Topics In Demand
Notification
New

No notification found.

Blog
Standards and Practices define how to establish a cybersecurity management system (CSMS), but what is required for ongoing operation and maintenance?

January 20, 2017

461

0

Asset owners and end users have access to many standards, guidelines, and practices related to industrial systems cybersecurity. Some of these are sector- or industry-specific, while are others are more broadly focused. Perhaps the biggest challenge is how to choose the most appropriate source for guidance. However, in almost every case, the emphasis is on how to design and establish an effective industrial cybersecurity program. While this is certainly important, it is equally important to have a plan for how to manage such a program once it is in place. Experience in subject areas such as maintenance and safety has shown us that creating a program is only the first challenge. Unless there is a commitment and sustained effort to manage and support the program, its effectiveness will inevitably decline.

You cannot address the cybersecurity of industrial systems as a “project,” since the effort must continue indefinitely as the nature of the risk evolves. While the consequence component of risk may be relatively constant, the threats and vulnerabilities can change rapidly as technology changes. The asset owner must be able to measure program effectiveness on an ongoing basis to determine if and when it may be appropriate to shift emphasis to new areas.

The ISA and IEC 62443 standards and other sources of guidance refer to the use of maturity levels as part of this exercise. The exact nature of these levels may vary, but the concept is well accepted. ARC has published research on a proposed maturity model and similar models appear in various standards.

class=image-1

ARC Cybersecurity Maturity Model

Concepts are certainly useful, but moving from a concept to execution can be a challenge. Some of the  many questions that must be addressed include:

  • How and where should we begin to implement a model and the processes necessary to apply it?
  • How can we measure effectiveness and decide where to apply limited resources to making improvements?
  • What is the best framework for comparing our performance to that of our peers?
  • When should we consider new and developing technologies for inclusion into our program?
  • How can we translate opportunities into a comprehensive investment plan?

Case studies can provide an effective way to address these and related questions, but this requires that asset owners share their experiences, both good and bad. Many are reluctant to share such information, fearing that doing so may expose themselves to unwelcome scrutiny. This concern can be addressed by creating anonymous or generic case studies that describe the situation and lessons learned, without revealing too many details or identifying the specific companies. User groups and industry associations can and should take up this challenge.

The ISA99 committee has recently formed a new work group tasked with creating a set of case studies that will demonstrate the application of the fundamental concepts in the 62443 standards, including maturity models.

The upcoming 21st Annual ARC Industry Forum in Orlando will feature a dedicated workshop on this subject where panelists will share their experiences and observations on how to sustain and manage an existing industrial cybersecurity program. Workshop attendees will be encouraged to share their experiences, and ask questions of these experts.

“Reprinted with permission, original blog was posted here. You may also visit here for more such insights on the digital transformation of industry.

About ARC Advisory Group (www.arcweb.com): Founded in 1986, ARC Advisory Group is a Boston based leading technology research and advisory firm for industry and infrastructure.

For further information or to provide feedback on this article, please contact akanagali@arcweb.com

About the Author:

Eric Cosman

Eric provides advisory and consulting services to ARC analysts and clients in all aspects of operations and project management.

Eric has over 35 years of experience in the development, delivery, management, and support of operations information technology solutions in the process industries.  During his career his assignments and responsibilities have included process automation systems development, communications network design, functional and technical architecture design, and technology lifecycle management.  He recently retired as an Operations IT Consulting Engineer with the Dow Chemical Company.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


© Copyright nasscom. All Rights Reserved.