Ivan Alcoforado, CISSP, PMP
The cybersecurity landscape has evolved toward more sophisticated threats targeting both enterprise IT and the industrial automation and control systems (IACS) that support pipelines, refineries, manufacturing and power plants, mining, and railways. It is evident that critical infrastructure organizations must appropriately manage this new risk in their environments.
Very often, however, we find that organizations jump to the implementation stage without adequately establishing all of the processes needed to achieve their goals. From failing to establish cybersecurity risk management targets to having little oversight over metrics and controls, these companies do not have an IACS security program with proper governance.
IACS security and IT security are usually undertaken by separate teams with different drivers and requirements. The IACS devices (e.g., distributed control systems, programmable logic controllers, supervisory control and data acquisition) are managed by the engineering or automation department, whilst the IT components (e.g., IP network, infrastructure, servers, operating systems) are the responsibility of the IT department. Without proper coordination, there is often uncertainty about where the responsibility for IACS support and security lies, and gaps occur in the organization’s security capabilities.
I believe we need IACS and IT security strategies to be aligned to the business, ensuring that resources are allocated in an efficient and effective manner to bring consistent results. These results need to be measurable, comparable and in line with the company’s risk appetite.
Failure to establish proper IACS security governance can lead to poor management of risk with dire consequences for the organization’s operations. It may lead to individual security project flops, to operational impacts on the very IACS we are trying to protect, or to overestimating the organization’s own cybersecurity capabilities.
My recent ISACA Journal article talks about leveraging industry standards to build an IACS program with an adequate governance structure. This should give senior management a better view of the company’s IACS risk profile, enable clearer communications with all stakeholders, optimize the allocation of resources, and give clarity of roles to engineers, IT security professionals and IT auditors when it comes to IACS security.
Read Ivan Alcoforado’s recent ISACA Journal article:
“Leveraging Industry Standards to Deal with Industrial Cybersecurity Risk,” ISACA Journal, volume 6, 2014.