How to evaluate OT security program maturity
An OT security program can lead to better resource use, improved security operations, and tangible gains for the security posture of an OT operator. The benefits of running an OT security program include: At a fundamental level, an OT security program provides a strong foundation for an enterprise to adopt and scale up security measures. What is OT security program maturity? Based on various factors, an OT security program can be graded into the following tiers: Parameter Mature OT Security Program Evolutionary/Evolving OT Security Program Early stage OT Security Program Score Clear delineation of roles and responsibilities All personnel across functions are clear about their roles and responsibilities. All employees are in alignment with the assigned roles for managing security collectively. Every team has a employee responsible for security. This delineation is clear within the security operations teams. The larger organization does not subscribe to the program or subscribes in parts driven by a compliance mandate or any other factor that originates from outside the organization. Security teams are solely responsible for security. In the event of an incident, the security team is held responsible. Security measures are driven by a well-drafted security policy and a governance framework that is binding for all employees Yes. All teams and employees are governed through and are required to adhere to a security policy that may derive elements from standards such as IEC 62443 yet projects a distinct security mandate while incorporating cultural elements from the organization and its operational imperatives. The policy clearly articulates the security requirements at all operational and asset levels. The policy is generic in nature without paying any attention to the unique institutional character of the organization. Compliance to the policy is also partial and episodic. There is no policy in place Management and senior leadership are engaged in the security program and are active contributors Fully engaged and security-sensitive management Management is partially engaged and does not track the program Management is not connected with the program in any way Evolved incident response and disaster recovery mechanisms Followed in letter and spirit with clear protocols A mix of proactive and reactive measures are in place. Assets and data are at risk due to a potential for delay in intervention after an incident No measures in place Risk assessment and gap analysis audit frequency Once every 180 days Once every 365 days Infrequent or performed in an adhoc manner Institutional action on OT security audit findings Key audit findings are addressed within a pre-agreed time frame. OT security policy is modified to reflect major suggestions Audit findings are addressed but not in a time bound manner If an audit is done, then the findings are ignored or filed without any action being taken Program coverage 100 percent across assets, infrastructure, services, process, sites and networks Partial Less or none Security Operations coverage – asset visibility, vulnerability and patch management, secure remote access, SOC, hard segmentation of OT and IT networks Complete/100 percent Partial Less or none Improvement in key security operations metrics such as MTTD, MTTR, number of events closed, percentage of false positives over the last 11 months 30 percent 15 but less than 30 < 10 percent improvement Has the program been evaluated by a qualified third party? Yes No No How frequently OT security awareness programs run? Once a quarter Once every 9 months Only in October Are crown jewels and legacy systems residing behind a DMZ? Yes Yes No Strong anomaly and breach detection capabilities Yes Approaching strong but not yet there Weak or non-existent Countermeasures in place around access controls and insider activity Yes Partial measures in place No Cybersecurity risk in ICS environment is managed through strategic security planning and controls Yes Partial measures in place No OT security assurance is arrived through risk minimization and management of risk exposure Yes Partial measures in place No Lifecycle measures in place for each aspect mentioned above Yes Partial measures in place No ICS controls derived from last OT security audit cycle implemented Yes Partially No Secure design architecture and engineering compliance in place Yes Initial/rudimentary No Microsegmentation implemented Yes No No Calculating the score of your OT Security program To derive your OT security program effectiveness score, assign 40 points for each mature program parameter met, 20 for each evolving program parameter met and 5 or 0 (for each No) for every early stage program parameter met. For example for the parameter “Microsegmentation Implemented”, the following score will apply: Yes: 40 points No: 0No: 0 For the “Secure design architecture and engineering compliance in place” parameter you can follow the below points scheme: Yes: 40 pointsInitial/rudimentary: 20 pointsNo: 0 points If your total score is above 650 points, then you are running a mature OT security program. Congratulations. If your total score is above 350 but less than 650, then you are running an evolving security program. Let’s ramp up. If your total score is below 350 points, then you have a lot of catching up to do. No matter where your OT security program is on the above scale, Sectrio can help you run a model and relevant security program that is also high on RoI. Talk to our OT security program expert now through a free consultation to figure out your next steps. 62443, NIST CSF, and NIST SP 800, talk to a Sectrio OT governance expert. Book a consultation with our ICS security experts now. Contact Us Thinking of an ICS security training program for your employees? Talk to us for a custom package.
The post How to evaluate OT security program maturity appeared first on Security Boulevard.