Michael Ramesar Hi Mike, I am sure you are enjoying your role so far and excited by the challenges you are facing on a daily basis. I would be very much interested in understanding what happened to "your ask". Are you able to share some feedback within this group?
A Security Framework is a massive topic to cover; without a clear understanding of the existing tooling and processes of the organisation, plus a good 360 view of all the available, market-standard practices, it will indeed be a very tall order to work out the assumed model/framework.
Yang
Hi Michael,
A good start is the C2M2 (cybersec capability maturity model) developed by Homeland Security for the Energy Sector in the US. Very simple checklist to gauge your company's maturity on the OT but also IT side. Even if you use something else like ISO 27001 info sec policies, the C2M2 can still be a simple checklist to use for KPIs/Maturity.
Cybersecurity Capability Maturity Model (C2M2) | Department of Energy
I assume the IT side of the business will already be using ISO 27001 so maybe it is a matter of widening the scope to include OT if it was previously ignored/excluded?
Regards,
Omar A
Thanks for sharing this. I did download this and explored the questions, etc. I do think it is very useful to start off with if you have nothing in place, and I would recommend it. It would be good to have an integrated tool for risk assessments that auto-connects to the C2M2 model.
On a more practical note
There are some really odd things done for things like remote monitoring of distributed assets, with for example special SIM cards and adapters generating legacy protocols at each end of a link that is pretending to be a wired 20mA loop or CAN bus or something but is not really wired, in a way that may or may not be very secure.
In such a system one needs to include consideration of compromise of the physical assets - how much damage could someone do if they stole a monitoring unit from a remote location and then some time later misused it to re-join the network as a subversive and either snooped or inserted false data?
Mike.
Your company will have lots of firmly installed kit. The IEC 62443 series is applicable and has a number of documents which address assessment and assurance. It seems Part 3-2 is relevant, but I haven't read it yet so don't really know how good I think it is. I have developed my own list of duties and mandates for process plant cybersec along with Martyn Thomas. It turned out to be way too long for the original target journal but we may be about to revise it for another. "Independent" it most certainly is.