
cybersecurity assurance

Hello all,

I am the newly appointed lead cyber authority for a large energy company. I am interested in your thoughts on what an assurance framework or assurance model might look like in providing an independent view on cyber risk.


Thanks,


Mike Ramesar
  • Can you be more specific? For example, is this upstream E&P, utilities, etc.? And what type of cyber risk: information security, industrial control, cyber/safety?

    Regards

    Rob
  • Great question. It is both sides of the firewall - IT and OT (all of the above). I am still digesting the full breadth of operations, from offshore platforms, refineries, tankers, wind and solar farms, interfaces with suppliers, cloud systems, SaaS, PaaS, IaaS.
  • Hi Michael,

    Have you looked at the Cyber Assessment Framework from the UK National Cyber Security Centre? This was created for organisations responsible for vitally important services and activities.
    https://www.ncsc.gov.uk/collection/caf


    If you need any help with what sounds like a challenging brief, do get in touch.

    Martin

    BSI Cybersecurity & Information Resilience.
  • Hi Mike, I am sure you are enjoying your role so far and are excited by the challenges you are facing on a daily basis. I would be very much interested in understanding what happened to "your ask". Are you able to share some feedback within this group?

    A security framework is a massive topic to cover. Without a clear understanding of the existing tooling and processes of the organisation, plus a good 360 view of all the available market-standard practices, it will indeed be a very tall order to work out the assumed model/framework.

    Yang

  • Hi Michael,

    A good start is the C2M2 (Cybersecurity Capability Maturity Model) developed by Homeland Security for the energy sector in the US. It is a very simple checklist to gauge your company's maturity on the OT but also the IT side. Even if you use something else, like ISO 27001 information security policies, the C2M2 can still be a simple checklist to use for KPIs/maturity.

    Cybersecurity Capability Maturity Model (C2M2) | Department of Energy

    I assume the IT side of the business will already be using ISO 27001 so maybe it is a matter of widening the scope to include OT if it was previously ignored/excluded?

    Regards,

    Omar A

  • Thanks Martin, I am familiar with this.

  • Thanks for sharing this. I did download this and explored the questions, etc. I do think it is very useful to start off if you have nothing in place, and I would recommend it. It would be good to have an integrated tool for risk assessments that auto-connects to the C2M2 model.

  • A tall order indeed. We do have quite a lot of maturity in the space, with many internal standards and processes for various parts: IT, OT, suppliers, regulatory, etc.

  • On a more practical note

    There are some really odd things done for things like remote monitoring of distributed assets, with for example special SIM cards and adapters generating legacy protocols at each end of a link that is pretending to be a wired 20 mA loop or CAN bus or something but is not really wired, in a way that may or may not be very secure.

    In such a system one needs to include consideration of compromise of the physical assets: how much damage could someone do if they stole a monitoring unit from a remote location and then, some time later, misused it to re-join the network as a subversive and either snooped or inserted false data?

    Mike.
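One concrete way to close the gap Mike raises (a stolen remote unit re-joining the network and inserting false data) is to authenticate every reading per device and keep a revocation list for units reported lost, so that valid key material on a stolen box is no longer enough. The following is an added example and is not code from anyone in this thread or from any standard named here; the device ids, keys, readings and the `sign_reading`/`verify_reading` functions are all constructed for illustration.

```python
"""Added example (not from the thread): gate telemetry from remote
monitoring units so that a unit reported stolen, a forged reading, or a
replayed message is rejected before it reaches the historian.
All device ids, keys and readings below are constructed."""
import hashlib
import hmac
import json

# Constructed per-device secrets; in a real deployment these would be
# provisioned per unit and held in a key vault or HSM on the receiving side.
DEVICE_KEYS = {
    "rtu-001": b"constructed-key-for-rtu-001",
    "rtu-002": b"constructed-key-for-rtu-002",
}

# Units reported lost or stolen. Their key is still cryptographically
# valid, which is exactly why the receiver needs an explicit revocation list.
REVOKED = {"rtu-002"}


def _canonical(body: dict) -> bytes:
    """Serialise a reading deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, seq: int, value: float, key: bytes) -> dict:
    """Build the authenticated message a unit would send: device, sequence, value, MAC."""
    body = {"device": device_id, "seq": seq, "value": value}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_reading(msg: dict, last_seq: dict) -> tuple:
    """Accept a reading only if the unit is known, not revoked, the MAC verifies
    and the sequence number moves forward (rejects replay of an old message).
    Returns (accepted, reason); last_seq is updated only on acceptance."""
    dev = msg.get("device")
    if dev not in DEVICE_KEYS:
        return False, "unknown device"
    if dev in REVOKED:
        return False, "device revoked"
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(DEVICE_KEYS[dev], _canonical(body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the MAC through timing differences.
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return False, "bad mac"
    if msg["seq"] <= last_seq.get(dev, -1):
        return False, "replayed or stale sequence"
    last_seq[dev] = msg["seq"]
    return True, "ok"


def demo() -> list:
    """Run four constructed readings through the gate and return the reasons."""
    seen = {}
    results = []
    good = sign_reading("rtu-001", 1, 20.4, DEVICE_KEYS["rtu-001"])
    results.append(verify_reading(good, seen)[1])        # genuine reading
    results.append(verify_reading(good, seen)[1])        # same message again: replay
    tampered = dict(good, value=99.9)                    # value altered, MAC not recomputed
    results.append(verify_reading(tampered, seen)[1])
    stolen = sign_reading("rtu-002", 7, 18.0, DEVICE_KEYS["rtu-002"])
    results.append(verify_reading(stolen, seen)[1])      # valid key, but unit is revoked
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The order of checks matters: revocation is tested before the MAC so a stolen unit is refused even when its key is intact, and the MAC is tested before the sequence number so a tampered value is reported as a forgery rather than as a replay. In a real plant the revocation set would be fed from the asset register when a unit is reported missing, and the per-device keys would be rotated on re-deployment.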

  • Your company will have lots of firmly installed kit. The IEC 62443 series is applicable and has a number of documents which address assessment and assurance. It seems Part 3-2 is relevant, but I haven't read it yet so don't really know how good I think it is. I have developed my own list of duties and mandates for process plant cybersec along with Martyn Thomas. It turned out to be way too long for the original target journal but we may be about to revise it for another. "Independent" it most certainly is.