OT security experts agree that without a systematic security policy and governance program, an organization will never sustain its efforts to continuously raise the security bar. Yet the sad reality is that for the vast majority of organizations that do invest in OT policy and governance programs, the exercise almost never lives up to expectations. Here's why that is the case, and what can be done to remedy the situation.
Policies as wishful thinking
You have seen this before: cyber policies that contain well-meaning, high-level provisions on what must be done, what should be done, and what must not be done. They also contain lots of buzzwords (risk, threat management, ...) and vague statements. What you don't see are details on the following:
– Who drives the efforts?
– Who implements the efforts, how, and when?
– When and how are results evaluated and reported?
In other words, details on execution and progress monitoring are usually missing. But without systematic action and audit, a policy is nothing but security theater.
That's where a governance program comes in. Contrary to what you may think, a governance program is much more than a bureaucratic exercise; it's the one thing that drives execution and progress. The simple reason is that a governance program must be specific about resources and implementation timescale. It cannot remain vague. Let's look at three major aspects of a governance program and how they move the needle.
Success Factor One: Resources and Accountability
In real life, nothing in an organization gets done without resources, accountability, and planning. Hence, by far the most honest indicator of how serious an organization is about OT security is a simple question about headcount: How many people in the organization work full time on OT security? If the answer is "zero", as it often is, one shouldn't expect impressive performance. In our 20 years of OT security consulting, this has been the most reliable predictor of what to expect in an assessment.
Why full time? Let's imagine your OT security workforce has other duties on the side, maybe engineering or maintenance jobs. The big difference from these other duties is that they are always somehow tied to no-nonsense deadlines. This is usually not the case when it comes to OT security. Can't that patch rollout wait for another month? What exactly would be the downside if it is pushed back? The reality is that people not working full time on OT security will sooner or later adopt an anecdotal approach to the topic. There will always be something apparently more pressing to do.
Maybe the most important, and perhaps unexpected, insight you can take away from this article is this: successful OT security programs are not driven by high-flying security goals, they are driven by the calendar. You need appropriate manpower to make this happen, and "appropriate" implies full-time engineers.
In case you are wondering what an OT security team could possibly have to do all day long, throughout the year, chances are that OT security at your organization doesn't actually happen. Think about assisting engineers in planning configuration changes according to accepted standard OT architectures. Or assisting project managers in properly applying OT security procurement criteria in their RFI/RFP/RFQ. Or assisting maintenance staff in properly using a change management workflow. Or assisting IT in conducting security incident management in OT. Or conducting training sessions. Or executing audits and producing reports for management.
The bottom line is that the OT security team is as busy as any other organizational entity, and most of the time it supports others in arriving at better OT security, step by step. For this reason we also call this team the OT Support Center.
Success Factor Two: Technical Capability
No systematic approach to cyber security is possible without a useful asset inventory. You can't even talk about cyber risk in a meaningful manner without one. Forget about "assessments" where the assessor (and the client alike) is completely unaware of the OT infrastructure that is the subject of the whole exercise. If all you have is a bunch of outdated Excel spreadsheets with hostnames, IP addresses and maybe an operating system version, any further discussion of OT security and risk is little more than security theater.
Poor inventory performance used to be justified by the lack of appropriate technology for automation. Certainly, producing an asset inventory for, let's say, a couple thousand PLCs, RTUs, computers, and network gear by hand is a no-go. But this is 2019, and tools which do the job just fine are readily available. Check out our OT-BASE Asset Management Platform to get the idea.
If you are still not convinced of the necessity of an asset inventory, consider a use case such as vulnerability management. At the time of writing, there are more than 120,000 known vulnerabilities. Which ones affect your installed base? What about the software and firmware versions that you have installed: are they still vulnerable, or has the problem already been fixed by a security patch? These questions can only be answered with automation, and only if the inventory records product and version per asset.
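To make the vulnerability management use case concrete, here is an added example (not OT-BASE code, and not part of the original article) of the matching step: every asset in an inventory is compared against vulnerability records that carry an affected-from version and a fixed-in version, so the result distinguishes "vulnerable", "patched" and "no fix available". The inventory rows, the advisory identifiers (ADV-001 and so on), product names and version ranges are all constructed sample data; the version parser is a deliberately simple one that handles dotted numeric versions with an optional suffix.

```python
"""Match an OT asset inventory against vulnerability records by version range.

Added example. All assets, advisory IDs and version ranges below are constructed
sample data, not real devices or real advisories.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    product: str   # vendor/product key as recorded in the inventory
    version: str   # installed firmware or software version


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    affected_from: str          # inclusive lower bound of affected versions
    fixed_in: Optional[str]     # first fixed version (exclusive bound); None = no fix published
    severity: str


def parse_version(v: str) -> Tuple:
    """Turn '2.8.3-SP1' into a comparable tuple.

    Numeric components compare as integers, non-numeric suffixes as strings;
    a version with extra components (2.8.3-SP1) sorts after its base (2.8.3).
    """
    key = []
    for part in re.split(r"[.\-]", v.strip()):
        key.append((0, int(part)) if part.isdigit() else (1, part.lower()))
    return tuple(key)


def assess(asset: Asset, vuln: Vuln) -> Optional[str]:
    """Return 'vulnerable', 'no_fix', 'patched', or None if the record does not apply."""
    if asset.product != vuln.product:
        return None
    installed = parse_version(asset.version)
    if installed < parse_version(vuln.affected_from):
        return None                      # older than the first affected release
    if vuln.fixed_in is None:
        return "no_fix"                  # affected and no vendor fix exists yet
    if installed < parse_version(vuln.fixed_in):
        return "vulnerable"              # affected and below the fixed release
    return "patched"                     # at or above the fixed release


def match_inventory(assets: List[Asset], vulns: List[Vuln]) -> List[Tuple[str, str, str]]:
    """Cross every asset with every record; keep only (hostname, vuln_id, status) hits."""
    findings = []
    for asset in assets:
        for vuln in vulns:
            status = assess(asset, vuln)
            if status is not None:
                findings.append((asset.hostname, vuln.vuln_id, status))
    return findings


def open_findings_by_severity(assets: List[Asset], vulns: List[Vuln]) -> dict:
    """Count unpatched exposures per severity, the figure a management report needs."""
    counts: dict = {}
    for asset in assets:
        for vuln in vulns:
            if assess(asset, vuln) in ("vulnerable", "no_fix"):
                counts[vuln.severity] = counts.get(vuln.severity, 0) + 1
    return counts


# Constructed sample inventory (hostnames, addresses, products and versions are made up).
INVENTORY = [
    Asset("plc-01", "10.10.1.11", "acme/plc-2000", "2.8.3"),
    Asset("plc-02", "10.10.1.12", "acme/plc-2000", "2.9.0"),
    Asset("hmi-01", "10.10.2.20", "acme/hmi-runtime", "5.1"),
    Asset("rtu-07", "10.10.3.70", "acme/rtu-x", "1.4.2"),
]

# Constructed sample advisories; the IDs are placeholders, not real identifiers.
VULNS = [
    Vuln("ADV-001", "acme/plc-2000", "2.0.0", "2.9.0", "high"),
    Vuln("ADV-002", "acme/plc-2000", "2.8.0", None, "critical"),
    Vuln("ADV-003", "acme/hmi-runtime", "5.0", "5.2", "medium"),
    Vuln("ADV-004", "acme/rtu-x", "2.0", "2.1", "low"),
]

if __name__ == "__main__":
    for hostname, vuln_id, status in match_inventory(INVENTORY, VULNS):
        print(f"{hostname:8} {vuln_id:8} {status}")
    print(open_findings_by_severity(INVENTORY, VULNS))
```

Note what the spreadsheet approach cannot give you here: rtu-07 produces no finding because its firmware predates the affected range, and plc-02 shows up as patched for ADV-001 but still exposed to ADV-002, which has no fix. Both distinctions depend on the inventory carrying exact product and version per asset, and on the matching being re-run whenever either the inventory or the vulnerability feed changes.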
Success Factor Three: Detailed Templates and Playbooks
How exactly do policies need to be written? It's not difficult to find lots of guidance on the topic on the Internet, or in training classes. But at the end of the day you find yourself sitting in front of an empty Word document, trying to turn all the good advice into writing that can actually be put in front of your coworkers.
For some, that Word document will never be filled with more than two or three paragraphs of draft text. After a sufficient level of frustration, it is then time to call for help. You will find help readily available in the form of consultants who are eager to write custom policy documents for you. We did exactly that in projects with clients for roughly twenty years.
But then we discontinued the offering, because we had realized that we were ending up with similar, if not identical, language for every single client, no matter which industry, no matter which company size. That was the basic insight which prompted us to sell a full OT governance framework as a product rather than as a project.
And this is what the Simple Cyber Governance Program is all about. It contains all the specific language that you need to launch a full-scale governance program: technical reference architecture details, procurement criteria, security incident management workflows, role-based policy language, a management program template, and more. Best of all, it has passed reality checks with clients in multiple industries, from manufacturing to nuclear energy. Its practicality is proven.
Using the Simple Cyber Governance Program is, well, simple. After purchasing a license, which is considerably cheaper than the average consulting project, you simply delete provisions in the program that may be too restrictive for your specific situation. It is also you who decides which modules to introduce when. As an example, you may want to leave more demanding activities such as vulnerability and incident management for a later time, once you have established a mature OT security team.
A policy framework with well-meaning principles and goals achieves nothing on its own. It needs to be put into action. This requires reasonable resources, a technical baseline capability in the form of an OT asset management system, and detailed guidance written in simple language that is practical and can be audited for compliance.
If you are interested to see what a ready-made OT governance program looks like, check out our Simple Cyber Governance Program that we have just released in its fifth iteration. You can download the full program document set for evaluation before buying a license.