Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual, organisation, business or entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.

M. Yousuf Faisal

Hi Securing Things Community,

📢 Welcome to Deciding on IT & OT/ICS Cybersecurity Policy Route🛡️

An organisation that is just starting out on its cybersecurity journey, or specifically its OT cybersecurity journey, faces the challenge of deciding whether to create:

(a) a single information / cybersecurity policy document that covers IT and OT policies together;

(b) a separate or new OT security policy document; or

(c) a hybrid of the two above: a single policy supported by additional, domain-specific standards.

3 Themes Observed

In this newsletter, we’ll tackle the above question and discuss the three approaches I’ve seen across the industry, the criteria on which you need to base this decision, the pros and cons of each approach, and relevant industry best practices. I’ll also be sharing my most viewed social media posts, ways in which I can help, and how you can support this newsletter.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

So let’s dig in.

Securing Things Academy:

IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.

Checkout a brief overview below:

Why is this such a big deal?

In the last several years (particularly since Covid), I have come across several asset owners (both in critical infrastructure and among local, regional and even global manufacturers) that did not have IT or OT cybersecurity policies in place, or that had some IT security policies and procedures bundled within a policy document; when it came to OT/ICS-specific security policies, however, none existed in almost all cases. Yes, this is still true at the end of 2024 for perhaps many.

These asset owners (CII / manufacturers) were motivated to act mainly because of compliance mandates, audit demands, or as a response to a cyber incident.

Implementing a policy is crucial for enabling your IT and OT/ICS or operations teams to effectively apply security best practices across all facilities and locations. This approach ensures consistency and reliability, rather than depending on the diverse culture, knowledge, skills, and intentions of administrative and general staff.

The following sections explore the problem statement and potential solutions through a comparison of the approaches, the document hierarchy, and the policy process and lifecycle. Whether you’re simply curious or aiming for proficiency, this guide offers the essential resources you need.

Securing Things (Sponsor)

OT CBPRS (Cybersecurity Best Practices Requirements Specification) Toolkit!

The Solution (For Asset Owners Only) - Toolkit to get a head start for your OT/ICS Cybersecurity journey for SMB/SME industrial environment. Bonus - comes with limited complimentary seats for IT & OT CySEAT offering.

Below is a brief walkthrough on the toolkit:

(Note: The next iteration will include the ISA/IEC 62443-2-1 security program related requirements.)

Comparison of Key Approaches

Here’s a comparison of the three approaches to IT & OT cybersecurity policies, with the description, potential pros and potential cons of each.

Approach 1: Unified / Single Policy Framework for IT & OT/ICS security

Description: Combine IT and OT policies into a single document. Simplifies management but may overlook specific OT security needs. 🤝

Potential Pros:

- Simplicity: Streamlines document management, significantly cutting down on administrative tasks.

- Unified Vision: Promotes a comprehensive cybersecurity strategy that integrates IT and OT, cultivating a unified and collaborative security culture.

- Streamlined Compliance: Potentially facilitates compliance with both ISO and ISA standards in one cohesive, combined framework.

Potential Cons:

- Lack of Specificity: May fail to effectively tackle the distinct challenges and needs of IT and OT environments, resulting in possible security coverage gaps.

- Complexity in Implementation: Combining two separate frameworks into a single document may lead to confusion or misinterpretation among staff.

- Risk of Dilution: Critical OT security aspects might be overshadowed by IT-focused policies, compromising operational safety.

Approach 2: Separate or Distinct IT & OT/ICS Security Policies

Description: Separate policy documents for IT and OT, allowing tailored security measures and practices. 📄

Potential Pros:

- Tailored Policies: Each document can focus specifically on the unique needs and risks of its own environment, IT or OT, enhancing effectiveness.

- Clarity: Clear delineation of responsibilities and protocols for both domains reduces ambiguity and improves understanding.

- Focused Training: Easier to develop training programs specific to either IT or OT, enhancing staff preparedness in their respective areas.

Potential Cons:

- Increased Complexity: Handling two distinct documents can increase administrative workload and create potential inconsistencies between policies.

- Potential Silos: Divisions between IT and OT teams can lead to communication gaps and misaligned security practices.

- Inconsistent Practices: Different policies may lead to varied interpretations and implementations across departments, complicating compliance efforts.

Approach 3: Hybrid Approach

Description: A unified policy, complemented by distinct standards for IT and OT cybersecurity, balances collaboration with the unique challenges of each environment. ⚖️

Potential Pros:

- Balanced Approach: Merges the advantages of a cohesive policy with the precision of distinct standards, providing clarity and upholding consistency in both areas.

- Flexibility: Enables updates to specific standards without requiring a complete policy overhaul, allowing swift and effective responses to new threats.

- Enhanced Collaboration: Promotes collaboration between IT and OT teams, acknowledging their unique requirements and cultivating a culture of shared responsibility.

Potential Cons:

- Moderate Complexity: Although it’s easier than handling two complete policies, it still demands meticulous coordination between documents to maintain alignment.

- Implementation Challenges: Requires additional effort to integrate both sets of standards with the overarching policy framework.

- Resource Allocation: Requires resources to develop and maintain multiple documents effectively, which may strain organisational capabilities.

The Document Hierarchy

Industry best practices suggest a typical document hierarchy, shown below; yet many manufacturers only manage to implement a couple of the layers. In more advanced settings, you’ll find two or more layers, such as policy, standards, guidelines and procedures, effectively in place.

Policy Hierarchy

I have previously covered the creation of an OT/ICS Cybersecurity Policy and Governance, along with an example policy structure; do check out Part 2 of the OT Security Dozen series.

The Process and Policy Lifecycle

Developing a comprehensive enterprise security policy, along with IT and OT-specific charter documents, is essential. These documents should be endorsed by executives to ensure the message is effectively communicated throughout the organization. This approach not only demonstrates a proactive stance on cybersecurity but also provides tangible evidence that executives are actively addressing cybersecurity risks.

Regardless of the route chosen, the process for policy creation and a generic policy lifecycle are depicted below:

The Policy Process

The Policy Lifecycle

Decision Criteria

The Decision Process

The choice between the approaches depends on a number of factors, including (but not limited to) the following:

  • Organizational Structure: Assess the level of integration between the IT and OT teams within the organization.

  • Risk Assessment Needs: Recognize the unique risks present in both IT and OT environments; sectors with higher risk levels might require tailored policies.

  • Regulatory Compliance Requirements: Determine the industry-specific regulations that require either separate or integrated approaches.

  • Cultural Fit: Identify the approach that best fits the organizational culture for collaboration between IT and OT teams.

  • Resource Availability: Evaluate the resources at hand for developing, training, implementing, and maintaining policies effectively.

Industry Best Practices

My most common observation for medium to large organisations (those with the required capability and resources) is that they either keep the two policies distinct/separate or, most often, use the hybrid approach. Resource-constrained SMB manufacturers, however, may not have the same luxury and need to take care to choose the right approach for their setup.

It’s a best practice to:

  • Develop robust frameworks that offer detailed guidance specifically designed for both IT and OT environments. Consider utilizing the NIST Cybersecurity Framework or a blend of ISO 27001 standards with the ISA/IEC 62443 standard series.

  • Regularly perform risk assessments to pinpoint vulnerabilities in both IT and OT/ICS, ensuring that current policies effectively address existing threats.

  • Enhance mutual understanding of each domain's challenges by organizing joint training sessions that foster collaboration between IT and OT teams.

  • Develop robust incident response protocols that integrate both IT and OT systems, ensuring swift recovery from cyber incidents.

Conclusion

While there's no one-size-fits-all solution, it's crucial to select an approach that aligns with your organization's structure, culture, and operations. More importantly, it's imperative for asset owners (CII / manufacturers) to have their policies documented, approved, enforced, implemented, and regularly reviewed to ensure they remain relevant and effective.

Chosen Policy Route

What have you seen across the industry, or what has worked for your organisation? Do share in the comments below.

Reach out to us for help deciding on, and building/drafting, your next IT and OT/ICS Cybersecurity Policy Charter, Policy and OT Cybersecurity Best Practices Requirements Specification (OT CBPRS).

My Recent Most Viewed Social Posts:

In case you’ve missed them, here are some of my recent most viewed social posts.

Ways in which I can help

Whenever you are ready, I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - a subscription-based service to train your staff and build a security awareness program.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

How are we doing?

I invite you as part of #SecuringThings community to share your feedback.

Rate the newsletter content

Did you find the content valuable?

Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society.

Let us know how we can improve this newsletter and what you’d like to see in future.

Thank you for your trust and continued support.

Do register, validate your email, and request a login link to submit the poll, to be entered for a chance to win a future course giveaway.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal (I advise and consult cyber and business leaders on their journey in Securing Things (IT, OT/ICS, IIoT, digital transformation, Industry 4.0 and AI), and share everything I learn in this newsletter and the upcoming Academy).

Follow Securing Things on LinkedIn | X/Twitter & YouTube.
