As the importance of cybersecurity grows in the public eye, many organizations are considering leveling up their security postures with operational technology (OT) cybersecurity programs. There are countless experts and pieces of literature available to assist enterprises with building an IT cybersecurity program, but the same cannot be said for OT cybersecurity. OT includes a wide range of programmable systems and devices that interact with the physical environment (e.g., industrial control systems [ICSs], building automation systems, transportation systems, environmental monitoring systems). IT practitioners can rely on the US National Institute of Standards and Technology's (NIST's) Cybersecurity Framework (CSF) or one of many other standards, whereas OT cybersecurity practitioners often struggle to ascertain the best foundation on which to develop a robust cybersecurity program. However, there are several principles and standards on which an OT cybersecurity program can be based.
Unique OT Concerns
An OT environment evokes different concerns from those related to IT. The primary concern in OT is ensuring the availability, integrity, and confidentiality of data, in that order. Since OT focuses on controlling and monitoring physical processes and environments, availability plays the critical role: OT systems must be constantly available and able to respond in real time to events and alarms. Furthermore, any unauthorized modification of data or logic (i.e., a loss of integrity) can defeat a control system and result in a catastrophe, because the system acts on whatever values it is given.
In addition, a long lifespan, obsolescence, and health, safety and environmental issues are all driving decisions in OT that do not always play significant roles in IT. IT, by contrast, is focused on confidentiality, integrity, and availability, in that order, because IT strongly emphasizes user privacy, making confidentiality especially important.
Building an OT Cybersecurity Program
The primary intent of a cybersecurity program is to provide an organized, consistent, and comprehensive approach to managing an enterprise’s cybersecurity risk. When deployed, a cybersecurity program should provide management with reasonable confidence in security levels. An OT cybersecurity program should address the mentioned OT concerns that can eventually create risk for the organization.
There are several security principles and standards available on which to base an effective cybersecurity program:
- The International Electrotechnical Commission's (IEC's) IEC 62443 family of standards, which consists of standards specifically written to secure industrial automation and control systems
- NIST's CSF, a framework specifically created to manage organizational cybersecurity risk
- The Cybersecurity Capability Maturity Model (C2M2), a maturity model specifically designed to guide OT-related cybersecurity capabilities and activities
- The Purdue Enterprise Reference Architecture (PERA), a functional architecture heavily used in the OT industry to segment control networks into levels
- NIST Special Publication (SP) 800-82, NIST's guide to OT security
- ICS vendors, who often publish white papers and other supporting resources that can be used to build a cybersecurity program
No one-size-fits-all method exists for creating and implementing an effective OT cybersecurity program. A combination of the options listed should be used to create an effective, purposeful OT cybersecurity program. A maturity model such as C2M2 is a good starting point. C2M2 is custom-made for OT and provides capabilities and activities that an OT cybersecurity program should support. C2M2 also provides a measurement method: each practice is rated on its implementation status (fully, largely, partially or not implemented), and each domain is assigned a maturity indicator level (MIL 0 to MIL 3), which quantifies the program's maturity and provides a path to constant improvement. Governance documents can be created that align with the C2M2 cybersecurity domains1 to ensure that all capabilities and activities are addressed.
Further, a cybersecurity program built using C2M2 as a basis can be mapped to IEC 62443 cybersecurity controls to ensure that people, process, and technology (PPT) controls are implemented, which in turn enriches the activities prescribed in the C2M2. This two-way approach addresses both the higher-level capability and the lower-level technical controls. For example, in C2M2 v2.1, within the Manage Third-Party Risk objective of the Third-Party Risk Management domain, activities are described related to identifying and implementing cybersecurity requirements for third parties. IEC 62443-2-4, which specifies security program requirements for IACS service providers, provides guidance that, when implemented, enables those C2M2 activities.
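The two paragraphs above describe a scoring step (rating practices and deriving a per-domain MIL) and a mapping step (tying each activity to an IEC 62443 control). The following is an added example, not code from the article or from the C2M2 tool, that implements both as a practitioner might for a self-assessment spreadsheet. The MIL rule is the one C2M2 v2.1 states (a MIL is achieved when every practice at that level and all lower levels is fully or largely implemented); the practice identifiers, the domain names and the IEC 62443 references attached to each practice are constructed placeholders, not the official practice list.

```python
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    """C2M2 v2.1 implementation-status ratings for a practice."""
    FI = "Fully Implemented"
    LI = "Largely Implemented"
    PI = "Partially Implemented"
    NI = "Not Implemented"


# Ratings that count toward achieving a MIL (C2M2 v2.1 rule).
CREDITED = (Rating.FI, Rating.LI)


@dataclass(frozen=True)
class Practice:
    pid: str        # hypothetical practice identifier (not an official C2M2 id)
    domain: str     # C2M2 domain the practice belongs to
    mil: int        # MIL at which the practice is defined (1, 2 or 3)
    rating: Rating  # self-assessed implementation status
    iec_ref: str    # assumed IEC 62443 clause the program maps this practice to


def domain_mil(practices):
    """Return the highest MIL achieved for one domain.

    A level is achieved only if it has practices and every practice at that
    level and every lower level is Fully or Largely Implemented.
    """
    achieved = 0
    for level in (1, 2, 3):
        at_level = [p for p in practices if p.mil == level]
        if at_level and all(p.rating in CREDITED for p in at_level):
            achieved = level
        else:
            break  # a gap at this level blocks this and all higher levels
    return achieved


def score(practices):
    """Map each domain name to its achieved MIL."""
    by_domain = {}
    for p in practices:
        by_domain.setdefault(p.domain, []).append(p)
    return {d: domain_mil(ps) for d, ps in by_domain.items()}


def gaps(practices, target_mil):
    """List (practice id, MIL, mapped IEC 62443 reference) for every practice
    at or below target_mil that does not yet earn credit. The IEC reference is
    what the program would implement to close the gap."""
    return [(p.pid, p.mil, p.iec_ref)
            for p in practices
            if p.mil <= target_mil and p.rating not in CREDITED]


# Constructed sample self-assessment. Ids and IEC references are illustrative
# assumptions; TPRM = Third-Party Risk Management, ASSET = Asset, Change, and
# Configuration Management (two C2M2 v2.1 domains).
SAMPLE = [
    Practice("TPRM-1a", "TPRM", 1, Rating.FI, "IEC 62443-2-1 (program requirements)"),
    Practice("TPRM-1b", "TPRM", 1, Rating.LI, "IEC 62443-2-1 (program requirements)"),
    Practice("TPRM-2a", "TPRM", 2, Rating.PI, "IEC 62443-2-4 (service provider requirements)"),
    Practice("TPRM-2b", "TPRM", 2, Rating.FI, "IEC 62443-2-4 (service provider requirements)"),
    Practice("TPRM-3a", "TPRM", 3, Rating.NI, "IEC 62443-2-4 (service provider requirements)"),
    Practice("ASSET-1a", "ASSET", 1, Rating.FI, "IEC 62443-2-1 (program requirements)"),
    Practice("ASSET-2a", "ASSET", 2, Rating.FI, "IEC 62443-3-3 (system requirements)"),
    Practice("ASSET-3a", "ASSET", 3, Rating.PI, "IEC 62443-3-3 (system requirements)"),
]

if __name__ == "__main__":
    for domain, mil in score(SAMPLE).items():
        print(f"{domain}: MIL{mil}")
    for pid, mil, ref in gaps(SAMPLE, target_mil=2):
        print(f"gap to MIL2: {pid} (MIL{mil}) -> implement {ref}")
```

Note that TPRM stays at MIL1 even though one of its MIL2 practices is fully implemented: the rule credits a level only when every practice at that level is covered, so the gap list, not the raw count of implemented practices, is what drives the improvement plan.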
Conclusion
Attacks on OT infrastructure are increasing, and organizations must start addressing the need for OT cybersecurity to mitigate and counter them. An organized, consistent, scalable and standards-driven approach should be used to develop an OT cybersecurity program, built on OT-specific standards, frameworks or maturity models. Ideally, practitioners should start with an OT-specific maturity model that includes a measurement methodology, which will help organizations determine their current security postures and plan future improvements. Practitioners should then apply OT-specific standards and controls to enable and implement the activities in the maturity model.
Endnotes
1 US Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response, Cybersecurity Capability Maturity Model (C2M2), Version 2.1, USA, June 2022
Sri Mallur, CISM, CRISC
Is an ICS cybersecurity consultant overseeing cybersecurity governance and risk at a major oil and gas company. He has managed application (app) security, governance, and risk programs and teams in the automotive, insurance, chemical, health, technology, and entertainment sectors. He is currently working on using machine learning (ML) to solve scalability problems in OT cybersecurity.