Table of Contents

• 1. Getting started in IT & OT Cybersecurity

• 2. My Recent Most Viewed Posts:

  • IT & OT Cybersecurity Strategy

  • IT & OT Cybersecurity Dozen Framework

  • OT Visibility - Assets, Traffic flow, Vulnerabilit …

  • OT Cybersecurity Management System (OT CSMS)

• 3. My Ask

Hi Securing Things Community,

In this newsletter edition, per the poll results from last edition - Cybersecurity (IT, OT, AI / LLMS, Open source) Insights from Q1 2024, we’ll be covering a short blueprint primer on “Getting started in IT & OT Cybersecurity”. Plus, some of my recent most viewed social media posts in April 2024 and my asks.

1. Getting started in IT & OT Cybersecurity

3 phase & 12 steps blueprint for “Getting started in IT & OT Cybersecurity”:

Phase A - Initiate, Validate, Prepare & Plan

👉 Step 1 – Get to know the Industry, stakeholders, critical infrastructure sectors & the ecosystems – research & get excited.

👉 Step 2 – Learn IT & OT/ICS basics - acronyms, device types, famous attacks, key differences between IT & OT, and more.

👉 Step 3 – Mappings across IT/OT processes, layers of Automation stack, Purdue Model & domain specific knowledge areas.

👉 Step 4 – Know the career tracks / options (tasks / skills) & craft a career + progression plan.

Phase B - Execute & Implement the Plan - Breaking into Cybersecurity

👉 Step 5 – Trainings (possibly get certified) (Theory + Practical / hands-on / CTF) (both free & paid).

👉Step 6 – Learn few local / regional / international best practices guidance, standards & regulations.

👉 Step 7 – Find experts / mentor(s), connect & build professional network (find potential projects).

👉 Step 8 – Build resume, online profiles, get connected / network, interview & break into cybersecurity.

Phase C - On-going career progression - Land and expand

👉 Step 9 – Gain experience & stay up-to-date with industry events / changes via online/in-person forums, communities & more.

👉 Step 10 – Advance training/certs to expand hard (e.g. technical) & soft skills (e.g. leadership, presentation/communications etc.).

👉 Step 11 – Several resources to subscribe to —> Read | Watch | Listen | & Practice.

👉 Step 12 – Continuously Learn | Unlearn | Learn per industry trends, personal branding & more.

📢 More on these steps in detail in future posts. 📢

What other important steps you’d recommend? comment below.

2. My Recent Most Viewed Posts:

In case you’ve missed - here are few of my recent most viewed posts.

IT & OT Cybersecurity Strategy

If you fail to plan - you plan to fail.

📢Without a strategy - your strategy is to fail at managing cyber risks.📢

Unlike large enterprise (though you'll find some guilty of it), it's often common for an SMB/SME industrial or manufacturing organizations - not to have a documented IT & OT Cybersecurity Resilience strategy - which leads towards an ad-hoc approach to handling risks and incidents, and ultimately ending up with an unpredictable cost to the business.

-> How not to fail at building an IT & OT Cybersecurity Resilience strategy?

👉 3 steps from a state of "ad-hoc efforts / no defined strategy" ➡ towards ➡ target state of documented 📖 IT & OT Cybersecurity Strategy 📖:

✅1 - Understand your business (vision, mission, growth plans, business workflows, inventory, input from stakeholders, assessments/reviews etc. and associated risks).

✅2 - Understand your technical architecture (IT / OT network data flows, assessments/reviews etc. and associated risks) & select a framework).

✅ 3 - Define and document ➡ goals, objectives and build list of select controls around secure business view, secure architects view & secure operations view ➡ get required approvals and execute.

-> how to 📜 document an 📖 IT & OT Cybersecurity Resilience strategy 📖 ?

👉 3 steps 📜 documenting an IT & OT Cybersecurity Resilience strategy:

✅1 - Business needs (vision, mission & growth plans) derives drafting #cybersecurity #resilience #strategy (mission, vision, goals/objectives).

✅ 2 - A prioritized roadmap with a list of workstreams/initiatives mapped under specific "Goals" and "Objectives" drives - with a set of layered security controls (both administrative + technical) for a "defense-in-depth" approach.

✅ 3 - Rinse, Refine, Repeat - and update per changing business needs for an outcome towards an informed and manageable risk state.

All this coming soon - on #SecuringThingsAcademy!

Anything that you think, I’ve missed that was critical - thoughts? put them in comments below.

IT & OT Cybersecurity Dozen Framework

New to the responsibility as a CISO for an OT Cybersecurity program? Revisiting IT Cybersecurity program maturity? or Want to do both? But not sure where to start? DM or reach out on email below.

Checkout IT & OT Cybersecurity Dozen Framework (by M. Yousuf Faisal) from:

• Assess/Review ✅

• Roadmap ✅

• Strategy ✅

• Policy ✅

• Best Practices Standards Requirements ✅

• Checklists ✅

• Supporting Artefacts ✅

• Selection of IT/OT Security tools (OT IDS/Anomaly Detection) ✅

• Exercises and Security Testing requirements...✅

• and more....✅

👉 Assess, Define, Build and Execute an IT & OT Cybersecurity program.

👉 Planning such an initiative in 2024 for single / multi-site deployments❓

👉 For manufacturers / industrial organizations

Let's not leave it to next year / later - start assessing, defining and executing your cybersecurity strategy of things in 2024 ;-)

OT Visibility - Assets, Traffic flow, Vulnerabilities, & Risks

Taking an informed decision or a blind/risky decision when selecting an OT Security Solution, or just based on analyst firms?

OT Anomaly detection (OT AD) / OT Behavioural Anomaly Detection (OT-BAD) / OT IDS security solutions are a critical technical control to be implemented, as part of overall OT Cybersecurity Program. 
 
✅ Checkout our 3 Phase approach to 👉 Vendor Evaluation & Selection which can be easily tailored for your specific needs
 
👉 Criteria around 10 Key Topic areas below with 60+ requirements, each with an adjustable weightage - add per your specific needs:

1 – Market Analysis & Industry Coverage
2 – Asset, Risks & Vulnerability Discovery
3 – Topology / data flows & Virtual Zones
4 – Anomaly Detection & Threat Intel.
5 – Events, Alerts, Incidents & Investigations
6 – User Interface (Mgmt. Dashboard & Reports) - Ease of Use
7 – Architecture & Implementation Flexibility - Ease of Deployment 
8 – Integrations Capabilities (with existing tech Stack)
9 – Standards & Frameworks Support
10 – Cost & Support (Price flexibility & Prof. Support)
 
Planning such an initiative in 2024 for single/multi-site deployments❓
 
Providing independent advisory & consultation on (but not limited to):
👉 Solution Concept Awareness Training ✅
👉 Solution Comparison - per your specific business needs ✅ → see below
👉 Solution Implementation (select leading solutions) ✅
👉 Post implementation review and OT network hygiene analysis.✅
 
Read more at → OT / ICS Asset Discovery, Vulnerabilities & Threat Detection (or OT IDS / AD) Solution Selection & Implementation.

OT Cybersecurity Management System (OT CSMS)

Original post here → OT CSMS and OT security awareness as critical part.

📖OT Cyber Security Management System (CSMS)📚as per ISA 62443-2-1 standards:
 
👉 Comprises of ➡ Categories | Elements | Element Groups
 
👉 Categories include ➡ (1) Risk Analysis | (2) Addressing Risk with the CSMS | (3) Monitoring & Improving the CSMS
 
👉 Element Include ➡ Business Rationale and Risk Identification, Classification & Assessment (under # 1) + Compliance/Conformance & Review, Improve & maintain CSMS (under # 3)
 
👉Element Groups Include ➡ Security Policy, Organization, and Awareness | Selected Security Countermeasures | Implementation (under # 2)
 
Each of the above Elements Groups includes:
 
👉 Security Policy, Organization, and Awareness ➡ CSMS scope, Organizational Security, Staff Training & Security Awareness, Business Continuity Plan, Security Policies & Procedures.
 
👉 Selected Security Countermeasures ➡ Network Segmentation, Access Control (Administration, Authentication, Authorization), Personnel Security, Physical & Environmental Security.
 
👉 Implement ➡ Risk Management and Implementation, System Development and Maintenance, Information and Document Management, Incident Planning & Response.
 
👉 Element Group Awareness Include ➡ Staff Training and Security Awareness ➡ that's where IT & OT CySEAT comes in.
 
✅ CSMS process flows:

👉 Initiate CSMS Program --> Initial High-level Risk Assessment --> Detailed Risk Assessment --> Establish Policy, Organization & Awareness -> Select and Implement Controls --> Maintain the CSMS.✅ 
 
There are opportunities and elements missing in the current standard for CSMS📋the upcoming version update hopefully will add these missing pieces, can you spot and list them📜in comments below⁉

If you are just starting out in OT Cybersecurity journey checkout - OT Cybersecurity Best Practices Requirements Specification OTCBPRS Toolkit with limited free IT & OT CySEAT (launch offer only).

Checkout #CySEAT teaser intro below.

Please DM or reach out to me if you are an asset owner and interested to participate in the discounted beta offer coming soon. Or know any asset owners that may be planning (starting or struggling with) OT Cybersecurity program journey and or simply looking to uplift staff skills sets?, without breaking the budget, please share this post, it’ll be of an enormous help. . 

Other services - Security Awareness Training & Phishing Awareness Portal for SMBs - visit https://start.securingthings.io/training & register your interest.

Whenever you are ready - I can help you/your organization with the all items highlighted in this edition - reach out at info[at]securingthings[dot].com.

3. My Ask

Do share, comment and add your experience and insights - as as this may help someone for bringing some clarity and choices in their career decisions and or progression. Our world needs more cybersecurity professionals.

Also, I invite #SecuringThings community to share their insights, feedback, and wish list for the year on:

• any industry specific pain points & potential resolutions of keen interest?

• what did you like about this and or previous editions?

• what could be improved?

• what you’d like to see in future editions?

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn and or @securingthings on X/Twitter.

#securingthings #itotstrategy #otsecuritydozen #cybersecuritystrategy #digitaltransformation #ot #ics #otsecurity #otsecuritydozen #otcybersecurity  #icssecurity #isa #icscybersecurity #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #NIST #ISO #criticalinfrastructureprotection  #criticalinformationinfrastructure #sgcii  #securityawareness  #otsecurityawareness #icssecurityawareness #otstrategy  #icscybersecurityprogram #otcybersecurityprogram #manufacturing  #industrialcontrolsystems #industrialautomation #strategypresentation #security #CyberSecurity #Automation #Engineering #ICS #Technology