We are in the 4th Industrial Revolution, and many organizations are responding to it, for example to increase the efficiency of processes, create new revenue models or do more with the data from the industrial process. Quite often, one of the requirements for this is data exchange between the OT domain and the IT domain. While this poses a cybersecurity risk, it shouldn’t be a problem. However, it is important to map out the current status of the industrial network, not only with regard to cybersecurity, but also with regard to processes and the ‘awareness’ of personnel.

SECUROTY’s services are based on consultancy in which advice is given on cybersecurity in the OT domain in the aforementioned areas. With the help of well-thought-out assessments, combined with the knowledge of ‘Subject Matter Experts’ (SMEs), a clear insight is obtained into, for example, the current cybersecurity level of specific control systems, based on ‘people, process, technology’.

How does an assessment work

There are different types of assessments. An overview of our assessments is given below. Each assessment is performed in a specific way, relevant to the type of assessment. Yet the assessments also have much in common in how they are carried out.

Every assessment starts with one or more interviews with the right people. In the case of cybersecurity, these are often Process Operators, Plant Managers, Security Officers, Project Leaders, IT managers, etc. Someone responsible for complying with specific regulations is also often involved, such as a compliance officer who must ensure conformance to a standard such as IEC 62443.

The purpose of the interviews is to gain insight into the current situation, but also to get an idea of the desired situation, i.e. which security level is aspired to. The interviews look not only at the technology, but also at processes and people.

Some assessments are based entirely on interviews and analysis of, for example, network drawings, user manuals, process descriptions, and so on. Other assessments may require a monitoring device – a ‘probe’ – to be placed in the network, for example to create an asset inventory, which is almost impossible to do manually. Such a probe is completely passive and has no influence on the operational process.

After the interviews, and after any relevant data has been collected with the probe, experts analyze the information obtained. This involves looking at the current state of affairs and performing a gap analysis to assess what needs to be done to achieve the desired situation. The result is pragmatic advice that can be put to work immediately.