Smash Your Personal Best – How to Continuously Improve ICS/OT Cybersecurity
OK I’m stressed. I’ve got my first marathon coming up in two months and I’m nowhere near ready yet. But I trust the periodization plan – a process of gradually ramping up my running volume and intensity in small but manageable increments until I am ready to perform on the big day. If you’re in charge of cybersecurity at an industrial facility, you’re probably stressed too. But with a similar process of continuous improvement of ICS/OT cybersecurity you can become a “tough” target and limit the impact of any incidents.
Runners are well known for being statistics nerds; many can tell you their personal best times and target pace for a range of distances. If you can stay injury-free and follow a structured training program, you should be able to improve steadily over time and this will show up in your performance data. It is useful to follow the same principle in OT cybersecurity – decide what you are trying to improve and know if you are (or aren’t) meeting goals and improving metrics such as incident response times and time to mitigate vulnerabilities. ICS/OT cybersecurity is a journey, much like marathon training, where you must prioritize projects in incremental steps with the ultimate goal of reducing risks to the greatest extent possible.
When I was running on my own, mostly on treadmills, I couldn’t have contemplated doing a marathon. The goal was just too big, and I didn’t know how to get there. Since joining my local running club, I’ve benefited from collective knowledge and help from coaches. We do structured training where much of the time is spent focused on long “easy” runs to build endurance and a minority in harder sessions to build speed. Similarly, cybersecurity splits into maintenance activities like patching, monitoring, educating and more focused activities where a critical vulnerability is mitigated or remediated.
So how do you decide what to focus on? Hexagon’s solution, PAS Cyber Integrity, will alert you to the latest vulnerabilities you should be aware of. It does this by matching its inventory of your assets, taken from OT backup files and IT queries, with a daily snapshot of the National Vulnerability Database from NIST. This gives you all the known vulnerabilities for your IT and OT assets applicable to the hardware, firmware and software versions you have. The vulnerabilities are scored in the database according to criticality, including customizable impact factors specific to your environment, allowing you to focus on the high-scoring issues This allows you to prioritize the vulnerabilities that exist within assets, units and locations which matter most. Or in running-specific terms, get the “quality” of each and every workout.
If you’re not using PAS Cyber Integrity, you can still apply the same principles by comparing PDFs of advisories with spreadsheets of your assets and emailing your colleagues for help with inventory queries. However, this is a lot of work and is prone to errors that likely causes ICS/OT cybersecurity to be shelved when other work takes precedence. Much like I found when I joined my running club, it gets easier when you have a little help.
Ready to learn more? Click here to discover how Hexagon can support you along your risk reduction journey.