Before even starting to increase the cybersecurity level of the operational domain, it is important to know what the current level is. After all, how do you know whether there is progress when the starting point is unknown?

Determining this starting point immediately makes clear whether additional measures are necessary. Although it is often stated that the security level in the OT domain is low, you only know for sure after a measurement.

But how does a good measurement – or, as we call it: an Assessment – work? How do you know where to start? How do you know when you’re done?

One of the first things to determine is whether there is a need to meet specific standards. Think of IEC 62443 (formerly ISA 99) or NIST 800-82. Other standards may also be relevant, depending on the industry you are in. And even when it is not necessary to meet a known standard, one often provides good guidance and a defined starting point.

IEC 62443 and NIST 800-82, just mentioned, are probably the most well-known standards, and we mainly work with them. Of the two, IEC 62443 is somewhat abstract and NIST 800-82 is very pragmatic. Because of the latter, when an industrial company is just starting out with cybersecurity, we often advise taking the NIST standard as the starting point.

NIST 800-82

In the NIST 800-82, 18 different domains are defined (based on the NIST 800-53) on which the current cybersecurity level of an ‘Industrial Control System’ (ICS) can be measured. These domains are as follows:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Security Assessment and Authorization (CA)
  • Contingency Planning (CP)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Program Management (PM)

Each of these domains comes with specific questions; taken together, the answers give a good picture of the cybersecurity level of the industrial network.

However, it is impossible to cover all these domains and their associated questions in a Fasttrack Assessment. That is why a selection is made of the domains that are most important to your company at that moment.

The choice of domains depends on the specific Control System that is the subject of the Assessment. The Control System is therefore chosen first, and the relevant cybersecurity domains after that.

Interviews

Once it is clear which Control System will undergo the Assessment and which cybersecurity controls will be used, the next step is to identify the right stakeholders to take part in one or more interviews. An interview is a 1-on-1 conversation with an expert from your company in a specific area related to the selected Control System and the selected cybersecurity controls.

To give an impression of the questions that are asked, here are a few sample questions:

  • Does the organization have an Awareness and Training Procedure?
  • Are practical exercises included in the security awareness training that simulate actual cyber-attacks?
  • Are employees provided with initial and periodic training in the employment and operation of physical security controls?
  • Are periodic reviews conducted of existing authorized physical and electronic access permissions to ensure they are current?
  • Is the concept of least privilege used to accomplish assigned tasks?
  • Does the system log both successful and unsuccessful logon attempts?

These are only intended to give an impression of the type of questions; the actual set depends on the chosen cybersecurity controls. The total number of questions in a Fasttrack Assessment is between 70 and 100.

Reporting

After the interviews have been completed, the results obtained are interpreted by SECUROTY consultants. The answers to the questions are carefully analyzed and a score is awarded in line with the priority of the topic. This guarantees that the final result fits your company well.

Following the interpretation, a clear and well-arranged report is drawn up, stating in plain terms what the possible follow-up steps are, including their priorities.
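To make the scoring and prioritization concrete, here is an added example (not SECUROTY's actual scoring method): a few of the sample interview questions above are tagged with their NIST 800-82 domain and an assumed priority weight, each answer is rated yes/partial/no, and the code produces a weighted score per domain plus the gap list ranked for the report. The weights, the answer scale and the answers themselves are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data. Priority (1 = low, 3 = high) expresses how much the topic
# matters for the chosen Control System; the yes/partial/no scale is an assumption.
ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}

@dataclass
class Question:
    domain: str    # NIST 800-82 domain code, e.g. "AC" for Access Control
    text: str      # interview question
    priority: int  # 1..3, assumed weight of this topic for the Control System
    answer: str    # "yes", "partial" or "no" as given in the interview

QUESTIONS = [
    Question("AT", "Does the organization have an Awareness and Training Procedure?", 2, "yes"),
    Question("AT", "Are practical exercises included that simulate actual cyber-attacks?", 1, "no"),
    Question("PE", "Are employees trained in the operation of physical security controls?", 2, "partial"),
    Question("AC", "Are periodic reviews conducted of existing access permissions?", 3, "no"),
    Question("AC", "Is the concept of least privilege used to accomplish assigned tasks?", 3, "partial"),
    Question("AU", "Does the system log both successful and unsuccessful logon attempts?", 3, "yes"),
]

def domain_scores(questions):
    """Weighted score per domain in percent: sum(priority * answer) / sum(priority)."""
    earned, possible = {}, {}
    for q in questions:
        if q.answer not in ANSWER_SCORE:
            raise ValueError(f"unexpected answer {q.answer!r} for {q.text!r}")
        earned[q.domain] = earned.get(q.domain, 0.0) + q.priority * ANSWER_SCORE[q.answer]
        possible[q.domain] = possible.get(q.domain, 0) + q.priority
    return {d: round(100 * earned[d] / possible[d]) for d in possible}

def follow_up_actions(questions):
    """Gaps ranked for the report: highest priority first, missing controls before partial ones."""
    gaps = [q for q in questions if q.answer != "yes"]
    gaps.sort(key=lambda q: (-q.priority, ANSWER_SCORE[q.answer]))
    return [(q.domain, q.text, q.priority) for q in gaps]

if __name__ == "__main__":
    for domain, pct in sorted(domain_scores(QUESTIONS).items()):
        print(f"{domain}: {pct}%")
    for domain, text, prio in follow_up_actions(QUESTIONS):
        print(f"[P{prio}] {domain}: {text}")
```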

Results

The result of the above activities is a clear insight into the current cybersecurity level of the OT domain. This provides a starting point for follow-up actions, which can begin by tackling the small and simple cases and work towards the large and complex ones, with the ultimate goal of creating a solid, cyber-secure industrial network.
