Part # 2 - OT / ICS Cyber security Policy & Governance

This is Part 2 - OT / ICS Cyber security Policy & Governance of “The OT Security Dozen - The OT Security Dozen – a 12-part series of building an OT / ICS Cyber security Program” – essential part of building an OT/ICS Cyber security / Management Systems (OT CSMS) or Program governance for an industrial operations environment.

Note: you may have noticed that OT/ICS cybersecurity awareness is a common theme across "The OT Security Dozen," and hence no exclusive part on awareness itself. The aim for this series is to raise awareness on each type of controls covered, and therefore is considered an essential/integral necessity across this 12-part series.

Table of Contents

• OT/ICS Cybersecurity Program & Industry Standards

• Relevant Reference Industry Specific Regulations

• Prerequisites for OT/ICS Policy Build – A Program

• OT/ICS Policy - As a Layer in The Defense In Depth …

• OT/ICS Policy Resources & Construct

• Policy Governance & Reviews

• Recommendations

• Key Takeaways

• Next Steps

Assuming: after performing Part # 1 OT/ICS Cyber security Assessment / Reviews against your industrial network environment; hopefully by now we have a prioritized list of actionable road-map or a baseline framework in place to build and execute an OT/ICS Cyber security program and strategy.

OT/ICS Cybersecurity Program & Industry Standards

Relevant Reference Industry Specific Regulations

Following are OT/ICS specific government and or regulatory bodies example regulation and guidance examples:

• North American Electric Reliability Corporation (NERC) – not-for-profit. Bulk Electric System’’ (BES) reliability in North America. NERC have matured over last 12 years or so & has capability of enforcement.

• NERC CIP (Critical Infrastructure Protection) - Set of cyber security requirements focused on OT/ICS cyber systems that are evolving and improving continuously based on industry changes with publicly available high-level enforcement actions.

• US – SP800-82 and NIST SP800-53.

• UK – Center of the Protection of National Infrastructure (CPNI)

• Germany – Bureau of Information Security (BSI) & Energy & Water Association (BDEW).

• APAC - Critical Infrastructure (CI/CII) regulations from Singapore, Australia, & others.

Prerequisites for OT/ICS Policy Build – A Program

Before you initiate a policy build, there are certain per-requisites and one such comes at initiating an OT/ICS cyber security program. Establish a repeatable and a measurable process for OT/ICS cyber security program improvement. Things to do are:

1. Leadership & Scope – identifying key stakeholders and executives to gain support for program sponsorship and also define a clear scope.

2. Delegate ownership, build team & Identify Requirements & Risks  –  appoint a person responsible for taking ownership of the program (either the CISO organization, a common trend these days, and or a dedicated OT security program within the OT team), then build a team ideally with a combination of cyber security & OT SME resources from IT & OT/ICS teams. Identify business risks, architectural & vulnerability risks, regulatory requirements while taking into account inventory discovered and findings from audit/assessments earlier.

3. Establish, Enforce & Maintain Policy & Procedures – Follow, repeat agile practices for establishing, publishing, and enforcing policies. Ensure maintaining and updating policies through an iterative continuous repeatable process cycle.

According to Gartner; “by 2023, 75% of organizations will restructure risk and security governance to address converged IT, OT, Internet of things (IOT) and physical security needs, an increase from fewer than 15% in 2021”.

OT/ICS Policy - As a Layer in The Defense In Depth Model

In an overall OT/ICS integrated multi-layer defense in depth model or concept, where multiple layers of controls / defenses are tied together to reach a goal of securing:things; "Policy" is one layer of defense.

A comprehensive IT & OT Cybersecurity programs contain several type of documents, as shown in the figure below. Some organizations follow drafting, publishing, enforcing and maintaining  these document types and some organizations merge topic specific elements (e.g., policy and controls and or policies and procedures and or policy or guidance together) into different sections of these document types. IETF RFC 2119 is an often used reference.

Policies covers and outlines high-level corporate business goals and objectives. These are applicable to all personnel including permanent, contracted staff and vendors. These policies are further elaborated and supported via standards, guidelines and procedures type documents. Nonperformance typically results in disciplinary actions.

OT/ICS Cybersecurity Policy is at the heart of building and running an “OT/ICS Cybersecurity strategy and program”, and is closely related to OT Cybersecurity Management Systems (CSMS).

OT/ICS Policy Resources & Construct

For creating the policy, there are variety of resources to be referenced, utilized or consumed e.g., enterprise or IT cyber security policies. Look at style, language, length into account, copy what's common between IT & OT, modify for OT/ICS inclusion, work with management | IT & OT teams to define clear scope & goals.

SANS policy website is a great place to start for free among many other sources. Take references from ISA/IEC 62443, NIST, CSC, NERC CIP, CSC, SG CII, ISO 27001 and other industry standards and regulatory bodies applicable for the organization.

While writing policy, as per SANS, be concise, clear, specific and should meet SMART objectives i.e. be Specific, be Measurable, be Achievable, be Realistic & be Time-based.

OT/ICS cyber security policy example construct is highlighted below (but not limited to):

Most organizations in industrial sector e.g. in critical infrastructure, use guidance from industry standards (e.g., NIST CSF, IEC 62443, NIST 800-53, NIST 800-82, CSC Top 20 and perhaps in near future NIST SP 800-82r3, once the update guidance is published) and or sector specific and or government specific regulations. 

Policy Governance & Reviews

Compliance controls are established to ensure compliance with policies and external regulations for accuracy and reliability of business processes; ultimately measuring the level of organizational performance.

Organizations must work actively to ensure and promote a culture of compliance with controls and objectives for policies to remain effective. Therefore, organizational leadership must provide sufficient funding and resources to do the following:

1. Conduct Awareness Training: provide adequate and frequent training programs (mandatory) with real work examples.

2. Set measurable performance goals: tied to personnel for regulatory & policy compliance. Clearly highlight consequences and provide anonymous channels for reporting violations.

3. Run an Audit Program: implement and execute a comprehensive compliance/audit program to track metrics and incidents and reporting results to senior management/board.

Recommendations

Remember to use principles of SMART and five W’s to review policies on annual basis or according to major business/technology changes.

Ensure alignment of the policies with business needs including industry and government regulatory requirements and proper dissemination to all parties/stakeholders with needed awareness training.

Key Takeaways

Policies are high-level directives that helps establish a plan. Once the draft OT/ICS cyber security policy is available, we are on our way to getting buy-in from leadership & all stakeholders. Open approval, policy aligned with organizational business needs, is to be published, enforced and disseminated to all required parties. Later, maintaining and updating the policy ensures its effective applicability on an on-going basis.

Next Steps

OT/ICS cyber security program and governance strategy starts with high-level directives via OT/ICS cyber security policy (with defined objectives & goals). After this from governance perspective you could think of establishing OT/ICS Cyber security Management Systems (OT CSMS) (to be covered in future posts outside of this series).

Feel free to reach out if you have similar needs.

This completes our Phase 1 - Evaluate | Assess | Discover | Define (Identify) as part of the OT/ICS cyber security lifecycle.

Stay tuned for the Phase 2 - Implement | Deploy (Predict, Protect/Prevent & Detect) - starting with Part 3 – OT / ICS Cyber security Architecture & Segmentation (between IT & OT networks) - coming soon….

It’s a great day to start securing:things! 

#ot #otsecurity #otcybersecurity #ics #icssecurity #icscybersecurity #policy #policydevelopment #otpolicy #icspolicy #operationaltechnology #isa #iec62443 #criticalinfrastructure #criticalinfrastructureprotection #criticalinformationinfrastructure #sgcii #securityawareness #securitygovernance #otstrategy #icscybersecurityprogram #otcybersecurityprogram #theotsecuritydozen #otsecuritydozen #securingthings