0. Anything goes
No policies, no procedures, no checking. Typical for everyday contractor access in the majority of industrial facilities.
1. Passing the buck
Declaring others responsible for cyber security — end users, contractors etc. This is achieved by stressing “awareness” (assuming that the end user, if only being “aware” of cyber risk, would be in a position to take appropriate action). Typical example: Holding end users responsible for appropriately performing backups without ever giving them a procedure. Any provision that includes judgment on the end user’s part falls into this category.
2. Putting yourself in charge without a plan
Emphasizing that certain procedures and configurations are subject to permission by a central authority (such as the IT department, or physical security), but failing to provide any rules on how decisions are made — because there are none. This leads to ad-hoc decisions that cannot be questioned, consistently be performed by others, or even be audited. The major difference to level 1 is that now it’s no longer the end user who is held responsible, but consistency is missing as well.
3. Creating a fantasy world of wishful thinking
The organization has produced an impressive and consistent policy framework but never checks if it has anything to do with reality. Most of the time because it simply cannot be audited. For example, it is impossible to audit policies like “backups must be performed in a timely manner”, because “timely” could be anything between five minutes and five years.
4. The real deal
The organization uses a consistent policy framework that can be audited and is audited. For example, “timely” is specified as “every week”. Non-conformity is recorded and prompts action — not necessarily the decapitation of those who didn’t follow policy, but maybe the re-phrasing of policies that turned out to be not practical.
5. Sustainable governance
The organization is using a consistent policy framework that can be audited and is audited, and audits as well as user feedback is largely automated. Security automation is the key challenge for sustainable governance. Is that a technical problem? Absolutely not. Next time you pay your meter, order a pizza or cab over the Internet using an app, think about the absurdity that people in real production environments — including contractors — are expected to approach so much more important cyber security issues referring to a folder full of boring policy printouts, or try to locate the respective documents in a labyrinth of files. Rather than talking so much about the Industrial Internet of Things, we suggest to contemplate about the Industrial Intranet of OT Governance — if only because without solid governance, the Industrial Internet is doomed from the beginning.
Guess which level of governance we are implementing with the RIPE OT Security and Robustness Program.