these environments from people, processes and technology perspective.
Bridging IT & OT: Training for Convergence and Resilience
The interaction of IT, IIOT and OT/ICS systems in manufacturing has brought increased efficiency but also heightened cybersecurity risks. Many manufacturers face challenges in managing cybersecurity for an IT and OT networks, largely due to insufficient cross-functional training. For IT and OT/ICS teams working on digital transformation initiatives, IIOT, 4.0 projects, specialised cybersecurity training in understanding cyber risks throughout the automation stack, manufacturing lifecycle, and applicable security controls is crucial to safeguarding both systems while maintaining operational integrity.
Key Stages of Manufacturing Lifecycle and Cybersecurity
Each stage of the manufacturing lifecycle - from selling, procurement, planning, execution, production, inventorying, shipping to delivery; presents an attack vector and carries specific cybersecurity risks that specialised role based cybersecurity training programs must be addressing.
Learning from Breaches: Case Studies and Lessons
High-profile attacks have underscored vulnerabilities within manufacturing, with lessons applicable across the industry. Following are two examples:
Colonial Pipeline Incident (2021): While not a manufacturing facility, the Colonial Pipeline attack highlighted risks tied to unmonitored OT systems. The response delays significantly impacted operations, demonstrating the critical need for incident response readiness.
JBS Foods Ransomware Attack: This attack emphasized the importance of data redundancy and swift recovery processes, as JBS Foods was able to resume operations relatively quickly, minimizing financial loss.
Regulations, Standards & Best Practices - Training Requirements
Here are references to international regulations, standards, and best practices requirements that highlight the importance of role-based cybersecurity awareness and training for critical infrastructure and or industrial environments:
Regulations / Standards & Best Practices | Relevant Requirement |
|---|---|
SG-CCOP v2 (Singapore Cybersecurity Code of Practice for Critical Information Infrastructure) | Section 9.2 - Cybersecurity Training & Skills. |
AUS - Australia Cyber Security Centre (ACSC) Essential Eight - Australia's Security of Critical Infrastructure Act 2018 (amended 2021) - Critical Infrastructure Risk Management Program Rules (CIRMP Rules) | - Mitigation Strategy #7 role-specific training. - Sector-specific, role-based training and awareness programs. - Personnel Hazards. |
EU - NIS 2 Directives | Article 21 - (g) basic cyber hygiene practices and cybersecurity training. Annex 1 (Essential Sectors). |
US - Executive Order 14028 (Improving the Nation’s Cybersecurity) - CPGs (Cybersecurity Performance Goals) | - Section 3. - Basic Security Training (2 I) & OT Security Training (2 J). |
Canada - CCCS Critical Infrastructure Cybersecurity Framework: - CRTC Cybersecurity Regulations for Telecommunications | - Awareness and Training. - Role-based training across OT roles. |
China - China Cybersecurity Law (CCL) - Critical Information Infrastructure (CII) Protection Regulations (2021) - MLPS 2.0 (Multi-Level Protection Scheme) | - Article 3. supports the training of qualified cybersecurity personnel. - Article 15 - 5 - Organizing cybersecurity education and training. - Periodic training of employees with data and network security responsibilities. |
Germany - IT-Sicherheitsgesetz 2.0 (IT Security Act 2.0) - BSI-Grundschutz Compendium | - ORP.3 Awareness and Training in Information Security. Training of individual in 1.3. Scoping and Modelling. ORP.2.A15 Qualifications of Personnel [Supervisor] (B) and more. |
Saudi - NCA OT Cybersecurity Controls - NCA Essential Security Controls | 1-8 Cybersecurity Awareness and Training Program. 1-10 Cybersecurity Awareness and Training Program. |
Pakistan - Pakistan National Cyber Security Policy 2021 | - 3.9 Capacity Building & 3.10 Awareness for National culture of Cybersecurity. |
India - CERT-In Guidelines for Critical Sector Security Preparedness - NCIIPC Guidelines - Cyber Security Framework in Power Sector (2021) | - Sector-based role-specific security awareness training. - OC3: Training, Awareness and Skill up-gradation. - Article 5 - Cybersecurity Requirements & Article 8 - Cybersecurity Trainings. |
ISO/IEC 27001:2022: | 7.2 Competence. 7.3 Awareness. A 6.3 Information Security Awareness, Education, and Training. |
ISA/IEC 62443 Series (Security for Industrial Automation and Control Systems): | ISA/IEC 62443-2-1 (Policies and Procedures for IACS Security): - SPE-1: Organizational security measures - ORG 1.4: Security awareness training. - ORG 1.5: Security responsibilities training. and others e.g. ISA/IEC 62443-3-3 (System Security Requirements and Security Levels): Requirement SR 1.1. |
NIST SP 800-82 Rev. 3 (Guide to Industrial Control Systems Security) | Section 3.3.5 - Training Program for OT. Section 6.2.2 - Awareness & Training. |
ENISA Guidelines on Cybersecurity for Industrial Control Systems and IoT: | Section 7.4 (Security Awareness). Section 9.2 (Training Requirements). |
and there are many more examples. |
Updates on Securing Things Academy (STA)
I’ve been working on the very ideas, thoughts, and all over again on a hustle called “Securing Things Academy” or simply “STA” for later, to address the above highlighted needs. I am way beyond my original timelines that I have set for myself at the start of the year, primarily due to other commitments and challenges (more on that later).
Few Updates - STA Pages that are live
Below is a list of initial offerings (along with their current status, description & certification):
Only on STA | URL / Page | Status / Description | Certification |
|---|---|---|---|
Course: IT & OT CySEAT (Cyber Security Education & Awareness Training) | See the details on above link. | Status: Join Wait-list (Work In Progress) Training for empowering IT & OT / ICS practitioners involved with building, executing, managing or supporting IT & OT / ICS cybersecurity program(/s) for an industrial environment. Addresses a key pain point for Cyber leaders - where do we start with IT/OT Cybersecurity Program? | Option 1 IT & OT CySEAT training completion certificate. Option 2 Future Add-On (Cohort Style) STCCP (Securing Things Certified CySEAT Professional). |
Course: Singapore CCOP (Cybersecurity Code of Practice) Master Class for Critical Information Infrastructure Owner (CIIO) | See the details on above link. | Status: Join Wait-list (Work In Progress) Training for anyone that’s interested in getting up-to speed with SG CCOP requirements. | Singapore CCOP Master Class Training completion certificate |
Course: OT - CBPRS Course (OT Cybersecurity best practices requirements specification) | See the details on above link. | Status: Available Live On-Request. On-demand - (Work In Progress) For anyone that purchase OT CBPRS toolkit and or prior to just want to learn some OT security best practices. | OT-CBPRS training completion certificate. |
Digital Product: OT - CBPRS Toolkit (OT Cybersecurity best practices requirements specification) | See the details on above link. | Status: Available Next Update: Schedule to be updated to include ISA/IEC 62443-2-1 Security Program & or alignment with Foundational Reqs. | N/A |
Digital Product: OT/ICS Anomaly Detection (AD) Security Solutions Comparison Toolkit | OT/ICS IDS / AD Security Solution Comparison Toolkit See the details on above link. | Status: Available For any asset owners that are planning to evaluate, select and deploy an OT/ICS IDS or Anomaly Detection Solution. Saves couple of days worth of time. | N/A |
Digital Product - Bundle: OT-CBPRS Bundle 1 - OT CBPRS Toolkit* 2 - OT CBPRS toolkit related best practices training (Live only) 3 - IT & OT CySEAT Training (3 Free seats) | See the details on above link. | Status: Available with CySEAT WIP. For: Asset Owners / Manufacturers to support their OT/ICS Security program initiative. | OT CBPRS training completion certificate. - IT & OT/ICS CySEAT training completion certificate. (limited to 3 seats only). |
Checkout a short brief about IT & OT/ICS CySEAT → RFT = Ready for Transformation.
Watch the following short 3+ mins teaser for IT & OT/ICS CySEAT course below:
I am looking for your help!
I’d love to hear from each one of our subscribers and or visitors.
→ If the information provided on the STA live links (see table above), resonates with the need for the hour, in particular for manufacturers / asset owners. If not, why not and what you believe to be the most pressing cybersecurity challenge.
→ Do you have any interesting preferences and suggestions on course names, delivery style (on-demand vs. cohort style), community or no community & tool (discord/other), pricing (what you’ll be willing to pay for any specific formats) and or require any clarification on these digital products, that’ll help make an enrolment decision?
Do drop a note at “newsletter[@]securingthings[dot]com”.
For providing valuable and interesting suggestions, you may qualify for additional discounts.
Lastly, if you know someone, who would benefit from this - do forward this edition or share it on social media to help spread the message on specialised cybersecurity trainings to help protect our industry’s most essential IT & OT/ICS systems. Knowledge and preparedness are our strongest tools! Sharing is caring.
Stay safe, and stay resilient.
Cybersecurity Awareness Month:
As part of cybersecurity awareness month - here are 3 part post series I shared earlier on socials, for free cybersecurity awareness training videos on following topics:
Part 1 - Spear Phishing.
Part 2 - Password Security
Part 3 - Information Security.
My Recent Most Viewed Social Posts:
In case you’ve missed - here are some of my recent most viewed social posts.
Complexity Ain't an Excuse for OT/ICS Insecurity - Here's How to Lock It Down!
🚀 Ready to Transform Your Career? Dive into IT & OT/ICS Cybersecurity🔐- Phase A - Getting started in IT & OT/ICS Cybersecurity.
🚀 Ready to Transform Your Career? Dive into IT & OT/ICS Cybersecurity🔐- Phase B - Getting started in IT & OT/ICS Cybersecurity.
🚀 Ready to Transform Your Career? Dive into IT & OT/ICS Cybersecurity🔐- The 3 Phase, 12 steps blue print - Getting started in IT & OT/ICS Cybersecurity.
🚀 Ready to Transform Your Career? Dive into IT & OT/ICS Cybersecurity🔐- 4 personas perspective, for 3 phase blue print - Getting started in IT & OT/ICS Cybersecurity.
Getting OT/ICS visibility for industrial, data centre or smart buildings environments. Note: Do checkout the pdf guide on the process & the offer.
IT & OT Security Dozen framework for building, executing & managing a Cybersecurity & Resilience Transformation Program. Note: Do checkout the pdf guide on the process & the offer.
My Top IT, OT/ICS, & AI Cybersecurity Newsletters - You Can’t go Without! - a newsletter about my top cybersecurity newsletters. Note: Do checkout the pdf to download. Apparently this was a viral post, accumulating to more than 12K+ views (9.5K+ on this & rest on company LinkedIn page).
CIOs / CTOs / CxOs Guide to IT & OT/ICS Cyber Resilience Strategy & transformation Program - outlines an example process and approach to take.
CISO’s Guide to AI - 12 Steps, CISOs should take to address AI related cybersecurity risks.
Ways in which I can help?
Whenever you are ready - I can help you / your organization / your customers with:
A - IT & OT Cybersecurity Advisory / Consulting services - for securing your organisation’s or client’s digital transformation journey.
B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program.
C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.
D - Securing Things Newsletter - Get your brand (personal / business) in front of global audience by sponsoring this newsletter. And or simply subscribe to Get smarter at Securing Things.
Reach out at info[at]securingthings[dot]com or DM me via LinkedIn.
My Ask
I invite #SecuringThings community to share their feedback.
Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
Do register, validate your email, and request login link to submit poll to be able to enter a chance to win a future course giveaway.
Also let me know:
Rate the newsletter contentDid you find the content valuable? |
Thanks for reading - until next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
The Newsletter Platform Built for Growth
When starting a newsletter, there are plenty of choices. But there’s only one publishing tool built to help you grow your publications as quickly and sustainably as possible.
Beehiiv was founded by some of the earliest employees of the Morning Brew, and they know what it takes to grow a newsletter from zero to millions.
The all-in-one publishing suite comes with built-in growth tools, customization, and best-in-class analytics that actually move the needle - all in an easy-to-use interface.
Not to mention—responsive audience polls, a custom referral program, SEO-optimized webpage’s, and so much more.
If you’ve considered starting a newsletter, there’s no better place to get started and no better time than now.
Reply