How to evaluate OT security program maturity
2024-10-23 21:21:1 Author: securityboulevard.com(查看原文) 阅读量:1 收藏

An OT security program can lead to better resource use, improved security operations, and tangible gains for the security posture of an OT operator.

The benefits of running an OT security program include:

  • Improved visibility into operations and asset behaviors
  • Enhanced ability to improve security posture through a feedback loop
  • Addition of newer security measures becomes easier
  • Defense-in-depth with zones for deploying a layered security approach becomes easier
  • Enables faster adoption of standards such as IEC 62443, NIST CSF, NERC CIP, NIST 800 SP, NIS2 and more
  • Allows CISOs to scale up security measures when required
  • Improves incident response and cyber resilience
  • Enables better reporting and compliance with regulatory norms

At a fundamental level, an OT security program provides a strong foundation for an enterprise to adopt and scale up security measures.

What is OT security program maturity?

Based on various factors, an OT security program can be graded into the following tiers:

Parameter   Mature OT Security Program Evolutionary/Evolving OT Security Program Early stage OT Security Program Score
Clear delineation of roles and responsibilities All personnel across functions are clear about their roles and responsibilities. All employees are in alignment with the assigned roles for managing security collectively. Every team has a employee responsible for security. This delineation is clear within the security operations teams. The larger organization does not subscribe to the program or subscribes in parts driven by a compliance mandate or any other factor that originates from outside the organization. Security teams are solely responsible for security. In the event of an incident, the security team is held responsible.  
Security measures are driven by a well-drafted security policy and a governance framework that is binding for all employees Yes. All teams and employees are governed through and are required to adhere to a security policy that may derive elements from standards such as IEC 62443 yet projects a distinct security mandate while incorporating cultural elements from the organization and its operational imperatives.  The policy clearly articulates the security requirements at all operational and asset levels. The policy is generic in nature without paying any attention to the unique institutional character of the organization. Compliance to the policy is also partial and episodic. There is no policy in place  
Management and senior leadership are engaged in the security program and are active contributors  Fully engaged and security-sensitive management Management is partially engaged and does not track the program Management is not connected with the program in any way  
Evolved incident response and disaster recovery mechanisms Followed in letter and spirit with clear protocols A mix of proactive and reactive measures are in place. Assets and data are at risk due to a potential for delay in intervention after an incident No measures in place  
Risk assessment and gap analysis audit frequency Once every 180 days Once every 365 days Infrequent or performed in an adhoc manner  
Institutional action on OT security audit findings Key audit findings are addressed within a pre-agreed time frame. OT security policy is modified to reflect major suggestions Audit findings are addressed but not in a time bound manner If an audit is done, then the findings are ignored or filed without any action being taken  
Program coverage 100 percent across assets, infrastructure, services, process, sites and networks Partial Less or none  
Security Operations coverage – asset visibility, vulnerability and patch management, secure remote access, SOC, hard segmentation of OT and IT networks Complete/100 percent Partial Less or none  
Improvement in key security operations metrics such as MTTD, MTTR, number of events closed, percentage of false positives  over the last 11 months 30 percent 15 but less than 30 < 10 percent improvement  
Has the program been evaluated by a qualified third party? Yes No No  
How frequently OT security awareness programs run? Once a quarter Once every 9 months Only in October  
Are crown jewels and legacy systems residing behind a DMZ? Yes Yes No  
Strong anomaly and breach detection capabilities Yes Approaching strong but not yet there Weak or non-existent  
Countermeasures in place around access controls and insider activity Yes Partial measures in place No  
Cybersecurity risk in ICS environment is managed through strategic security planning and controls Yes Partial measures in place No  
OT security assurance is arrived through risk minimization and management of risk exposure Yes Partial measures in place No  
Lifecycle measures in place for each aspect mentioned above Yes Partial measures in place No  
ICS controls derived from last OT security audit cycle implemented Yes Partially No  
Secure design architecture and engineering compliance in place Yes Initial/rudimentary No  
Microsegmentation implemented Yes No No  

Calculating the score of your OT Security program

To derive your OT security program effectiveness score, assign 40 points for each mature program parameter met, 20 for each evolving program parameter met and 5 or 0 (for each No) for every early stage program parameter met.

For example for the parameter “Microsegmentation Implemented”, the following score will apply:

AWS

AWS Hub

Yes: 40 points   
No: 0
No: 0

For the “Secure design architecture and engineering compliance in place” parameter you can follow the below points scheme:

Yes: 40 points
Initial/rudimentary: 20 points
No: 0 points

If your total score is above 650 points, then you are running a mature OT security program. Congratulations.

If your total score is above 350 but less than 650, then you are running an evolving security program. Let’s ramp up.

If your total score is below 350 points, then you have a lot of catching up to do.

No matter where your OT security program is on the above scale, Sectrio can help you run a model and relevant security program that is also high on RoI.

Talk to our OT security program expert now through a free consultation to figure out your next steps.

Reach out to us now.

Conduct an IEC 62443/NIST-CSF based risk assessment and gap analysis now!

62443, NIST CSF, and NIST SP 800, talk to a Sectrio OT governance expert. Book a consultation with our ICS security experts now. Contact Us

Sectrio, the premier IoT and OT security company has launched the…

An OT security program can lead to better resource use, improved…

As per the Cybersecurity and Infrastructure Security Agency (CISA), threat actors…

At the heart of an OT security strategy lies the ability…

The level of asset risks that OT operators are exposed to…

Since June 1st 2024, Chinese frontline threat actor APT 41 has…

IEC 62443 is a gold standard when it comes to cybersecuring…

Thinking of an ICS security training program for your employees? Talk to us for a custom package.   

*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Prayukth K V. Read the original post at: https://sectrio.com/blog/how-to-evaluate-ot-security-program-maturity/


文章来源: https://securityboulevard.com/2024/10/how-to-evaluate-ot-security-program-maturity/
如有侵权请联系:admin#unsafe.sh