Part # 2 - OT / ICS Cyber security Policy & Governance

[Securing Things by M. Yousuf Faisal]

This is Part 2 - OT / ICS Cyber security Policy & Governance of "The OT Security Dozen", a 12-part series on building an OT / ICS Cyber security Program, an essential part of building an OT/ICS Cyber security Management System (OT CSMS) or program governance for an industrial operations environment.

Note: you may have noticed that OT/ICS cybersecurity awareness is a common theme across "The OT Security Dozen", and hence there is no exclusive part on awareness itself. The aim of this series is to raise awareness of each type of control covered, so awareness is treated as an essential, integral necessity across all 12 parts.

Assumption: after performing the Part # 1 OT/ICS Cyber security Assessment / Reviews against your industrial network environment, you should by now have a prioritized, actionable road-map or a baseline framework in place to build and execute an OT/ICS Cyber security program and strategy.

OT/ICS Cybersecurity Program & Industry Standards

Relevant Reference Industry Specific Regulations

The following are examples of OT/ICS specific government and regulatory bodies and their regulations and guidance:

  • North American Electric Reliability Corporation (NERC) – a not-for-profit responsible for Bulk Electric System (BES) reliability in North America. NERC has matured over the last 12 years or so and has enforcement capability.

  • NERC CIP (Critical Infrastructure Protection) – a set of cyber security requirements focused on OT/ICS cyber systems that evolve and improve continuously based on industry changes, with high-level enforcement actions made publicly available.

  • US – NIST SP 800-82 and NIST SP 800-53.

  • UK – Centre for the Protection of National Infrastructure (CPNI).

  • Germany – Federal Office for Information Security (BSI) and the German Association of Energy and Water Industries (BDEW).

  • APAC – Critical Infrastructure (CI/CII) regulations from Singapore, Australia, and others.

Prerequisites for OT/ICS Policy Build – A Program

Before you initiate a policy build, certain prerequisites must be met, and one of them is initiating an OT/ICS cyber security program: establish a repeatable and measurable process for OT/ICS cyber security program improvement. Things to do are:

  1. Leadership & Scope – identify key stakeholders and executives to gain support for program sponsorship, and define a clear scope.

  2. Delegate ownership, build a team & identify requirements & risks – appoint a person responsible for taking ownership of the program (either within the CISO organization, a common trend these days, or as a dedicated OT security program within the OT team), then build a team, ideally combining cyber security and OT SME resources from the IT and OT/ICS teams. Identify business risks, architectural and vulnerability risks, and regulatory requirements, taking into account the inventory discovered and the findings from earlier audits/assessments.

  3. Establish, Enforce & Maintain Policy & Procedures – follow and repeat agile practices for establishing, publishing, and enforcing policies. Maintain and update policies through an iterative, continuous, repeatable process cycle.

According to Gartner: "by 2023, 75% of organizations will restructure risk and security governance to address converged IT, OT, Internet of Things (IoT) and physical security needs, an increase from fewer than 15% in 2021".

OT/ICS Policy - As a Layer in The Defense In Depth Model

In an overall OT/ICS integrated multi-layer defense in depth model, where multiple layers of controls / defenses are tied together to reach the goal of securing:things, "Policy" is one layer of defense.

A comprehensive IT & OT cybersecurity program contains several types of documents, as shown in the figure below. Some organizations draft, publish, enforce and maintain each of these document types separately, while others merge topic-specific elements (e.g., policy and controls, policies and procedures, or policy and guidance together) into different sections of these document types. IETF RFC 2119 is an often used reference for the requirement language (e.g., MUST, SHOULD, MAY).

Note: For the purpose of this article, we'll limit the discussion to the Policy level only.

Policies cover and outline high-level corporate business goals and objectives. They apply to all personnel, including permanent staff, contracted staff and vendors. Policies are further elaborated and supported via standards, guidelines and procedures. Nonperformance typically results in disciplinary action.

The OT/ICS Cybersecurity Policy is at the heart of building and running an "OT/ICS Cybersecurity strategy and program", and is closely related to the OT Cybersecurity Management System (CSMS).

OT/ICS Policy Resources & Construct

For creating the policy, there are a variety of resources that can be referenced, utilized or consumed, e.g., existing enterprise or IT cyber security policies. Take their style, language and length into account, copy what is common between IT and OT, modify for OT/ICS inclusion, and work with management and the IT and OT teams to define clear scope and goals.

The SANS policy website is a great free place to start, among many other sources. Take references from ISA/IEC 62443, NIST, CSC, NERC CIP, SG CII, ISO 27001 and other industry standards and regulatory bodies applicable to the organization.

While writing policy, as per SANS, be concise, clear and specific, and meet SMART objectives, i.e. be Specific, Measurable, Achievable, Realistic and Time-based.

The policy should also cover the 5 W's (who, what, where, when, why) and guiding principles, while clearly outlining roles and responsibilities and the actions required to meet compliance, along with sufficient guidance so that a specific procedure can be developed from it.

An example construct of an OT/ICS cyber security policy is highlighted below (not an exhaustive list):

Most organizations in the industrial sector, e.g., in critical infrastructure, use guidance from industry standards (e.g., NIST CSF, IEC 62443, NIST 800-53, NIST 800-82, CSC Top 20 and, perhaps in the near future, NIST SP 800-82r3 once the updated guidance is published) and/or sector-specific and/or government-specific regulations.

Policy Governance & Reviews

Compliance controls are established to ensure compliance with policies and external regulations, and thereby the accuracy and reliability of business processes; ultimately they measure the level of organizational performance.

Organizations must work actively to ensure and promote a culture of compliance with controls and objectives for policies to remain effective. Therefore, organizational leadership must provide sufficient funding and resources to do the following:

  1. Conduct Awareness Training: provide adequate and frequent (mandatory) training programs with real-world examples.

  2. Set measurable performance goals: tied to personnel for regulatory & policy compliance. Clearly highlight consequences and provide anonymous channels for reporting violations.

  3. Run an Audit Program: implement and execute a comprehensive compliance/audit program to track metrics and incidents, and report results to senior management/the board.

Note: Policies must be reviewed and updated periodically (at least annually, or upon a major change within the business/technical environment) to remain relevant and useful for the organization.

Recommendations

Remember to use the SMART principles and the five W's to review policies on an annual basis or in response to major business/technology changes.

Ensure alignment of the policies with business needs, including industry and government regulatory requirements, and proper dissemination to all parties/stakeholders together with the needed awareness training.

Key Takeaways

Policies are high-level directives that help establish a plan. Once the draft OT/ICS cyber security policy is available, we are on our way to getting buy-in from leadership and all stakeholders. Upon approval, the policy, aligned with organizational business needs, is to be published, enforced and disseminated to all required parties. Later, maintaining and updating the policy ensures its effective applicability on an on-going basis.

Next Steps

An OT/ICS cyber security program and governance strategy starts with high-level directives via the OT/ICS cyber security policy (with defined objectives and goals). After this, from a governance perspective, you could think of establishing an OT/ICS Cyber security Management System (OT CSMS) (to be covered in future posts outside of this series).

Feel free to reach out if you have similar needs.

This completes our Phase 1 - Evaluate | Assess | Discover | Define (Identify) as part of the OT/ICS cyber security lifecycle.

Stay tuned for Phase 2 - Implement | Deploy (Predict, Protect/Prevent & Detect), starting with Part 3 – OT / ICS Cyber security Architecture & Segmentation (between IT & OT networks), coming soon.

It’s a great day to start securing:things! 

#ot #otsecurity #otcybersecurity #ics #icssecurity #icscybersecurity #policy #policydevelopment #otpolicy #icspolicy #operationaltechnology #isa #iec62443 #criticalinfrastructure #criticalinfrastructureprotection #criticalinformationinfrastructure #sgcii #securityawareness #securitygovernance #otstrategy #icscybersecurityprogram #otcybersecurityprogram #theotsecuritydozen #otsecuritydozen #securingthings
