An OT security program can lead to better resource use, improved security operations, and tangible gains for the security posture of an OT operator.
The benefits of running an OT security program include:
- Improved visibility into operations and asset behaviors
- Enhanced ability to improve security posture through a feedback loop
- Addition of newer security measures becomes easier
- Defense-in-depth with zones for deploying a layered security approach becomes easier
- Enables faster adoption of standards such as IEC 62443, NIST CSF, NERC CIP, NIST 800 SP, NIS2 and more
- Allows CISOs to scale up security measures when required
- Improves incident response and cyber resilience
- Enables better reporting and compliance with regulatory norms
At a fundamental level, an OT security program provides a strong foundation for an enterprise to adopt and scale up security measures.
What is OT security program maturity?
Based on various factors, an OT security program can be graded into the following tiers:
| Parameter | Mature OT Security Program | Evolutionary/Evolving OT Security Program | Early stage OT Security Program | Score |
| Clear delineation of roles and responsibilities | All personnel across functions are clear about their roles and responsibilities. All employees are in alignment with the assigned roles for managing security collectively. Every team has a employee responsible for security. | This delineation is clear within the security operations teams. The larger organization does not subscribe to the program or subscribes in parts driven by a compliance mandate or any other factor that originates from outside the organization. | Security teams are solely responsible for security. In the event of an incident, the security team is held responsible. | |
| Security measures are driven by a well-drafted security policy and a governance framework that is binding for all employees | Yes. All teams and employees are governed through and are required to adhere to a security policy that may derive elements from standards such as IEC 62443 yet projects a distinct security mandate while incorporating cultural elements from the organization and its operational imperatives. The policy clearly articulates the security requirements at all operational and asset levels. | The policy is generic in nature without paying any attention to the unique institutional character of the organization. Compliance to the policy is also partial and episodic. | There is no policy in place | |
| Management and senior leadership are engaged in the security program and are active contributors | Fully engaged and security-sensitive management | Management is partially engaged and does not track the program | Management is not connected with the program in any way | |
| Evolved incident response and disaster recovery mechanisms | Followed in letter and spirit with clear protocols | A mix of proactive and reactive measures are in place. Assets and data are at risk due to a potential for delay in intervention after an incident | No measures in place | |
| Risk assessment and gap analysis audit frequency | Once every 180 days | Once every 365 days | Infrequent or performed in an adhoc manner | |
| Institutional action on OT security audit findings | Key audit findings are addressed within a pre-agreed time frame. OT security policy is modified to reflect major suggestions | Audit findings are addressed but not in a time bound manner | If an audit is done, then the findings are ignored or filed without any action being taken | |
| Program coverage | 100 percent across assets, infrastructure, services, process, sites and networks | Partial | Less or none | |
| Security Operations coverage – asset visibility, vulnerability and patch management, secure remote access, SOC, hard segmentation of OT and IT networks | Complete/100 percent | Partial | Less or none | |
| Improvement in key security operations metrics such as MTTD, MTTR, number of events closed, percentage of false positives over the last 11 months | 30 percent | 15 but less than 30 | < 10 percent improvement | |
| Has the program been evaluated by a qualified third party? | Yes | No | No | |
| How frequently OT security awareness programs run? | Once a quarter | Once every 9 months | Only in October | |
| Are crown jewels and legacy systems residing behind a DMZ? | Yes | Yes | No | |
| Strong anomaly and breach detection capabilities | Yes | Approaching strong but not yet there | Weak or non-existent | |
| Countermeasures in place around access controls and insider activity | Yes | Partial measures in place | No | |
| Cybersecurity risk in ICS environment is managed through strategic security planning and controls | Yes | Partial measures in place | No | |
| OT security assurance is arrived through risk minimization and management of risk exposure | Yes | Partial measures in place | No | |
| Lifecycle measures in place for each aspect mentioned above | Yes | Partial measures in place | No | |
| ICS controls derived from last OT security audit cycle implemented | Yes | Partially | No | |
| Secure design architecture and engineering compliance in place | Yes | Initial/rudimentary | No | |
| Microsegmentation implemented | Yes | No | No |
Calculating the score of your OT Security program
To derive your OT security program effectiveness score, assign 40 points for each mature program parameter met, 20 for each evolving program parameter met and 5 or 0 (for each No) for every early stage program parameter met.
For example for the parameter “Microsegmentation Implemented”, the following score will apply:
Yes: 40 points
No: 0
No: 0
For the “Secure design architecture and engineering compliance in place” parameter you can follow the below points scheme:
Yes: 40 points
Initial/rudimentary: 20 points
No: 0 points
If your total score is above 650 points, then you are running a mature OT security program. Congratulations.
If your total score is above 350 but less than 650, then you are running an evolving security program. Let’s ramp up.
If your total score is below 350 points, then you have a lot of catching up to do.
No matter where your OT security program is on the above scale, Sectrio can help you run a model and relevant security program that is also high on RoI.
Talk to our OT security program expert now through a free consultation to figure out your next steps.
Reach out to us now.
Conduct an IEC 62443/NIST-CSF based risk assessment and gap analysis now!
62443, NIST CSF, and NIST SP 800, talk to a Sectrio OT governance expert. Book a consultation with our ICS security experts now. Contact Us
Sectrio, the premier IoT and OT security company has launched the…
An OT security program can lead to better resource use, improved…
As per the Cybersecurity and Infrastructure Security Agency (CISA), threat actors…
At the heart of an OT security strategy lies the ability…
The level of asset risks that OT operators are exposed to…
Since June 1st 2024, Chinese frontline threat actor APT 41 has…
IEC 62443 is a gold standard when it comes to cybersecuring…
Thinking of an ICS security training program for your employees? Talk to us for a custom package.
*** This is a Security Bloggers Network syndicated blog from Sectrio authored by Prayukth K V. Read the original post at: https://sectrio.com/blog/how-to-evaluate-ot-security-program-maturity/