In collaboration with Frost & Sullivan
applied-risk.com
The contents of these pages are copyright © Frost & Sullivan. All rights reserved. frost.com
A Blueprint for Building Sustainable Operational Technology Cyber Security Programmes
CONTENTS
3 Executive Summary
5 Chapter 1: Establishing an OT Cyber Security Programme
19 Chapter 4: Business-as-Usual and Sustainability
23 Conclusion: The Importance of OT Security to Organisational Security Resilience
Executive Summary
Many organisations that rely on Operational Technology (OT) need to elevate their
cyber security to a higher maturity level. A noticeable increase in threats that target
OT assets places a wide variety of companies, including those operating critical
infrastructure, at risk of process upset, production shutdowns, safety incidents,
or other service disruptions. These disruptions can negatively impact mission-critical
supply chain operations and the public. Ongoing geopolitical tensions, the
rise of criminal ransomware organisations, and the supply chain vulnerabilities that
critical infrastructure organisations face all expand the overall threat landscape.
New regulatory compliance standards are appearing, and ongoing trends towards
digitalisation and Industry 4.0 are driving integration between information technology
(IT) and OT domains, increasing the overall OT attack surface. That’s why many
companies with industrial operations are initiating OT security programmes.
Frost & Sullivan research has found that, among organisations operating critical
infrastructure, 37% of decision-makers voiced concerns over a lack of expertise in
accomplishing a sustainable and well-maintained OT security programme.
This white paper has been produced by Frost & Sullivan in collaboration with
industrial cyber security experts at Applied Risk, a DNV company. It provides
a blueprint for the steps companies should take when planning, designing and
implementing an operational technology (OT) cyber security programme.
The goal of this phase is to find out what constitutes OT security risks, threats, and
inherent vulnerabilities. Organisations must also understand what ideal OT security
programme goals are and how they can tangibly measure success within the programme
framework. One of the first questions to answer is what is driving the organisational
need to develop an OT security programme. Other important questions include:
• What are the safety concerns for the organisation and/or the public?
• What regulatory standards must the organisation adhere to for safety and overall security?
Securing committed support and financial backing from senior management
After identifying the members of the security committee, the organisation will be
able to set specific programme parameters as follows:
• The programme’s critical success factors and key performance indicators (KPIs)
During the programme’s planning phases, the budgetary process may involve
asking stakeholders to subsidise specific portions of the programme rather than the
total system cost. It also involves identifying the varied roles and responsibilities of
each stakeholder.
In addition to determining who will bear the cost and setting the organisational
KPIs for the OT security programme to achieve, the security committee will need to
assign specific duties to its members. This involves delegating specific champions
for the OT security programme during the design, implementation, and maintenance
phases who can ensure that the programme still fits with the organisation’s goals.
Finally, the organisation must identify which committee members can liaise
between engineering teams, programme managers, technical leads, and
executive leadership to maintain ongoing communication about the OT security
programme progress. The handover phase, from initial project launch to
business-as-usual within the organisation, is a critical transition phase that
should conclude the following:
• The creation of and adherence to ongoing risk assessment schedules
• The identification of day-to-day operations managers
• The tracking of OT security programme progress against organisational KPIs
Support within upper management will be important to ensure that the OT security
programme remains relevant for all stakeholders and that the handover is effective.
Without an organised handover, the OT security programme could become a costly,
one-off security planning session that negates all potential progress and planned
risk reduction activities during the next few years.
• Where its vulnerabilities are and how outsiders could exploit them
• How best to mitigate any damage if these vulnerabilities are left open
the public, and any partners that rely on the business for specific services. Once
the organisation can view its risks from these top-level perspectives, these
assessments become a crucial linchpin for future business planning, operational
improvement strategies, and the OT security programme’s long-term success.
The security committee members will need to create a company OT security framework
that covers the specific security controls, compliance policies, and programme frameworks
that external regulatory bodies stipulate. With external regulatory frameworks in mind
and consideration of international standards like NIST, ISO/IEC 62443, and ISO 2700X,
the committee can craft specific policies to mandate practices, roles, and responsibilities
in OT security solution operations and supplement this framework with procedures and
controls to achieve specific organisational goals. This security framework will set specific
organisational procedures regarding the design, installation, integration, and maintenance
of the OT security programme throughout the system’s lifecycle.
For many organisations, industry-specific laws and regulations are additional drivers
behind establishing and implementing an OT programme. To avoid costly fines
for non-compliance or even the loss of their permit to operate, organisations must
examine the laws and regulations that govern their respective industries. They can
then determine what their OT security apparatus will require from a regulatory
perspective and combine this information with what the organisation needs to do
to reduce its risk profile. Once the organisation knows the main security solutions
or capabilities that it must utilise, it is important to remind OT programme stakeholders
why implementing those solutions is necessary. Some examples include:
Knowing why these regulations exist can help stakeholders identify operational
risks they may not have considered.
After identifying and assessing regulatory and compliance statutes, organisations can
design the proper policies, procedures, and control frameworks to ensure long-term
compliance. While much of this step involves policy creation and implementation, it
also pushes the organisation to implement an assurance model that identifies and
appoints a specific role (individual or team) to monitor and assure leadership and
regulatory authorities that the organisation is meeting, evaluating, and reporting
company standards. A multi-layered defence strategy is the most fitting because the
first line of defence would be in the relevant business unit itself, the second in a central
OT cyber security centre of excellence, and the third could be an internal audit function
(or even an external party). Once the organisation has identified and appointed
these critical stakeholders and they understand which essential tasks to conduct, the
organisation can move into the next stage of OT security programme planning.
In addition, security teams need solutions that log and monitor all OT network activities;
this serves a regulatory reporting function, augments the security team’s visibility in the
environment, protects assets, and ensures adherence to security policies and regulations.
The next set of controls fortifies the overall OT system defences. First, teams should
ensure that a cohesive identity and access management system, both around the
physical access to the organisation’s facilities and for digital access to OT systems, is in
place and updated to reflect roles, responsibilities, and employee or contractor rosters.
This limits potential unauthorised access via lost or stolen credentials and plugs potential
vulnerabilities left open because of human error or via a social-engineering attack.
• Effective and timely patch management
• System hardening
• Change management controls
However, OT security teams must be risk averse and run any change through a risk
assessment and management of change (MoC) process to ensure that there will be no
negative impact on the operational process.
As OT security teams can never prevent every breach or security incident from
occurring, creating clear incident-response policies and workstreams is vital. The
development of comprehensive workstreams within incident response plans and
playbooks, in addition to business continuity plans, will be the important planning
stages. However, training the organisation in how to enact these plans is crucial.
This will ensure that all relevant stakeholders (including third parties) know the
exact policies, actions, and duties to perform in the event of a system breach to
limit potential damage. In some cases, a technology solution can automate these
incident-response capabilities.
System or component backup and restore is the last essential piece of these
incident-response and business continuity plans. With these controls in place,
organisations can significantly limit potential downtime from an incident and
maintain critical activities, even in the face of a successful breach or attack.
However, it is essential to test backup capabilities regularly to ensure they can
successfully recover the system. Having identified and prioritised these main security
controls according to their own risk assessments, organisations can move into the
decision-making phase for implementation strategies and consider criteria for future controls.
This assessment should consider future solutions. For example, stakeholders need
to consider both how a new OT solution impacts overall security resilience and
how evergreen the solution will remain throughout the system’s lifecycle. This includes
ensuring new security controls do not hinder future strategies and considering
whether these practices or systems will mitigate future business risks, even as the
organisation’s goals and strategies evolve. With respect to the business risk profile,
stakeholders should consider the following questions:
• How does this technology component maturity compare with the organisation’s
risk appetite?
Once the risk and consequence assessments are complete, all stakeholders must
decide whether to initiate, delay, or reject the final purchase. This discussion must
consider which team within the OT security programme controls the final purchase
decision, who leads installation and implementation, how the management of
governance will occur, and how the mitigation of risk will succeed.
2. The management team should break the master schedule down into phases, with
related timetables for purchase and integration.
The master timetable will reflect this and include the budgetary and investment
schedule necessary to complete the plans.
During the implementation of the selected controls, it is important to keep the risk
profile updated based on the changing threat landscape and the effectiveness
of the control implementation. Periodic risk assessments will reflect the updated
control implementation state and provide the opportunity to measure risk mitigation
because control implementation will lower the probability of an incident happening
or its impact. Having the right tools and processes in place with a trained workforce
will help the organisation to raise its security maturity from reactive to proactive and
move towards optimising security maturity in the long term.
• Making ongoing improvements to process safeguards to ensure the expected outcome of security operations
• Communicating security policies and content while enforcing these practices
• Continually testing OT systems via penetration testing or red team exercises to stay aligned with an evolving threat landscape
• Creating a fit-for-purpose assurance cycle throughout the organisation
• Conducting continuous monitoring of security controls, audits, and incident drills
Operational resilience spans the full technology stack, including IT, OT, the cloud,
telecommunications, and other connected systems in the organisation. Embedding these
cyber security controls in long-term operation and maintenance practices and having
a workforce that embraces this mandate will ensure that these OT security activities
are sustained smoothly without threatening the long-term viability of the organisation’s
business activities. These long-term controls include the following solutions:
• Security policy
• Penetration testing and red-team exercises
• Communication and policy enforcement
• Discipline
• Continuous performance assessment and improvement
• Continuous monitoring
• Security audits and drills
Having the right governance structures in place ensures that external and internal
information is available to the right stakeholders in the organisation so that they
can process, discuss, and act on the information by adapting the control framework
or updating guidance and work instructions. This will improve the situational
awareness and knowledge of internal and external parties involved in keeping the
organisation safe, secure, and resilient.
DNV is an independent assurance and risk management provider, operating in more than
100 countries, with the purpose of safeguarding life, property, and the environment.
As a trusted voice for many of the world’s most successful organisations, we help seize
opportunities and tackle the risks arising from global transformations. We use our broad
experience and deep expertise to advance safety and sustainable performance, set
industry standards, and inspire and invent solutions.