The New Year is a great time to make resolutions, but often as the weeks pass, these resolutions fall to the back burner. A study completed in 2016 showed that less than 25% of those who set a resolution successfully followed that resolution for a year [1]. When we think about all of the activities in our daily lives, it is not hard to picture why. Several common reasons for failure include setting unrealistic goals, failing to track progress, forgetting about resolutions, or setting too many resolutions [1].

As much as these challenges apply to goals in our personal lives, they can be easily extrapolated to our work goals as well. How often have we started the year with a new “To-Do List” that will be buried in the first week of the year? How often do we leave a meeting, conference, or training course with new energy and a list of goals to tackle only to see that energy fade over the next few months? For organizations, how often do we see big initiatives at the start of the year, or multiple “high-priority” projects running in parallel until there isn’t the bandwidth to truly push any of them as a priority anymore?

This doesn’t mean that having resolutions or setting goals is pointless, but it does mean that we need to use more effective strategies to stay on track. Defining a realistic goal, setting measurable benchmarks for progress, and having periodic check-ins can all help to significantly improve the likelihood of successfully completing the resolution for individuals and organizations. 

The Industrial Control System (ICS) environment faces many of these same challenges. Trends of growing cybersecurity exposure, tight operational requirements, increasing installed base age, and limited resource availability lead to increasing pressure on automation professionals such as controls and process engineers to get more and more done in less time. 

Although introducing cybersecurity into the list of tasks may at first feel like one straw too many, it cannot be ignored. ICS environments are increasingly targeted by cyberattacks: a survey conducted by Ponemon found that between 2017 and 2019, 90% of ICS organizations experienced a “damaging cyberattack”, meaning one that had a measurable negative impact on production or another negative financial effect [2]. Failing to adequately address cybersecurity risks can have significant negative impacts on operability and safety requirements.

Observed ICS/OT Environment Trends show how increasing cybersecurity exposure and installed base age pose a significant challenge for limited OT resources, leading to more to do with fewer people to support it.

Applying goal-setting strategies is a must for Industrial Control Systems (ICS)

For the best chance of success, it is important to set “realistic” goals. When determining what is realistic, it is important to ask a few questions: 

  • What resources are available (time, skill, money)?
  • Where does this goal fit with other priorities?
  • What is the timeframe that the goal must be completed in? 

For a dedicated team it may be possible to get much more done compared to a single resource trying to get a security program off the ground. What matters most in the goal-setting process is picking something that is realistic and achievable for you or your organization. Cybersecurity is a highly complex issue that cannot be solved overnight, but it can be improved over time through many small choices and changes. No goal is too small, and incremental progress is often an effective way to build momentum and achieve larger goals in the future. Getting started is often the hardest part, so to help with the brainstorming process, we have identified five potential goals for cybersecurity in 2023, including who each type of goal is a good fit for.

Goal 1: Complete ICS Cybersecurity Awareness Training

Who is this goal a good fit for? 

Awareness training is a good fit for individuals looking to get started in ICS cybersecurity. They could be controls/automation engineers, process engineers, process safety engineers, or technicians who interact with industrial control systems daily but aren’t familiar with the cybersecurity aspects affecting the systems.

Awareness training is also a good fit for organizations that are in the beginning stages of rolling out cybersecurity initiatives but need to build understanding in the importance of ICS cybersecurity across sites for various types of personnel.

Why is this an important goal?

Awareness is a prerequisite for improving ICS cybersecurity. If you aren’t familiar with the environment and its challenges, it is very difficult to make meaningful progress. For individuals looking to improve their understanding of cybersecurity, starting with the awareness aspect builds knowledge of the core concepts that are expanded upon in more detailed lifecycle courses. Everyone who interacts with ICS is responsible for acting in a conscientious manner, and awareness training is a key step towards building cybersecurity hygiene – a set of basic practices that should be followed by all ICS personnel to protect the health of the hardware and software of computer-based systems – as an individual or organization.

Starting with awareness and hygiene can help to protect against the most common causes of ICS cybersecurity incidents, including employee/contractor negligence (64%) and credential theft such as phishing (13%) [2].

How can I get started? 

For individuals there are many free webinars that can provide a good starting point for cybersecurity awareness. exida has created a customized YouTube playlist incorporating many of these webinars into one single place: IACS Cybersecurity for End Users Playlist.

For organizations looking to roll out cybersecurity awareness training to one or more sites, exida has a formal cybersecurity awareness course and several instructor formats available to meet any awareness training needs. If you are interested in learning more about this offering, please complete the exida contact form and we will be happy to get back to you.

Cyber Hygiene is a crucial step towards improving cybersecurity, and a key outcome from improved awareness. 

Goal 2: Complete Cybersecurity Lifecycle Training

Who is this goal a good fit for? 

Cybersecurity lifecycle training goes into more detail about the nuts and bolts of implementing ICS cybersecurity compared to awareness training. It is still a good fit for individuals looking to learn more about ICS cybersecurity and is the best fit for those who will be actively participating in cybersecurity initiatives or those looking to develop their skills in a new and fast-growing field. 

Lifecycle training is also a good fit for organizations that are looking to develop ICS cybersecurity leads for individual sites or for upcoming initiatives and projects, to help provide a consistent foundation for team leaders.

Why is this an important goal?

Building competency is a core part of every cybersecurity program. Awareness training is a good first step, but for cybersecurity leads and those taking an active role in the program, more detailed information on the core industry standards and best practices is needed. Establishing this foundation allows them to more effectively identify cybersecurity needs and protection methods. The ISA/IEC 62443 standard series is the predominantly adopted approach for ICS cybersecurity and identifies three distinct phases: analysis, design, and operations. Learning how to effectively navigate these phases will be key to implementing cybersecurity during projects and for the life of the facility.

Completing training is also a great way to improve your skills and differentiate yourself. Actively taking courses can help to demonstrate initiative and be a good difference maker when evaluating interest in taking new opportunities. Personnel certificates for course completion and personnel certification programs help to clearly demonstrate the results of competency development activities.

How can I get started? 

exida offers a four-day full ISA/IEC 62443 Lifecycle Course (CS 100) that can be completed in-person or online from open enrollment courses, or that can be completed online as two two-day courses (CS 101 and CS 102). More information on the lifecycle course can be found on the exida website: CS 100 – IEC 62443: Automation Cybersecurity Analysis, Design, and Operation

Personnel competency programs help to formally document the gained competency from cybersecurity training programs and experience. exida offers multiple certificate and certification levels depending on the amount of experience and program completed.

Goal 3: Complete a Cybersecurity Gap Assessment

Who is this goal a good fit for? 

ICS sites or organizations that know they need to start improving cybersecurity but aren’t sure where to dive in first often benefit greatly from starting with a cybersecurity gap assessment. This can be an effective exercise for organizations just getting started in cybersecurity, or for organizations that have taken some steps in the past but aren’t sure where they currently stand.

Why is this an important goal?

A gap assessment can be tailored for an organization as a whole or for a specific site, depending on the desired area of focus. It is a great first step to identify the current cybersecurity posture and exposure for the organization/site, and it helps to determine where the current approach is effective, which existing areas can be further strengthened, and which areas require more significant changes to be successful.

Former United States Secretary of Defense Donald Rumsfeld somewhat famously claimed that there are three types of information:

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” [3]

These categorizations do apply to cybersecurity, and in security it is always best to be in the know about your system and any potential issues (“known knowns”). Even when an issue has been identified it is not always practical to implement mitigations right away, but it is at least possible to monitor it; these issues are the “known unknowns” (e.g., packaged PLC workstations without anti-virus or other protections). While these “known unknowns” pose a real risk, it is the last category, the “unknown unknowns”, that is the most critical area to focus on for ICS cybersecurity, because they cannot be tracked or monitored.

Unknown devices connected to the ICS network, wireless access points, installed programs with vulnerabilities, and undocumented behavior are all examples of cybersecurity “unknown unknowns”. Any of these could lead to a compromise of the system, and there would be no way to know what caused it.

A gap assessment helps to identify these “unknown unknowns” and provides more information about the attack surface area, or the amount of exposure that an organization has to cybersecurity threats, including an evaluation of the network architecture and connected devices, vulnerabilities in critical equipment, and the existing cybersecurity practices and policies for the site/organization. Understanding how vulnerable your organization is to cyberattacks is a critical part of starting to address the problem.

The attack surface area for cybersecurity is not as easy to determine as in geometry, but by identifying exposure through the network architecture, component software/hardware, and personnel it is possible to determine key areas of focus.

How can I get started? 

For more information about the importance of gap assessments for ICS systems the following webinar provides a good starting point: Importance of Industrial Cybersecurity Gap Assessment

For more information on exida’s cybersecurity services or to request more information please visit our website.

Goal 4: Develop a Cybersecurity Management System

Who is this goal a good fit for? 

Organizations that know that they don’t have much in place for cybersecurity but are ready to get started with an ICS centric approach can look to get started by developing a Cybersecurity Management System (CSMS). This goal is best for organizations that have identified cybersecurity as a priority and have some resources available to support the effort.

Why is this an important goal?

Too often, the first attempt at documenting cybersecurity results in mounds of unruly and often unhelpful paperwork. This problem is easy to see when trying to identify the correct location for a cybersecurity requirement: is the correct file for documenting the firewall rules the firewall policy overview, the firewall installation procedure, the access control philosophy, the system zone & conduit diagram, or some combination of all of the above?

Instead, in a Cybersecurity Management System (CSMS), one central document outlines the “what” that an organization aims to achieve for cybersecurity and provides clear direction on where to find the procedures that outline the “how” for a given security task, leading to effective cybersecurity management and fewer headaches. Formally documenting the strategy and structure for approaching ICS cybersecurity improves the ability of an organization to define clear cybersecurity requirements and roll them out across one or more sites.

The CSMS is also an effective way to mitigate many of the common issues exida has found in previous gap assessments, and is the primary mitigation for findings such as:

  • No Structured Cybersecurity Process
  • No Cybersecurity Roles & Responsibilities
  • Poor Communication Across Business Units
  • Missing or Incomplete Documentation
  • Poor Repeatability of Security Activities
  • No Definition of Cybersecurity Requirements

The CSMS is a single guiding document that combines multiple sections to provide a comprehensive overview of “what” an organization aims to achieve for cybersecurity.

How can I get started? 

For more information about the importance of developing a robust CSMS see the following webinar: How do I “Manage” my Cybersecurity Management System?

Although developing policies and procedures from scratch can be daunting, exida has a set of pre-made ICS Cybersecurity templates based on the ISA/IEC 62443 standard: IEC 62443 End User Template Bundle: All Templates. You can either purchase the templates and customize them yourself, or, if your organization is looking for more support, exida can provide consulting services to assist with tailoring the templates to your specific needs.

Goal 5: Conduct an ICS Cybersecurity Risk Assessment

Who is this goal a good fit for? 

Organizations that are more experienced in ICS cybersecurity, have a good understanding of their current network architecture and asset inventory, but are not sure how to prioritize sites or further mitigation actions can benefit from an ICS specific cybersecurity risk assessment. This goal is best for organizations that have identified cybersecurity as a priority and have some knowledgeable resources available to support the effort.

Why is this an important goal?

Many ICS/OT organizations have mature processes in place for evaluating process or machinery hazards in traditional safety risk assessments, but far fewer have developed a robust approach for assessing cybersecurity risks. Although many IT groups use Governance Risk and Compliance (GRC) tools to conduct risk assessment at the business unit level, these tools often do not capture the full picture of ICS/OT cybersecurity risks. Because cyberattacks on ICS environments can lead to lost production, physical damage, and potential safety issues, a different approach is needed.

Alignment between safety risk assessment and cybersecurity risk assessment is critical, and the latest version of IEC 61511 now requires that a cybersecurity risk assessment be conducted for all Safety Instrumented Systems (SIS) and connected systems. Fortunately, traditional process hazard analyses (PHAs) contain valuable information that can be used to improve the speed and efficiency of the cybersecurity assessment, including corporate risk criteria, potential consequences resulting from control system failures, severity rankings for consequence scenarios, and existing mechanical protection layers. With this information, organizations can jumpstart their approach to managing cybersecurity risk.

The exSILentia cyber™ screenshot shows how many pieces of information from the PHA (worst-case consequences, risk criteria, and safeguards not susceptible to cyberattack) can be directly translated to an ICS cybersecurity risk assessment.
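As an added illustration of how PHA data can seed the cyber assessment (this is not exida's code or the exSILentia cyber tool): the scenarios, safeguards, risk matrix and the assumed attack-likelihood rank are all constructed values. Only the mechanical safeguards keep their PHA credit, because a compromised control system can defeat BPCS and SIS logic alike; scenarios whose residual likelihood exceeds the corporate criteria are the ones needing cyber mitigations.

```python
# Added example (not exida's or exSILentia's code); all values below are constructed.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Safeguard:
    name: str
    cyber_susceptible: bool   # relies on networked or programmable equipment
    credit: int               # likelihood-rank reduction credited in the PHA

@dataclass
class Scenario:
    node: str
    consequence: str          # worst-case consequence carried over from the PHA
    severity: int             # PHA severity ranking 1 (minor) .. 4 (catastrophic)
    safeguards: List[Safeguard]

# Corporate risk criteria (constructed): highest tolerable likelihood rank per severity.
TOLERABLE_LIKELIHOOD = {1: 4, 2: 3, 3: 2, 4: 1}

# Constructed assumption: with no cyber countermeasures in place, a successful attack
# on the control system is treated as a likelihood-rank-3 initiating event.
ATTACK_LIKELIHOOD = 3

def cyber_likelihood(s: Scenario, attack_likelihood: int = ATTACK_LIKELIHOOD) -> int:
    """Residual likelihood rank, crediting only safeguards an attacker cannot defeat.
    BPCS and SIS functions share the network exposure, so they earn no credit here;
    mechanical layers such as relief valves keep their PHA credit."""
    credit = sum(g.credit for g in s.safeguards if not g.cyber_susceptible)
    return max(1, attack_likelihood - credit)

def screen(scenarios: List[Scenario]) -> List[Tuple[str, str, int, int]]:
    """Scenarios whose residual cyber likelihood exceeds the corporate criteria,
    as (node, consequence, residual rank, tolerable rank) tuples."""
    gaps = []
    for s in scenarios:
        residual, tolerable = cyber_likelihood(s), TOLERABLE_LIKELIHOOD[s.severity]
        if residual > tolerable:
            gaps.append((s.node, s.consequence, residual, tolerable))
    return gaps

# Constructed sample PHA scenarios for a fictional process unit.
SAMPLE_SCENARIOS = [
    Scenario("R-101", "Runaway reaction, vessel rupture", 4, [
        Safeguard("BPCS high-temperature alarm", True, 1),
        Safeguard("SIS high-pressure trip", True, 2),
        Safeguard("Relief valve PSV-101", False, 2)]),
    Scenario("T-201", "Overfill, flammable release", 3, [
        Safeguard("BPCS level control", True, 1),
        Safeguard("SIS high-level trip", True, 1)]),
    Scenario("F-301", "Loss of flame, furnace explosion", 4, [
        Safeguard("SIS burner management trip", True, 2)]),
]
for node, consequence, residual, tolerable in screen(SAMPLE_SCENARIOS):
    print(f"{node}: {consequence}: cyber likelihood {residual} exceeds tolerable {tolerable}")
```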

How can I get started? 

For more information about strategies for incorporating existing PHA information into cybersecurity risk assessments, the following webinar provides a good starting point: Streamlining Cybersecurity Risk Assessments

For more information on exida’s cybersecurity services or to request more information about getting support on a cybersecurity risk assessment please visit our website.

Regardless of the goal, putting together an achievable roadmap can help keep you on track.

Whether your goals for cybersecurity in 2023 are big or small, setting an achievable target and drafting an implementation plan will help to lead to a more successful outcome. For more information on setting an ICS Cybersecurity New Year’s Resolution please see our webinar: New Year’s Resolution: Plan for OT Cybersecurity

Sources:

  • [1] Discover Happy Habits, “New Year’s Resolution Statistics (2022 Updated)”, discoverhappyhabits.com (2022).
  • [2] Tenable, “Cybersecurity in Operational Technology: 7 Insights You Need to Know”, Tenable (2019).
  • [3] Donald Rumsfeld, “02/12/2002 Defense Secretary Press Conference”, Washington DC, United States (2002).
