Standards and Practices define how to establish a cybersecurity management system (CSMS), but what is required for ongoing operation and maintenance?

Terms of use

Terms of Use

The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.

All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.

Disclaimer

The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.

For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.

New

See all

No notification found.

Standards and Practices define how to establish a cybersecurity management system (CSMS), but what is required for ongoing operation and maintenance?

Ganapathiraman Guruswamy

@ramanarcweb

January 20, 2017

Data Privacy

460

Listen to this article

Asset owners and end users have access to many standards, guidelines, and practices related to industrial systems cybersecurity. Some of these are sector- or industry-specific, while are others are more broadly focused. Perhaps the biggest challenge is how to choose the most appropriate source for guidance. However, in almost every case, the emphasis is on how to design and establish an effective industrial cybersecurity program. While this is certainly important, it is equally important to have a plan for how to manage such a program once it is in place. Experience in subject areas such as maintenance and safety has shown us that creating a program is only the first challenge. Unless there is a commitment and sustained effort to manage and support the program, its effectiveness will inevitably decline.

You cannot address the cybersecurity of industrial systems as a “project,” since the effort must continue indefinitely as the nature of the risk evolves. While the consequence component of risk may be relatively constant, the threats and vulnerabilities can change rapidly as technology changes. The asset owner must be able to measure program effectiveness on an ongoing basis to determine if and when it may be appropriate to shift emphasis to new areas.

The ISA and IEC 62443 standards and other sources of guidance refer to the use of maturity levels as part of this exercise. The exact nature of these levels may vary, but the concept is well accepted. ARC has published research on a proposed maturity model and similar models appear in various standards.

class=image-1

ARC Cybersecurity Maturity Model

Concepts are certainly useful, but moving from a concept to execution can be a challenge. Some of the many questions that must be addressed include:

How and where should we begin to implement a model and the processes necessary to apply it?
How can we measure effectiveness and decide where to apply limited resources to making improvements?
What is the best framework for comparing our performance to that of our peers?
When should we consider new and developing technologies for inclusion into our program?
How can we translate opportunities into a comprehensive investment plan?

Case studies can provide an effective way to address these and related questions, but this requires that asset owners share their experiences, both good and bad. Many are reluctant to share such information, fearing that doing so may expose themselves to unwelcome scrutiny. This concern can be addressed by creating anonymous or generic case studies that describe the situation and lessons learned, without revealing too many details or identifying the specific companies. User groups and industry associations can and should take up this challenge.

The ISA99 committee has recently formed a new work group tasked with creating a set of case studies that will demonstrate the application of the fundamental concepts in the 62443 standards, including maturity models.

The upcoming 21^st Annual ARC Industry Forum in Orlando will feature a dedicated workshop on this subject where panelists will share their experiences and observations on how to sustain and manage an existing industrial cybersecurity program. Workshop attendees will be encouraged to share their experiences, and ask questions of these experts.

“Reprinted with permission, original blog was posted here. You may also visit here for more such insights on the digital transformation of industry.

About ARC Advisory Group (www.arcweb.com): Founded in 1986, ARC Advisory Group is a Boston based leading technology research and advisory firm for industry and infrastructure.

For further information or to provide feedback on this article, please contact akanagali@arcweb.com

About the Author:

Eric Cosman

Eric provides advisory and consulting services to ARC analysts and clients in all aspects of operations and project management.

Eric has over 35 years of experience in the development, delivery, management, and support of operations information technology solutions in the process industries. During his career his assignments and responsibilities have included process automation systems development, communications network design, functional and technical architecture design, and technology lifecycle management. He recently retired as an Operations IT Consulting Engineer with the Dow Chemical Company.

Disclaimer

That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.

Ganapathiraman Guruswamy

Impact of AI and ML on Software Pro...

calsoftinc

AI

18 Apr 2024

Top 9 Security & Risk Trends Fo...

GRAMAX Cybersec

Cyber Security ..

17 Apr 2024