The average number of cyberincidents per year in industrial enterprises has increased significantly over the past few years. Our colleagues conducted a survey, speaking with employees of industrial enterprises from 17 countries around the world. They asked questions about cyberincidents and the attitude toward cyber risks. As a result, they were able to identify seven factors that significantly mitigate the outcomes of the incidents.
Availability of a specialized OT security department

Almost every industrial enterprise has an operational technology (OT) security team of some kind. However, often instead of creating and funding an OT security department, the job is assigned to IT security or even general IT departments. These departments do not always understand the specifics of the operational technologies well enough to provide the necessary level of protection. To minimize both risks and consequences of incidents in industrial networks, an enterprise needs a well-resourced and appropriately qualified OT security team.

Clearly structured decision-making process

Often problems in an industrial enterprise arise due to organizational mistakes, when the management of security is divided between departments that are not related to each other. As a result, companies purchase security solutions that duplicate each other's functions, visibility of the industrial process becomes less than adequate, data collected from the endpoints and sensors is used inefficiently, and the implementation of new projects is delayed due to intricate approvals. This is all without mentioning the fact that the OT and cybersecurity departments start to compete for budgets.

Having a legacy infrastructure management strategy

Industrial control systems (ICS) often use equipment that was created before people had a rough idea of what level of digitalization modern industry would come to. Therefore, it is necessary to be extremely careful in building a control system for an array of outdated industrial networks, programmable logic controllers, supervisory control and data acquisition (SCADA) systems, and other OT elements. They should all be inventoried, and security specialists should regularly scan such equipment for critical vulnerabilities or failures resulting from wear and tear.

Introducing security solutions designed specifically for industrial environments

It is impossible to ensure the security of ICS environments using standard cybersecurity solutions. They will effectively cope with random general cyberattacks, but they will not detect threats specific to industrial processes. Moreover, sometimes they can negatively affect the continuity of technological processes. To avoid this, you need solutions that were specifically designed for industrial environments.

Having an OT/IT convergence strategy with IIoT in mind

The increasing digitalization of industrial processes implies an increase in the level of integration between OT and IT environments. Key elements of this integration are the use of Industrial Internet of Things (IIoT) devices, public cloud services and IIoT gateways. All these elements often become a vulnerability through which attackers can reach industrial systems. It is not realistic to stop this process of digital evolution; therefore it is necessary to develop a plan to securely integrate operational and information technologies in advance.

Rapid incident response

One way or another, incidents are unlikely to be completely avoided. But when they do happen, it's vital that the problem is identified and dealt with as quickly as possible. The faster it is done, the less it will cost the company both financially and reputationally. Therefore, it is especially important for industrial enterprises to have mature rapid response rules and a team that is able to carry them out.

Taking staff training seriously

Lastly, you should not forget about the importance of security-centric behavior among the company's employees. If you want to minimize the impact of security-related incidents, you need to train your staff in security basics and strictly monitor compliance with internal regulations.
One way or another, the human factor is behind the vast majority of incidents: someone used a compromised personal password, someone connected a phone to a computer behind an air gap, someone clicked on a link to a malicious website, and so on. People must clearly understand what can and cannot be done at an industrial enterprise, especially if it is a critical infrastructure facility. You can find the complete results of our survey, 7 Keys To Improving OT Security Outcomes: Kaspersky ICS Security Survey 2022, after completing a brief form.

A sampling of 80 (ISC)2 members surveyed by the Institute for Applied Network Security (IANS) found that the group scored very well on technical excellence, but was a bit behind the broader IANS sampling of 1,000 on organizational engagement. While technical excellence focuses on the specific security products and services deployed, organizational engagement refers to the processes in place at a company for how information security aligns with the business.

Stan Dolberg, chief research officer at IANS, and IANS CEO Phil Gardner presented the findings during a session at the (ISC)2 Security Congress in Orlando last week. Gardner added that organizational engagement will grow in importance as CISOs interact with more groups and divisions within an organization. "We found that the rise of the dotted lines to the other parts of the organization was stunning," says Gardner. "Some 80 percent of the (ISC)2 group do some type of reporting outside of IT, which compares to half of that with the general dataset."

IANS breaks organizational engagement into seven factors. Here's a list of the seven factors and how the (ISC)2 members fared compared to the broader group.

Factor 1: Gain Command of the Facts

In addition, IANS measures to what extent the CISO has linked that information to data from incidents the company experienced, and whether they have modeled that data and developed predictive models. IANS also examines if the company has validated those predictive models, and whether they have developed a planning tool that the CISO can use to help identify potential exposures in new business initiatives. Compared with the overall dataset of 1,000, the highest performing (ISC)2 respondents were lower on two of the three criteria, particularly on building an outlook for the future around the risk profile.

Factor 2: Get Business Leaders to Own the Risk

New business initiatives create new exposures, and getting business leaders to own those exposures and be accountable for them leads to more productive interaction and timelier risk assessments than if the CISO were responsible for all the information security risks. Here are a couple of ideas: Dolberg says while it's not the norm, some organizations are now tying compensation to how a business unit performs on information security issues. The more business units take ownership of information security, the better. Companies are also running simulations of an information security event so the business staff can develop a broader understanding of the issues. Relative to the overall dataset, the highest performing (ISC)2 respondents scored higher on three of the four criteria for getting the business to own risk, particularly on use of simulations to gain executive buy-in, and on setting clear risk stewardship policies.

Factor 3: Embed Information Security into Key Business Processes

The (ISC)2 sampling did very well on vendor selection. Embedding security into vendor selection means providing the infosec information to the legal and purchasing departments so they know what questions to ask when signing on with a new vendor. For the (ISC)2 sampling, if vendors want to sell to their organizations, infosec has to be an important part of the criteria. Relative to the overall dataset, the highest performing (ISC)2 respondents scored lower on three of the four criteria for embedding infosec. However, they scored higher on embedding security into vendor selection.

Factor 4: Run Infosec Like a Business

IANS evaluated the (ISC)2 members on budgeting, personnel management and project management. Not surprisingly, the (ISC)2 group did very well on project management and was basically on par on the other tasks. The (ISC)2 members were able to demonstrate skilled and agile use of resources, including managing consultants and contractors. They also can propose, staff and execute projects on time and on budget. Compared to the high performers in the overall dataset, the highest performing (ISC)2 respondents scored on par with the overall dataset on running information security like a business.

Factor 5: Develop a Technical and Business-capable Team

IANS says the (ISC)2 group needs to focus more on developing a plan for building a team that can grow and represent the CISO, both on scheduled projects and on events that pop up unexpectedly.

Factor 6: Communicate the Value of Information Security

CISOs need to understand every aspect of the business. Based on the findings, it's clear that the (ISC)2 sampling was able to describe security needs in very specific ways to business groups such as sales, software development and logistics. The (ISC)2 group performed very well here, especially on communicating the value of infosec and on stakeholder engagement.

Factor 7: Organize for Success

The strongest and most successful companies will have CISO organizations that have lines of communication with as many departments and groups in the company as possible. The (ISC)2 sampling was on par with the rest of the dataset and even excelled in two areas: CISO dotted-line reporting outside of technology, and contact with senior executives.
What is the need for information security?

Information security protects sensitive information from unauthorized activities, including inspection, modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual property.

What are 4 types of information security?

There are four types of information technology security you should consider or improve upon: network security, cloud security, application security, and Internet of Things security.

What are the 5 components of information security?

It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

What are the 3 major key components of information security?

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of three main components: confidentiality, integrity and availability.