Carnac the Magnificent was a character played by Johnny Carson on late night television. He had mystic powers that allowed him to know the answers to questions he had not seen. He would proclaim the answer and then open the envelope, wherein he would find the question. Cyber security assessments seem to be like this. In other words, with some statistical shoring, Carnac the Magnificent could probably divine the current cyber security posture of your operational technology (OT) environment. He could choose from the following list and be right more often than the local fortune teller:
- Your asset inventory is subpar
- Your network diagrams are incomplete and/or outdated
- Your firewalls are misconfigured
- Your network is not properly architected
- You have access control issues
- There is unmonitored Web browsing from the control network
- Etc., etc., etc.
An assessment does indeed provide a “to-do” list and may provide some leverage in the next budget cycle. You may even be required by regulation to have a third party perform an assessment for you. In any case, don’t lose sight of the true objective. The true objective is to determine the root cause of these symptoms and deal with the disease directly rather than with the symptoms after the fact.
In many instances, the major root cause is the lack of a dedicated OT security program. Obviously, you can (and many do) just point to a document on the shelf and say you have a program. However, an effective program is backed by adequate organizational resources (dedicated budget, empowerment, accountability) and a robust governance process with comprehensive reporting. This is what is typically found on the IT side of the equation, but OT remains the proverbial “blind spot.”
There are different levels of rigor to OT cyber security assessments, and you may not be ready (i.e., your management may not be ready) for a full-blown, in-depth walk-down assessment. You may have to start with a smaller-scoped effort. To help get you started, The Langner Group has developed a self-assessment tool based on our RIPE framework, which is being used in sectors from nuclear to water. The tool is called the RIPE Self-Assessment Tool (RSAT), and there is no cost or obligation to use it.
Tool link: RIPE Self-Assessment Tool (RSAT)
So, by all means, get that assessment done, but take a larger view of the findings. Like Carnac the Magnificent, you may already know the answer, but look beyond the answers to find the question: what is the root cause of all these symptoms? As a person responsible for the health of your company’s revenue-generating processes, you owe it to yourself and to management to make the case to cure the disease.