The first step in developing a cybersecurity response for your business is to establish its scope in terms of the hardware and software included, which in turn requires an accurate asset inventory. Collecting this information can easily generate a large amount of data that must be analyzed and reduced to a comprehensive description of what the project covers. That description is commonly referred to as the system under consideration (SUC). The scope may also be defined in terms of functionality (the process or service the assets support) or organizational responsibility (the department that owns them), and in practice it is often a combination of all three.
One question commonly encountered when defining an SUC is whether the program should be based on guidance for information systems or for operational systems (i.e., IT or OT). While this is presented as a choice between two alternatives, it is seldom that simple. The reality is that an effective program will draw elements from both domains. The protection of information from loss or compromise can be adequately addressed using commonly available information security standards (e.g., the ISO/IEC 27000 series), but it is also necessary to address the specific requirements and constraints of protecting the underlying physical processes and equipment, where availability, safety and the age of the installed base weigh differently than in IT. Guidance and direction in this area are available from sources such as the ISA/IEC 62443 series of standards.
When developing an IT/OT approach for an SUC, it is very important to distinguish between authority, accountability and responsibility. Authority is the power, delegated by senior executives, to assign duties to others. Accountability means being answerable for the outcome of a task by virtue of one's position; it can be assigned but not delegated away. Responsibility is the commitment to carry out a specific task, and it can be delegated.
While those in an IT or security organization may be responsible for certain tasks (e.g., asset identification and patch management), accountability for the security of OT systems typically lies with departments such as production, maintenance and engineering. A practical consequence is that the accountable department decides whether and when a change such as a patch or a network segmentation is applied to its equipment, because the production and safety consequences of that change fall on them.
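The scoping and accountability points above can be made concrete with a small inventory model. The following is an added example, not code from the original article: it takes a constructed asset inventory (every asset id, zone, function and department name below is invented for illustration), derives an SUC using each of the three scoping criteria the text names (hardware/software, functionality, organizational responsibility), closes the scope over host relationships so that an application is never in scope without its host, and then reports which department is accountable for each in-scope asset and which assets nobody has claimed.

```python
"""Derive a system under consideration (SUC) from an asset inventory.

This is an added example, not code from the original article. Every record,
zone, function name and department below is constructed for illustration;
the scoping rules are the three criteria the text names (hardware/software,
functionality, organizational responsibility).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str            # "hardware" or "software"
    zone: str            # network zone the asset sits in (constructed names)
    function: str        # process function it supports
    owner: str           # department accountable for it; "" if nobody claims it
    runs_on: str = ""    # software only: asset_id of the host it runs on


@dataclass(frozen=True)
class SucScope:
    """A scope is any mix of zones, functions and owning departments."""
    name: str
    zones: frozenset = frozenset()
    functions: frozenset = frozenset()
    owners: frozenset = frozenset()

    def matches(self, a: Asset) -> bool:
        return (a.zone in self.zones or a.function in self.functions
                or a.owner in self.owners)


def build_suc(inventory: Iterable[Asset], scope: SucScope) -> List[str]:
    """Return the sorted asset ids in scope, closed over host relationships.

    Software in scope drags in the hardware it runs on, and hardware in scope
    drags in every piece of software hosted on it, so the SUC never contains
    an application without its host or a host without its applications.
    """
    inventory = list(inventory)
    selected = {a.asset_id for a in inventory if scope.matches(a)}
    changed = True
    while changed:
        changed = False
        for a in inventory:
            if a.asset_id in selected and a.runs_on and a.runs_on not in selected:
                selected.add(a.runs_on)
                changed = True
            if a.runs_on and a.runs_on in selected and a.asset_id not in selected:
                selected.add(a.asset_id)
                changed = True
    return sorted(selected)


def find_unaccountable(inventory: Iterable[Asset], asset_ids: Iterable[str]) -> List[str]:
    """Assets in the given set that have no accountable department."""
    wanted = set(asset_ids)
    return sorted(a.asset_id for a in inventory
                  if a.asset_id in wanted and not a.owner)


def accountability_report(inventory: Iterable[Asset],
                          asset_ids: Iterable[str]) -> Dict[str, List[str]]:
    """Group in-scope assets by the department accountable for them."""
    wanted = set(asset_ids)
    report: Dict[str, List[str]] = {}
    for a in inventory:
        if a.asset_id in wanted:
            report.setdefault(a.owner or "UNASSIGNED", []).append(a.asset_id)
    return {k: sorted(v) for k, v in report.items()}


# Constructed inventory: a small packaging cell plus shared infrastructure.
INVENTORY = [
    Asset("PLC-01", "hardware", "cell-3", "packaging", "engineering"),
    Asset("HMI-01", "hardware", "cell-3", "packaging", "production"),
    Asset("EWS-01", "hardware", "cell-3", "engineering", "engineering"),
    Asset("SCADA-SRV", "hardware", "control-net", "supervisory", "IT"),
    Asset("SCADA-APP", "software", "control-net", "packaging", "engineering", runs_on="SCADA-SRV"),
    Asset("HIST-01", "hardware", "dmz", "historian", ""),   # nobody has claimed it
    Asset("ERP-01", "hardware", "enterprise", "finance", "IT"),
]

# Two ways of cutting the same inventory: by function and by zone.
PACKAGING_LINE = SucScope("packaging line", functions=frozenset({"packaging"}))
CELL_3 = SucScope("cell 3", zones=frozenset({"cell-3"}))

if __name__ == "__main__":
    for scope in (PACKAGING_LINE, CELL_3):
        ids = build_suc(INVENTORY, scope)
        print(f"SUC '{scope.name}': {ids}")
        print("  accountability:", accountability_report(INVENTORY, ids))
    print("unowned assets anywhere:",
          find_unaccountable(INVENTORY, [a.asset_id for a in INVENTORY]))
```

Running it shows the two points the text makes: the function-based cut of the "packaging line" pulls the SCADA server into scope even though it sits in a different zone and is owned by IT, so the same SUC ends up with three accountable departments, and the historian turns up as an asset with no accountable owner, which is exactly the gap an inventory exercise is meant to expose before guidance is selected.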
Cybersecurity guidance
With scope, intent, accountability and relevant sources well understood, it is possible to make informed decisions about the guidance or assistance best suited to your purpose. In doing so, several basic questions should be addressed.
- Sector-specific or common? The first of these is whether the guidance of choice should be sector-specific or sector-neutral. While the former may be the better choice in regulated industries, where it often maps directly onto what a regulator will audit, the latter provides a broader view and a wider range of options.
- What technologies to use? There is also the question of whether the source guidance prescribes specific technologies. An example is advice to use uni-directional gateways (data diodes) for segmentation between zones of different trust; such advice is useful, but it should be checked against the data flows the SUC actually needs, since a one-way link rules out any protocol that requires a return path.
- Which processes and procedures to follow? Some guidance focuses on the "soft" elements of the cybersecurity response, consisting of processes and procedures. This is typically accompanied by information about organizational models and role definitions.
- What are the normative requirements? In the case of standards, there will be normative requirements that define in detail what must be provided in the response. These are not prescriptive about how each element is implemented, only that it must be present. These requirements form the basis for conformance or compliance assessments, so it is worth confirming that each one can be demonstrated with evidence before committing to a standard.
- What is the supporting rationale? In most cases, any guidance or advice included should describe the rationale behind it. Guidance that offers none should be treated as arbitrary, because without a stated rationale there is no way to judge whether it still applies when the SUC or its threats change.
Ultimately, the proposed response must be described in terms of the requirements that must be met and the expectations to be addressed. Although similar, these are not the same. Requirements should be stated in terms of what improvement must be achieved and how it will be measured. Expectations are more subjective but are still important. For example, if management expects to see clear changes in behavior as a result of the program, there must be a means of observing and reporting that change; an expectation that cannot be observed cannot be shown to have been met.