Eradicate Information Gaps

A cybersecurity-management system starts with an asset inventory, followed by closing the technical and procedural gaps and flaws that allow your system to be compromised.

By Scott Reynolds, Johns Manville

Industrial cybersecurity continues to have information gaps that introduce preventable risk and increase vulnerabilities. To eradicate these gaps—including systems information, the risks within those systems, and information about best practices—it’s imperative that experts share the latest knowledge and work together to continuously develop and implement best practices.   

Information about your systems seems straightforward but can quickly become overwhelming. For example, every cybersecurity management system starts with an asset inventory, but how deep should that inventory go? In terms of scope, should you look only at network-connected devices? Should the inventory include air-gapped systems with a USB port or a network port?

When assessing a system’s depth, should you look only at your hardware, or should you also examine software and firmware? What about the libraries and source code the system has compiled in the firmware?

The first step to a successful security program is defining the scope and depth of an asset inventory. What do you need to know immediately? Start with the basics by compiling a complete hardware list with software and firmware versions. As your program matures, make each subsequent asset inventory more robust. 

After clearly defining what you’re protecting, consider what you are protecting against. Vulnerabilities are the technical and procedural gaps and flaws that could allow your system to be compromised and are revealed by any reliable asset inventory. The good news is that vulnerabilities can be fixed and controls can be put in place to reduce the likelihood of exposing your system to harm, such as installing a firewall. Vulnerability databases are a valuable resource, both shared and vendor-specific and are excellent examples of the power of mitigating risk through knowledge sharing. 

Protecting your assets is complex, but drawing on collective industry wisdom can lighten the load. Here are steps to widening your circle of experts:

Join a community. Organizations such as ISA (International Society of Automation, Pittsburgh, isa.org) are brimming with people who are genuinely interested in sharing knowledge and have extensive practical experience.   

Leverage a vendor- and sector-agnostic standard. The ISA/IEC 62443 standard series is grounded in the knowledge of thousands of volunteers across all industry sectors. These volunteers take a risk-based approach to securing the operational technology environment for systems of any size or complexity, without causing those systems to be compromised in the process.

Develop your people. Offer training on building effective cybersecurity-management systems, assessing OT cybersecurity risks, developing secure solutions, and maintaining those solutions. ISA also has several training and certification programs to help connect you with cybersecurity experts and gain training specific to OT cyber risk.

Cybersecurity is an ongoing process. Like technology itself, vulnerabilities and threats evolve and change over time, and information gaps across industrial cybersecurity are the number one cause of unsecured systems. Having an effective cybersecurity management system that tracks security posture and ensures control efficacy is essential for all OT asset owners. The most important control to have in place is an effective cybersecurity response strategy. EP