Table of Contents

• Internal Audit and IT & OT Cybersecurity Program

  • 1. Challenges for Internal Audit Teams

  • 2. Suggested Approach for Internal Auditors

  • 3. My most viewed social media posts

Hi Securing Things Community, this newsletter edition is specific to internal audit teams, working at an asset owners / end user environments (industrial manufacturing and or critical infrastructure), that are tasked to conduct audit activities, not only around IT infrastructure or operations, but also for OT/ICS or production control network environments.

Internal Audit and IT & OT Cybersecurity Program

1. Challenges for Internal Audit Teams

Internal audit teams are now being challenged to keep a rigorous view on OT security program activities as well, in addition to IT security / services and other technology based program activities. In many cases, audit teams may not be familiar or skilled in understanding the risks across the OT/ICS or production control systems / network environments. So they may rely completely on either their internal counterparts in CISO/CIO business unit(s) and or external auditors (typically big 4 or niche specialist consulting firms) to help with an independent view on the current state and or maturity of the program. While that is important and totally fine; audit teams should also be equipping themselves to build some internal skill sets and capabilities on understanding IT & OT cybersecurity risks and be able to digest views presented by internal / external stakeholders to form their audit opinions.

2. Suggested Approach for Internal Auditors

Below is a high-level approach that audit teams / internal auditors can adopt to have a sound grasp in keeping tabs on IT & OT cybersecurity program activities across the business (but not limited) to:

👉 Understand business vision and mission.

👉 Understand departments (Audit) mission in support for the business mission.

👉 Understand what drives the business and what's critically important for its success?

👉 Understand a typical manufacturing workflow or lifecycle for the business.

👉 Know the key stakeholders across that manufacturing workflow.

👉 Understand Governance and Org. structure.

👉 Understand IT/enterprise technology stack and business processes.

👉 Understand OT/ICS key technology stack and production processes.

👉 Understand what local / regional regulatory frameworks the business needs to comply with?

👉 Understand Digital strategy for the business (if business have one documented) - if none exists - highlight this as a potential risk.

👉 Understand both IT & OT Cybersecurity Strategy - if none exists - highlight this as a potential risk.

👉 Understand joint IT & OT Governance steering committee structure and either get the steering co. regular updates and or and be a participant - depending upon org. culture. If no such joint committee - highlight this as a potential risk.

👉 Understand Cybersecurity program / roadmap - typically a 1 to 3 year plan (if any) and its alignment with the business mission.

👉 Understand ISMS for IT and CSMS for OT (if business have one) and or any other frameworks used - if none exists - highlight this as a potential risk.

👉 Understand IT & OT/ICS network architecture and segregation - if none exists - highlight this as a potentially high risk.

👉 Understand IT Cybersecurity controls and their ability to reduce risks on business systems / operations - if none exists - highlight this as a potential risk.

👉 Understand OT Cybersecurity controls and their ability to reduce risks on production systems / operations - if none exists - highlight this as a potential risk.

👉 Understand security controls / solution that provides visibility across production control network environments e.g., any OT IDS / Network Monitoring or Anomaly Detection Solution used. Ensure at-least a foundational high-level understanding of the solution monitoring scope (any exclusions), solution components, architecture and capabilities or control functions it provides.

👉 Understand Cybersecurity Monitoring and see if enterprise SIEM is ingesting logs both from key IT security tools and OT IDS/anomaly detection solution for log correlation and being monitored (in house / by MSSP) - if none exists - highlight this as a potential risk.

👉 Understand the type of monitoring use cases that are in place, any baselines created for network traffic, SOPs for handling alerts - if none exists - highlight this as a potential risk.

👉 Develop an internal checklists and request information from IT & OT security, technology, production and engineering teams to ensure a sound due diligence process in place by audit team (as an independent business unit) on measuring the security program effectiveness and risks are tracked.

👉 Keep up-to-date with latest developments within the business itself, overall within the industry, emerging tech and its uses, geopolitical or environmental risks, attacks and or threat groups targeting the industry sector in which the business operates.

👉 Keep routine checks per the define audit frequency. In addition, perform spot checks during the year to take a proactive approach on identifying potential outlier scenarios and engage relevant teams for addressing them in a timely fashion.

Hope this helps providing a foundation approach an internal audit team can rely on to build its understanding and the ability to approach auditing cybersecurity program activities both for IT & OT/ICS environments.

All this and more are covered in Securing Things Academy upcoming offering - IT & OT CySEAT (Cybersecurity Education & Awareness Training).

Anything critical I missed? - Anything additional you’d like to add and or you’ve included in your internal audit strategy that have helped your or your client’s businesses? - please add below.

3. My most viewed social media posts

• AI Cybersecurity Policy & Reference Guidance - covers:

  -> AI cybersecurity policy construction (key elements)

  -> AI cybersecurity policy build - project execution (steps to follow)

  -> AI cybersecurity standards, framework, guidance reference resources.

• Step 4 of Phase A of Getting Started in IT & OT Cybersecurity - blueprint by M. Yousuf Faisal - covers:

  -> IT & OT Cybersecurity Competence Frameworks (reference examples)
  -> IT & OT - Plan cybersecurity career roadmap.
  -> Securing Things Academy (STA) updates.
  

• Step 3 of Phase A of Getting Started in IT & OT Cybersecurity - blueprint by M. Yousuf Faisal - covers:

  -> Manufacturing workflow

  -> IT & OT - layers of automation stack,

  -> IT & OT security principles and typical list of processes,

  -> Example specific CII sectors & more.

  -> few other interesting cybersecurity resources / links,

  -> Securing Things Academy (STA) updates.

• IT & OT Cybersecurity - Strategy, Program, Execution & Management - covers:

  -> A recommended approach towards building and executing IT & OT Cybersecurity & Resilience Strategy

  -> a brief introductory video explainer

  -> Securing Things Academy (STA) updates.

How are we doing?

I invite you as part of #SecuringThings community to share your feedback.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society.

Let us know how we can improve this and or what you’d like to see in future?

Thank you for your trust and continued support.

Do register, validate your email, and request login link to submit poll to be able to enter a chance to win a future course giveaway.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal. (Advice | Consult Cyber & business leaders in their journey on Securing Things (IT, OT/ICS, IIOT, digital transformation, Industry 4.0, & AI) & share everything I learn on this Newsletter | and upcoming Academy). 

Follow Securing Things on LinkedIn | X/Twitter & YouTube.