6 steps to develop a cybersecurity program for OT

Operational technology (OT) comprises the systems, facilities, technologies, supply chains and networks that produce and manage goods and services in critical infrastructure (CI) sectors such as, power, gas, water, food, banking and finance, health, transport, defence, communications and education. These CI sectors provide essential services to businesses, governments and the community, as well as to other critical infrastructure.

They are vital to the social and economic wellbeing of Australia, including public safety and the ability to ensure national security.

A successful cyber attack on critical infrastructure that disrupts the provisions of essential goods and services can put public safety at risk, threaten economic security and, in a worst case scenario, compromise national defence.

In a rapidly evolving threat landscape, CI is a prime target for bad threat actors seeking financial profit via extortion or cyber espionage. But, with high stakes at play, hacktivists and disgruntled insiders are also incentivised to target critical infrastructure.

To build defences against CI threats and mitigate risks, cybersecurity programs of work are vital for OT and CI organisations.

Six key objectives of a cybersecurity program

To achieve a desired state of security maturity, OT organisations should adopt a program of work including six objectives in the security journey: risk assessment, strategy and governance, policy and procedure documentation in line with standards, implementation and security testing, monitoring, and staff training.

1. Risk assessment

The program should start with a risk assessment. This assessment should identify all assets in the architecture, assess risk using appropriate terms of reference or standard and have a scoring system to grade impact, likelihood and consequence. Results and findings should be numerically coded and transferred to the enterprise risk register and be nominated at the board’s risk committee meetings. A remediation budget should also be requested.

2. Strategy and governance

The strategy and governance documentation should take the results of the risk assessment and list the major projects the organisation must complete to mitigate or remediate identified risks to an acceptable level. This documentation should include projects, funding and timelines.

3. Documentation

Organisations should create security policy, procedure and architecture documentation referencing an appropriate architectural model.

An ISMS can be built by the selection of a standard such as ISO/IEC 27001:2013, ISA/IEC 62443, NIST or the Australian Government Information Security Manual. Standards contain cybersecurity domain and controls that once implemented enable an organisation to achieve a strong cybersecurity posture.

4. Implementation and testing

The implementation phase of a security architecture builds and tests the specified architecture in its physical form in four phases:

• Proof of concept (POC)
• Factory acceptance testing (FAT)
• Site acceptance testing (SAT)
• Security testing with active and passive penetration testing of security controls

5. Monitoring and incident response

Monitoring and incident response planning confirm system visibility and alerting capability across architectures for operational and security events based on a series of rules.

It is advisable to collect key metrics from devices across the architecture to enable monitoring and reporting across four key areas: operations, applications, security and business objectives.

6. Training

Training is a critical step in the security program to impart knowledge and help build a security culture. The main two training types are: cybersecurity awareness, which covers basic security concepts, and training on policy documentation established in the documentation and architecture phase.

OT organisations should adopt a cybersecurity program of work that identifies the organisation’s critical assets, assesses and documents risk, and maintains a risk register with remediation plans.

The security program should document the people, processes and technology of the operational architecture in line with appropriate standards. It should also warrant competent implementation with active and passive testing. While visibility of the architecture is key to incident response, cybersecurity awareness and policy training are imperative to building a strong security culture.

A robust cybersecurity program built on the six key objectives will enable a strong cybersecurity posture and compliance with the impending changes to the Critical Infrastructure Act.

Image credit: ©stock.adobe.com/au/dusanpetkovic1