Industrial Cyber Protection Levels Standardisation

Posted on February 2, 2019 by

A key challenge in cyber security (management) is meaningful metrics.
This is even more challenging in areas where cyber risk management hasn’t exactly had decades of history to mature. Operational Technology (OT) is such an area.

Organisations struggle to measure the as-is cyber security level of their OT domains against the defined target levels at the pace of change dictated by IT-OT convergence and manufacturing digitalisation.

Where OT/Industrial Automation and Control Systems (IACS) risk assessments may take many months, chances are high that the list of assets, as well as the threat taxonomy in scope at the beginning of the risk assessment, will be fairly (if not greatly) outdated by the time the finalised (peer-reviewed, supervisor-reviewed, sponsor-agreed) risk/audit report is available to the mitigation teams so that they can start their mitigation planning (just the planning – the actual mitigation will take some more months, provided everybody has agreed again, there is a sponsor, and a mitigation project is ready to launch).

This problem will grow as the speed of change in OT (the speed of digitalisation-driven IT-OT convergence) inevitably increases. For the cyber security response to keep pace with this development (or, more importantly, to get ahead of it), the recipe needs to include the following key elements.

On the risk identification side:
– the adaptation of new IT cyber risk management approaches for OT (e.g. the Continuous Adaptive Risk and Trust Assessment (CARTA) approach proposed by Gartner); and
– “real-time” (operational) OT security metrics complementing Enterprise Risk Management (ERM) metrics.

On the risk mitigation side:
– consistent automation of key countermeasures (notably, incident detection and response and system/software lifecycle security controls); and
– bringing cyber security capabilities (people, processes, technology) into the OT organisations (notably, cyber risk know-how for OT risk managers, cyber technology know-how for OT maintenance teams and self-service platform based cyber technology).

Let’s be clear: the (very near) future of effectively and efficiently keeping the OT cyber risk in check is based on monitoring algorithms rather than on a team of (human) security experts working their way through a (weeks or even months old) list of (human) OT security audit or risk assessment findings.

Yet even with the AI algorithms and automated (and dynamic) controls, safeguards and countermeasures in place, we, the eventually few remaining human security professionals and security managers (and the boardroom), will still need to know what’s going on on board our OT spaceship, and what our OT security level is, won’t we? As a matter of fact, the more we automate our (not only OT) protection measures across the enterprise, the more important it becomes to have a common OT cyber risk language among all risk stakeholders in the enterprise, and also (and not least) among enterprises.

A few weeks ago, I had the pleasure of attending a presentation by Dr Pierre Kobes, who introduced the concept of IACS protection levels and a plan to make those a part of the IEC 62443 industrial security standard. Kobes is the Product and Solution Security Officer at Siemens and has a leading role in the ISA99 working groups that are shaping IEC 62443.

A quick reminder: IEC 62443 is actually not a single standard but a set of documents covering four areas (general, policies and procedures, system, component) and up to five subdomains per area. The IACS protection levels proposed will be a sub-domain of ISA-62443-2: Policies and Procedures.

The proposed extension of IEC 62443 with an IACS protection levels methodology aims to
– evaluate the protection of plants in operation;
– represent a more holistic application of ISA/IEC 62443; and
– better bridge the OT and IT security worlds

It will do so through a rather “simple” idea: combining an evaluation of the security function levels and the security process maturity levels that are already defined in 62443 today.

The proposal also includes allowing the resulting protection levels to be clustered into ‘views’ (as a use case for non-cyber experts such as OT asset owners) and ‘security control classes’ (as a use case for cyber security experts), thereby making the protection levels a potentially strong pillar in a bridge between the two ‘worlds’ (or even a bridge in itself).

I believe that internationally standardised industrial security protection levels (such as those proposed by Kobes/the ISA/IEC working group) would indeed be a major step towards a commonly understood global OT cyber risk language.

Dr. Pierre Kobes has kindly agreed that I may use the presentation and distribute it further. Here is a download link:,%20an%20holistic%20approach%20based%20on%20IEC%2062443_%20P.%20Kobes.pdf
