✅[ST # 21] IT & OT Cybersecurity Strategy and Resilience, STA Announcement, [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual, organization, business or entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.
Hi Securing Things Community,
Are you struggling to get started with IT & OT Cybersecurity - Strategy, Program, Execution and Management? Something that aligns with your business vision, objectives, growth plans and operations, and has the potential to get leadership attention and buy-in so that it becomes an integral part of the overall business mission. Not sure where to start?
If so, you’re definitely not alone.
Finding the right balance for a sustainable and actionable IT & OT Cybersecurity & Resilience strategy, program, execution and management is one of the biggest challenges for aspiring or current CISOs and security leaders. CISOs at SMB to large manufacturers are being tasked with the additional responsibility of cybersecurity for the OT/ICS side of the business as well.
But by the end of this issue, you’ll have a simple framework you can follow: one reasonable approach (among a few) to addressing this challenge.
Let’s dive in.
But before we begin, do me a favour and hit the “Subscribe” button to let me know that you care and to keep me motivated to publish more. Thanks! Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.
IT & OT Cybersecurity & Resilience
Most organizations start with discovery and/or a proper assessment/review and then jump directly into applying fixes. That can lead to unforeseen challenges and hinder execution of the program (especially activities in an OT security program); it is a common mistake that falls short. A smarter approach (one example) is outlined below.
Strategy
If you fail to plan - you plan to fail.
📢Without a strategy - your strategy is to fail at managing cyber risks.📢
Unlike large enterprises (though you'll find some of them guilty of it too), it is common for SMB/SME industrial or manufacturing organizations not to have a documented IT & OT Cybersecurity Resilience strategy. This leads to an ad-hoc approach to handling risks and incidents, and ultimately to an unpredictable cost to the business.
-> How not to fail at building an IT & OT Cybersecurity Resilience strategy?
👉 3 steps from a state of "ad-hoc efforts / no defined strategy" ➡ towards ➡ the target state of a documented 📖#IT & #OT #Cybersecurity #Strategy📖:
✅1 - Understand your business (vision, mission, growth plans, business workflows, inventory, input from stakeholders, assessments/reviews etc., and the associated risks)
✅2 - Understand your technical architecture (IT/OT network data flows, assessments/reviews etc., and the associated risks) and select a framework
✅3 - Define and document ➡ goals and objectives, and build a list of selected controls around the secure business view, secure architecture view and secure operations view ➡ get the required approvals and execute.
-> How to 📜document an 📖IT & OT Cybersecurity Resilience strategy📖?
👉 3 steps 📜 for documenting an IT & OT Cybersecurity Resilience strategy:
✅1 - Business needs (vision, mission & growth plans) drive the drafting of the #cybersecurity #resilience #strategy (mission, vision, goals/objectives).
✅2 - A prioritized roadmap with a list of workstreams/initiatives mapped under specific "Goals" and "Objectives", with a set of layered security controls (both administrative and technical) for a "defense-in-depth" approach.
✅3 - Rinse, refine, repeat - and update per changing business needs, for an outcome of an informed and manageable risk state.
Check out the details in previous posts. For some background, read Digital Transformation & Cybersecurity Strategy - Premier.
For more details, check out the following posts:
How to write an IT & OT Cybersecurity & Resilience Strategy
How to present an IT & OT Cybersecurity & Resilience Strategy.
Program, Roadmap & Execution
Check out the IT & OT Security Dozen framework by M. Yousuf Faisal to help you build a program and develop an execution plan across the 3 phases of the project lifecycle. Each of the 3 phases and the elements within each phase are outlined below.

IT & OT Security Dozen - Framework by M. Yousuf Faisal
- Assess/Review ✅
- Strategy ✅
- Roadmap ✅
- Policy ✅
- Best Practices Standards Requirements ✅
- Checklists ✅
- Supporting Artefacts ✅
- Selection of IT/OT Security tools (OT IDS/Anomaly Detection) ✅
- Exercises and Security Testing requirements...
- and more....
👉 Assess, define, build and execute an IT & OT Cybersecurity program.
👉 Planning such an initiative in 2024 for single/multi-site deployments❓
👉 Reach out to info[at]securingthings[dot]com
Let's not leave it to next year or later - start assessing, defining and executing your cybersecurity strategy of things in 2024 ;-).
Management
Executing the program roadmap and later establishing an IT & OT Cybersecurity Management System is a necessity; it ensures continual monitoring and improvement of cybersecurity efforts within the organization.
Many are familiar with the concept of an ISO 27001 based ISMS (information security management system), so for the purpose of this post we won’t discuss that. If there is interest, please let me know in the comments and I’ll cover it in a future topic.
A similar concept exists as part of the ISA/IEC 62443 standards for building and running an OT Cybersecurity Management System (OT-CSMS). Below is a short intro:
📖OT Cyber Security Management System (CSMS) 📚 as per the ISA 62443-2-1 standard:
👉 Comprises ➡ Categories | Elements | Element Groups
👉 Categories include ➡ (1) Risk Analysis | (2) Addressing Risk with the CSMS | (3) Monitoring & Improving the CSMS
👉 Elements include ➡ Business Rationale, and Risk Identification, Classification & Assessment (under #1) + Compliance/Conformance, and Review, Improve & Maintain the CSMS (under #3)
👉 Element Groups include ➡ Security Policy, Organization, and Awareness | Selected Security Countermeasures | Implementation (under #2)
Each of the above Element Groups includes:
👉 Security Policy, Organization, and Awareness ➡CSMS scope, Organizational Security, Staff Training & Security Awareness, Business Continuity Plan, Security Policies & Procedures.
👉 Selected Security Countermeasures ➡Network Segmentation, Access Control (Administration, Authentication, Authorization), Personnel Security, Physical & Environmental Security.
👉 Implementation ➡ Risk Management and Implementation, System Development and Maintenance, Information and Document Management, Incident Planning & Response.
👉 The Awareness part of the Element Group includes ➡ Staff Training and Security Awareness ➡ that's where IT & OT CySEAT comes in.
✅ The OT CSMS process flows like this 👉 Initiate CSMS Program --> Initial High-level Risk Assessment --> Detailed Risk Assessment --> Establish Policy, Organization & Awareness --> Select and Implement Controls --> Maintain the OT CSMS.
There are opportunities and elements missing in the current version of the OT CSMS standard 📋 the upcoming version update will hopefully add these missing pieces. Can you spot and list them 📜 in the comments below⁉
📢Coming soon - on Securing Things Academy 📢

Securing Things Academy - Coming Soon!
Subscribe to the Securing Things Newsletter here to get an additional 5% discount on top of the mega launch discount. This offer runs from June to 31st Aug 2024.
My Ask
I’d love to hear what challenges you, as a member of the Securing Things community / CISO / security leader, are facing in your business. What can I write about to help you in your professional journey?
Here's to Securing Things in 2024! Take care and Best Regards.
Securing Things Academy:
The IT & OT CySEAT (Cyber Security Education And Transformation) course is designed for IT and OT cybersecurity practitioners. Join the wait-list → here.
Check out a brief overview below:
Ways in which I can help?
Whenever you are ready, I can help you with:
A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and/or its digital transformation journey.
B - Security Awareness Training & Phishing Awareness Portal - a subscription based service to train your staff and build a security awareness program.
C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.
Visit the newsletter website for links to the above services, or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.
D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply get smarter at Securing Things.
Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.
How are we doing?
I invite you, as part of the #SecuringThings community, to share your feedback.
Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society.
Let us know how we can improve, and what you’d like to see in future.
Thank you for your trust and continued support.
Register, validate your email, and request a login link to submit the poll for a chance to win a future course giveaway.
Thanks for reading - until the next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
M. Yousuf Faisal (I advise and consult cyber & business leaders on their journey to Securing Things (IT, OT/ICS, IIoT, digital transformation, Industry 4.0 & AI), and share everything I learn in this Newsletter and the upcoming Academy).