Getting started in IT & OT Cybersecurity

[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal

Table of Contents

Originally Published on = April 22, 2024.

Revised / Updated on = October 11, 2024.

Hi Securing Things Community,

In this newsletter edition, per the poll results from last edition - Cybersecurity (IT, OT, AI / LLMS, Open source) Insights from Q1 2024, we’ll be covering a short blueprint primer on Getting started in IT & OT Cybersecurity”. Plus, some of my recent most viewed social media posts in April 2024 and my asks.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

If you are new to Securing Things newsletter, be sure to hit subscribe, validate your email address to ensure that you don’t miss any future newsletter editions.

For all those that have subscribed & verified (approx. 63%) and filled short survey form - I’d like to sincerely thank you for your time and interest. For the rest of 37% subscribers who have not validated their email addresses - do verify your email at your earliest convenience to avoid missing out future newsletter post not reaching your mailbox (make sure to whitelist the email address to get timely notification).

1. Getting started in IT & OT Cybersecurity

3 phase & 12 steps blueprint forGetting started in IT & OT Cybersecurity”:

Getting started in IT & OT Cybersecurity - Blueprint by M. Yousuf Faisal

The 3 phases are:

  • Phase A - Initiate, Validate, Prepare & Plan

  • Phase B - Execute & Implement the Plan - Breaking into Cybersecurity

  • Phase C - On-going career progression - Land and expand.

The 3 Phases of the Getting Started in IT & OT/ICS Cybersecurity Blueprint

Who’s this for?

Each of the 12 steps from a perspective of following persona types:

  • A recent graduate or learner - interested in getting into cybersecurity.

  • An IT security professional - interested in getting started in OT Security.

  • An automation professional - interested in getting started in OT security.

  • An experienced professional from a non-IT/Security/Automation field - interested in getting started in IT/OT security.

For 4 Persona Types

What are the 12 Steps?

Phase A - Initiate, Validate, Prepare & Plan

👉 Step 1 – Get to know the Industry, stakeholders, critical infrastructure sectors & the ecosystems – research & get excited.

👉 Step 2 – Learn IT & OT/ICS basics - acronyms, device types, famous attacks, key differences between IT & OT, and more.

👉 Step 3 – Mappings across IT/OT processes, layers of Automation stack, Purdue Model & domain specific knowledge areas.

👉 Step 4 – Know the career tracks / options (tasks / skills) & craft a career + progression plan.

Phase A of the Blueprint

Phase B - Execute & Implement the Plan - Breaking into Cybersecurity

👉 Step 5 – Trainings (possibly get certified) (Theory + Practical / hands-on / CTF) (both free & paid).

👉Step 6 – Learn few local / regional / international best practices guidance, standards & regulations.

👉 Step 7 – Find experts / mentor(s), connect & build professional network (find potential projects).

👉 Step 8 – Build resume, online profiles, get connected / network, interview & break into cybersecurity.

Phase B of the Blueprint

Phase C - On-going career progression - Land and expand

👉 Step 9 – Gain experience & stay up-to-date with industry events / changes via online/in-person forums, communities & more.

👉 Step 10 – Advance training/certs to expand hard (e.g. technical) & soft skills (e.g. leadership, presentation/communications etc.).

👉 Step 11 – Several resources to subscribe to —> Read | Watch | Listen | & Practice.

👉 Step 12 – Continuously Learn | Unlearn | Learn per industry trends, personal branding & more.

Phase C of the blueprint

What other important steps you’d recommend? comment below.

What’s Your Blueprint? and Why have one?

Is this “the only” or "the best” blueprint out there - definitely not. This is just an approach to help you navigate your journey - if you match of the 4 persona types outlined earlier.

However, not having one, in the long run, will cost you for your time, effort, and career.

Below is an example list of pros (planned) and cons (un-planned) career journey and what to expect in each scenario:

Pros & Cons of working on a blueprint vs. going with the flow

Build yours - wishing you all the best in your career progression - wherever you are in that journey.

📢 More on the blue print and 3 phases and 12 steps in detail in future posts. 📢

2. My Recent Most Viewed Posts:

In case you’ve missed - here are few of my recent most viewed posts.

IT & OT Cybersecurity Strategy

If you fail to plan - you plan to fail.

📢Without a strategy - your strategy is to fail at managing cyber risks.📢

Unlike large enterprise (though you'll find some guilty of it), it's often common for an SMB/SME industrial or manufacturing organizations - not to have a documented IT & OT Cybersecurity Resilience strategy - which leads towards an ad-hoc approach to handling risks and incidents, and ultimately ending up with an unpredictable cost to the business.

-> How not to fail at building an IT & OT Cybersecurity Resilience strategy?

👉 3 steps from a state of "ad-hoc efforts / no defined strategy" ➡ towards ➡ target state of documented 📖 IT & OT Cybersecurity Strategy 📖:

1 - Understand your business (vision, mission, growth plans, business workflows, inventory, input from stakeholders, assessments/reviews etc. and associated risks).

2 - Understand your technical architecture (IT / OT network data flows, assessments/reviews etc. and associated risks) & select a framework).

✅ 3 - Define and document ➡ goals, objectives and build list of select controls around secure business view, secure architects view & secure operations view ➡ get required approvals and execute.

-> how to 📜 document an 📖 IT & OT Cybersecurity Resilience strategy 📖 ?

👉 3 steps 📜 documenting an IT & OT Cybersecurity Resilience strategy:

1 - Business needs (vision, mission & growth plans) derives drafting #cybersecurity #resilience #strategy (mission, vision, goals/objectives).

✅ 2 - A prioritized roadmap with a list of workstreams/initiatives mapped under specific "Goals" and "Objectives" drives - with a set of layered security controls (both administrative + technical) for a "defense-in-depth" approach.

✅ 3 - Rinse, Refine, Repeat - and update per changing business needs for an outcome towards an informed and manageable risk state.

STL IT & OT Cybersecurity & Resilience Strategy by M. Yousuf Faisal

All this coming soon - on #SecuringThingsAcademy!

Anything that you think, I’ve missed that was critical - thoughts? put them in comments below.

IT & OT Cybersecurity Dozen Framework

New to the responsibility as a CISO for an OT Cybersecurity program? Revisiting IT Cybersecurity program maturity? or Want to do both? But not sure where to start? DM or reach out on email below.

Checkout IT & OT Cybersecurity Dozen Framework (by M. Yousuf Faisal) from:

  • Assess/Review

  • Roadmap

  • Strategy

  • Policy

  • Best Practices Standards Requirements

  • Checklists

  • Supporting Artefacts

  • Selection of IT/OT Security tools (OT IDS/Anomaly Detection)

  • Exercises and Security Testing requirements...

  • and more....

👉 Assess, Define, Build and Execute an IT & OT Cybersecurity program.

👉 Planning such an initiative in 2024 for single / multi-site deployments❓

👉 For manufacturers / industrial organizations

Let's not leave it to next year / later - start assessing, defining and executing your cybersecurity strategy of things in 2024 ;-)

STL’s IT & OT Cybersecurity Framework by M. Yousuf Faisal

OT Visibility - Assets, Traffic flow, Vulnerabilities, & Risks

Taking an informed decision or a blind/risky decision when selecting an OT Security Solution, or just based on analyst firms?

OT Anomaly detection (OT AD) / OT Behavioural Anomaly Detection (OT-BAD) / OT IDS security solutions are a critical technical control to be implemented, as part of overall OT Cybersecurity Program. 
 
Checkout our 3 Phase approach to 👉 Vendor Evaluation & Selection which can be easily tailored for your specific needs
 
👉 Criteria around 10 Key Topic areas below with 60+ requirements, each with an adjustable weightage - add per your specific needs:

1 – Market Analysis & Industry Coverage
2 – Asset, Risks & Vulnerability Discovery
3 – Topology / data flows & Virtual Zones
4 – Anomaly Detection & Threat Intel.
5 – Events, Alerts, Incidents & Investigations
6 – User Interface (Mgmt. Dashboard & Reports) - Ease of Use
7 – Architecture & Implementation Flexibility - Ease of Deployment 
8 – Integrations Capabilities (with existing tech Stack)
9 – Standards & Frameworks Support
10 – Cost & Support (Price flexibility & Prof. Support)
 
Planning such an initiative in 2024 for single/multi-site deployments❓
 
Providing independent advisory & consultation on (but not limited to):
👉 Solution Concept Awareness Training
👉 Solution Comparison - per your specific business needs → see below
👉 Solution Implementation (select leading solutions)
👉 Post implementation review and OT network hygiene analysis.
 
Read more at → OT / ICS Asset Discovery, Vulnerabilities & Threat Detection (or OT IDS / AD) Solution Selection & Implementation.

STL’s approach to Vendor Evaluation

OT Cybersecurity Management System (OT CSMS)

Original post here → OT CSMS and OT security awareness as critical part.

📖OT Cyber Security Management System (CSMS)📚as per ISA 62443-2-1 standards:
 
👉 Comprises of ➡ Categories | Elements | Element Groups
 
👉 Categories include ➡ (1) Risk Analysis | (2) Addressing Risk with the CSMS | (3) Monitoring & Improving the CSMS
 
👉 Element Include ➡ Business Rationale and Risk Identification, Classification & Assessment (under # 1) + Compliance/Conformance & Review, Improve & maintain CSMS (under # 3)
 
👉Element Groups Include ➡ Security Policy, Organization, and Awareness | Selected Security Countermeasures | Implementation (under # 2)
 
Each of the above Elements Groups includes:
 
👉 Security Policy, Organization, and Awareness ➡ CSMS scope, Organizational Security, Staff Training & Security Awareness, Business Continuity Plan, Security Policies & Procedures.
 
👉 Selected Security Countermeasures ➡ Network Segmentation, Access Control (Administration, Authentication, Authorization), Personnel Security, Physical & Environmental Security.
 
👉 Implement ➡ Risk Management and Implementation, System Development and Maintenance, Information and Document Management, Incident Planning & Response.
 
👉 Element Group Awareness Include ➡ Staff Training and Security Awareness ➡ that's where IT & OT CySEAT comes in.
 
✅ CSMS process flows:

👉 Initiate CSMS Program --> Initial High-level Risk Assessment --> Detailed Risk Assessment --> Establish Policy, Organization & Awareness -> Select and Implement Controls --> Maintain the CSMS.✅ 
 
There are opportunities and elements missing in the current standard for CSMS📋the upcoming version update hopefully will add these missing pieces, can you spot and list them📜in comments below⁉

If you are just starting out in OT Cybersecurity journey checkout - OT Cybersecurity Best Practices Requirements Specification OTCBPRS Toolkit with limited free IT & OT CySEAT (launch offer only).

Checkout #CySEAT teaser intro below.

Please DM or reach out to me if you are an asset owner and interested to participate in the discounted beta offer coming soon. Or know any asset owners that may be planning (starting or struggling with) OT Cybersecurity program journey and or simply looking to uplift staff skills sets?, without breaking the budget, please share this post, it’ll be of an enormous help. . 

Ideal candidates for CySEAT training program are practitioners both from IT/ICT Team (CISO/CIO/CDO orgs) and OT/ICS production or plant teams (industrial IT, engineering, operations etc.) that are responsible for building, managing and or part of executing OT cybersecurity program activities designed to improve OT/ICS cybersecurity hygiene for SMB/SME asset owners.

Status: As of writing this, the beta version of CySEAT is 75% ready, slides for 1st modules are ready and recording will begin in the coming week. If you want to engage in live workshop session in May onward (discounted fee apply) please feel free to reach out via DM on LinkedIn and or on below address.

info[@]securingthings[.]com

Whenever you are ready - I can help you/your organization with the all items highlighted in this edition - reach out at info[at]securingthings[dot].com.

3. My Ask

Do share, comment and add your experience and insights - as as this may help someone for bringing some clarity and choices in their career decisions and or progression. Our world needs more cybersecurity professionals.

Also, I invite #SecuringThings community to share their insights, feedback, and wish list for the year on:

  • any industry specific pain points & potential resolutions of keen interest?

  • what did you like about this and or previous editions?

  • what could be improved?

  • what you’d like to see in future editions?

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow: #securingthings on LinkedIn and or @securingthings on X/Twitter.

#securingthings #itotstrategy #otsecuritydozen #cybersecuritystrategy #digitaltransformation #ot #ics #otsecurity #otsecuritydozen #otcybersecurity  #icssecurity #isa #icscybersecurity #securedigitaltransformation #iiot #operationaltechnology #industry40 #iec62443 #criticalinfrastructure #NIST #ISO #criticalinfrastructureprotection  #criticalinformationinfrastructure #sgcii  #securityawareness  #otsecurityawareness #icssecurityawareness #otstrategy  #icscybersecurityprogram #otcybersecurityprogram #manufacturing  #industrialcontrolsystems #industrialautomation #strategypresentation #security #CyberSecurity #Automation #Engineering #ICS #Technology

The Newsletter Platform Built for Growth

When starting a newsletter, there are plenty of choices. But there’s only one publishing tool built to help you grow your publications as quickly and sustainably as possible.

Beehiiv was founded by some of the earliest employees of the Morning Brew, and they know what it takes to grow a newsletter from zero to millions.

The all-in-one publishing suite comes with built-in growth tools, customization, and best-in-class analytics that actually move the needle - all in an easy-to-use interface.

Not to mention—responsive audience polls, a custom referral program, SEO-optimized webpage’s, and so much more.

If you’ve considered starting a newsletter, there’s no better place to get started and no better time than now.

Reply

or to participate.