Which business processes are most critical to your firm?
If you need to understand the security and risk posture of your organization, this should be your first question. Reducing OT-related business risk starts with understanding and identifying the OT assets that support critical business processes. Only then can you see which OT assets need security focus and investment to reduce OT-related business risk in a cost-effective manner.
According to the SANS Industrial IoT (IIoT) survey, “most organizations…envision a 10 to 25% growth in their connected devices for the foreseeable future.”[1] This explosion of devices, on top of the obscurity issues already inherent in OT, makes asset discovery difficult.
As I outlined in the SANS IIoT webinar, a typical asset discovery effort tends to start by grouping devices by type (Windows, Mac, Linux devices, PLCs, sensors, etc.), which pulls focus away from managing the risk to critical processes. Doing discovery based on the critical asset systems instead keeps us from “boiling the ocean”, wasting resources and losing focus.
Start with critical impact systems and work in priority order to identify:
- What assets support the process?
- What hardware and software run on the assets and what is the network topology supporting them?
- What endpoints, devices and non-network connected devices really constitute the asset system?
Once you understand what the critical asset systems look like, the process itself highlights the importance of protecting high-impact systems, such as data center assets or operations. Funding requests become easier to justify from a business perspective, especially when introducing risk-mitigating controls. Ranking impact systems on a high/medium/low scale also eases the implementation of many Risk Management Frameworks (RMFs).
RMFs are best-practice policies for assessing and reducing OT asset-related business risk. Common examples used in OT are the NIST Cybersecurity Framework and NIST 800-82, which is written specifically for industrial control systems. Alongside the RMFs there are international standards, such as ISA/IEC 62443 or ISO 27000, against which organizations can be certified, and regulations, such as NERC-CIP in the energy sector. What they all have in common is a framework of controls that build on each other, from asset discovery through hardware and software asset management, configuration management and vulnerability management, giving you a blueprint for efficient and measurable business risk reduction.
When we start with a “top-down” approach rather than a “bottom-up” approach, we end up with a solid risk management program that executive management can understand, one that protects the processes most critical to the business and does so cost-effectively.