Practical ICS security in 10 steps:
1. Introduce an ICS security program. Without a structured program, ICS security is a lost cause, meandering between monthly vulnerability advisories and threat FUD. The RIPE Framework comes with a ready-to-use program that identifies all ICS security tasks and accountable staff roles, and defines a governance process with details on how to implement it.
2. Set up a system inventory. You’ve heard it before but most likely never got beyond an incomplete Excel spreadsheet listing system names and IP addresses. The RIPE System Inventory Database Architecture Guideline contains a detailed description of how to set up a useful inventory for hardware and software in your process environment.
3. Create standardized network diagrams. If you are like most companies, you don’t have complete, accurate, easy-to-use, standardized diagrams of your process network. The RIPE Network Diagram Style Guide tells you how to produce meaningful diagrams that give you an intuitive understanding of your network and its potential vulnerabilities.
4. Create standardized data flow diagrams. If you don’t know the data flow between your software systems, you cannot identify critical dependencies and potential cyber side effects. The RIPE Data Flow Diagram Style Guide shows you how to produce cutting-edge diagrams that make your data flow and system dependencies transparent.
5. Introduce a cyber security training program. If your staff isn’t properly trained, ICS security will not likely go anywhere. However, simply preaching “awareness” won’t do the trick. Why figure out potentially important training subjects and appropriate training formats when it’s all readily accessible in the RIPE Training Curriculum?
6. Introduce cyber security policies and standard operating procedures. Chances are you planned to do just that a long time ago, but never found time to actually sit down and get it done. No need to spend weeks or months on writing policies – everything important is ready to use in the RIPE Policies and Standard Operating Procedures document.
7. Maintain a list of staff members and contractors. If you don’t keep track of the identities of people who access your most critical systems, you will never be able to communicate and enforce policy, or make sure that everybody receives the appropriate training. The RIPE Workforce Information Database Architecture Guideline shows how to implement and maintain such data.
8. Introduce guidelines for plant planning. You have heard it before: ICS security problems are often attributed to an absence of planning and governance that has “grown historically”. There is only one way to stop such “growth”: by enforcing consistent rules for system architectures and software configurations. The RIPE Plant Planning Guideline does just that.
9. Use procurement guidelines. If you don’t enforce cyber security standards on your ICS supply chain, you will always continue to address the problem after the fact. The RIPE System Procurement Guideline is a ready-to-use list of cyber security criteria that allows you to filter product offerings and signal to your vendors which cyber security features you need.
10. Measure progress and do benchmarks using standardized fact-based metrics. If you cannot measure your ICS security performance, you will never be able to demonstrate that the whole effort is worth doing. The RIPE Metrics document contains fact-based metrics that allow you to objectively assess your performance and even compare it to the performance of peers if desired.
Get the whole RIPE package at attractive pricing and jump-start your ICS security now by inquiring at info(at)langner.com.