IT & OT/ICS Cybersecurity Policy(/ies)
✅[ST # 39] Deciding on the Cybersecurity Policy Route [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.
Hi Securing Things Community,
📢 Welcome to Deciding on IT & OT/ICS Cybersecurity Policy Route🛡️
An organisation that is just starting out on its cybersecurity journey, and/or specifically its OT cybersecurity journey, faces the challenge of deciding whether to create:
(a) a single information / cybersecurity policy document with IT & OT policies together.
(b) a separate or new OT security policy document.
(c) and/or take a hybrid approach of the two above, with additional supporting standards.

3 Themes Observed
In this newsletter, we’ll be tackling the above question and discussing these 3 approaches I’ve seen across the industry, the criteria on which you need to make this decision, the pros and cons, and relevant industry best practices. I’ll also be sharing my most viewed social media posts, ways in which I can help, and ways you can support.
Special Message:
Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!
So let's dig in.
Securing Things Academy:
IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.
Check out a brief overview below:
Why is this such a big deal?
In the last several years (particularly since Covid), I have come across several local, regional and/or even global manufacturers that did not have IT and/or OT cybersecurity policies in place, or had some IT security policies and procedures bundled within the policy document; however, when it came to OT/ICS related security policies, none existed in almost all cases. Yes, true even at the end of 2024 for perhaps many.
These manufacturers were motivated to act mainly because of compliance mandates, audit demands, or as a response to a cyber incident.
Implementing a policy is crucial for enabling your IT and OT/ICS or operations teams to effectively apply security best practices across all facilities and locations. This approach ensures consistency and reliability, rather than depending on the diverse culture, knowledge, skills, and intentions of administrative and general staff.
Explore the problem statement and potential solutions with confidence as the following sections provide a detailed comparison of various approaches, document hierarchy, and process flow. Whether you're simply curious or aiming for proficiency, this guide offers the essential resources you need.
Securing Things (Sponsor)
OT CBPRS (Cybersecurity Best Practices Requirements Specification) Toolkit!
The Solution (For Asset Owners Only) - a toolkit to get a head start on your OT/ICS cybersecurity journey for SMB/SME industrial environments. Bonus - comes with limited complimentary seats for the IT & OT CySEAT offering.
Below is a brief walkthrough on the toolkit:
(Note: Next iteration would include the ISA/IEC 62443-2-1 Security Program related requirements).