Cybersecurity maturity in automation systems | CRA Notice

Insight

Improving the cybersecurity of automation systems remains a topic of considerable interest for vendors, end users, government agencies, and other stakeholders. As in areas such as safety and quality, sustainable improvement requires a continuous improvement approach that addresses all aspects of the opportunity. Stand-alone projects are rarely effective and the gains achieved can be difficult to sustain. Maturity assessment has become an essential part of cybersecurity programs, but there are several such models and it can be difficult to determine the best alternative. Additionally, maturity models can be quite complex and difficult to implement.

This overview describes how maturity assessments can be used in conjunction with other methods to address cybersecurity risks present at all stages of the solution lifecycle.

The cybersecurity imperative

Improving the cybersecurity of automation systems has been an area of ​​focus for nearly two decades. Awareness of the severity of the challenge continues to grow, largely due to efforts by industry associations, standards bodies and vendors to share information about potential threats, current vulnerabilities and examples of consequences negative. It has also led to a better understanding of the scale and scope of the problem. Virtually every industry sector that employs these systems faces varying degrees of risk in this area.

Although much has been done to meet this imperative, challenges remain. Supporting products and technologies have been improved, but the capabilities of existing products and systems are still insufficient. New systems should be designed and configured with security as an important consideration, and asset owners should take the necessary steps to secure their current systems.

From awareness to justification

While essential, awareness and understanding of potential risks are not enough. End-user companies operate in an environment that includes all kinds of risks, and it is always difficult to convince decision makers to approve the investments needed to address specific examples. As with any investment, there must be some kind of return. It is common to justify cybersecurity efforts by focusing on the possible consequences of inadequate security, such as loss of production, loss of intellectual property, damage to physical processes and equipment, and loss of reputation. of the company.

Limits to progress

If we accept the premise that there has not been enough progress to meet the cybersecurity imperative, this leads to the obvious question of what limits progress. Many causes are old and well known.

• Size and complexity – The safe and reliable operation of large industrial and manufacturing plants, factories and other facilities requires the use of equally complex automation systems. These systems typically undergo incremental changes and improvements over time, and current configuration records are often not available. Thus, a detailed inventory is the first step in a cybersecurity program.
• Limited co-ordination – Successfully addressing the challenge of industrial cybersecurity requires understanding and coordinating many “moving parts”. Unfortunately, it is rarely obvious who is best placed to ensure this coordination. End users often do not see the need for such coordination. There are a few success stories in the context of trade associations, but these are often limited to large companies in a specific sector.
• Risk awareness – Even if the automation systems and the underlying processes are well documented and understood, there may not be an appreciation of the types of degree of risks encountered in their operation. Without a risk assessment, there is often no response to potential threats.
• Lack of incentive – If there is no compelling business case or external forces such as regulations that compel a response, the result is a lack of incentive to improve the cybersecurity of the systems in question. Therefore, such improvements are not made or, at best, they are made very slowly.
• Confusion over responsibility – It is not always clear who is responsible for which elements of the response. The best example of this is the ongoing debate over whether securing automation systems is the responsibility of IT or OT organizations. The reality is that both have a role to play and moving from debate to cooperation is essential for meaningful progress.
• Need a one-size-fits-all solution – Although there is a natural desire for a single solution that meets all needs or requirements, this can lead to a situation known colloquially as “the best is the enemy of the good”, where significant improvements can be delayed or circumvented while waiting for a better solution. The simple truth is that there will always be something better in the future, and yet we will never find a perfect solution. It’s best to implement what’s available in a way that allows for incremental improvement as new capabilities emerge.

Continuous improvement

Given the inherent size and complexity of the problem and the obstacles listed above, it is not possible to achieve substantial improvements in the safety of automation systems by applying single measures. The required response should be viewed more as a process than a project with a definite beginning and a definite end. A continuous improvement program can be an effective approach to defining and making the changes needed to address cybersecurity risks.

ARC Advisory Group customers can view the full report on the ARC Customer Portal

If you would like to purchase this report or obtain information on how to become a client, please contact us

Keywords: Cybersecurity, Lifecycle, Maturity, Metrics, Performance, Risk Management, ARC Advisory Group.