Industrial/OT cybersecurity programs are more than technology. A full security program involves all of:
– People, with skills, experience, motivation, responsibilities, and authority,
– Processes, procedures and policies that people implement in order to bring about desired risk reductions, and
– Technology – hardware, software and connectivity that implements and enforces important policies, and empowers people to be more effective.
A full program includes all of the elements from the NIST framework as well, a framework that summarizes and reflects the principles of many other frameworks, such as the French ANSSI, IEC 62443 (still under construction) and ISO 27000. A full program in NIST terminology includes all of:
– Identify – people, processes, responsibilities, assets, risks, and other elements of security planning,
– Protect – addressing threats to identity and permissions management systems, perimeter protection, anti-malware systems and many others,
– Detect – monitoring security and searching for intrusions, because we can only optimize what we measure,
– Respond – practiced incident response teams, and
– Recover – backups, recovery plans, disaster recovery, and much more.
At Waterfall, I tend to focus on the technology part of the puzzle, to the extent that when I talk about Unidirectional Gateway technology, I am often asked, “Yes, but what about viruses coming in on USB sticks, or insider threats, or physical threats?” My answer is always, “Don’t get me wrong – even with hardware-enforced unidirectional gateways, you still need a security program. Nobody buys a gateway and puts their feet on the desk and says ‘there, I’m done.’”
To explore security programs in greater depth, Waterfall is pleased to host the Israel Electric Corporation (IEC) for a joint webinar. IEC is a pioneer of industrial cybersecurity and was one of the world’s first electric utilities to embrace cybersecurity as an essential part of their risk management platform. IEC was also one of the world’s first users of Unidirectional Security Gateways for protecting their industrial operations.
Yosi Shneck of IEC will join me on this webinar talking about the big picture – people, processes and technology in the pursuit of comprehensive industrial cybersecurity programs. Yosi will focus on some elements of security programs that thoroughly secured enterprises focus on and do differently.
A robust security posture is only possible if all of our bases are covered. Click here to join Yosi Shneck and me looking at security programs and what parts of these programs the most secure enterprises emphasize.