Cybersecurity Maturity Across the Automation System Lifecycle

Overview

Improving the cybersecurity of automation systems remains a topic of considerable interest for suppliers, end users, government agencies, and other stakeholders. Just as with areas such as safety and quality, lasting improvement requires a continuous improvement approach that addresses all aspects of the opportunity. Single projects are seldom effective, and any gains achieved can be difficult to sustain. Maturity assessment has become an essential element of cybersecurity programs but there are several such models available, and it can be a challenge to determine the best alternative. Moreover, maturity models can be quite complex and difficult to implement.

This Insight describes how maturity assessments can be used in conjunction with other methods to address cybersecurity risks that are present at all stages of the solution lifecycle.

The Cybersecurity Imperative

Improving the cybersecurity of automation systems has been an area of focus for almost two decades. Awareness of the seriousness of the challenge continues to increase, due in large part to efforts on the part of industry associations, standards bodies, and suppliers to share information about potential threats, current vulnerabilities, and examples of negative consequences. This has also led to an increased understanding of the size and scope of the problem. Virtually all industry sectors that employ these systems face varying degrees of risk in this area.

Although much has been done to address this imperative, challenges remain. Products and supporting technologies have been improved, but the capabilities of legacy products and systems are still inadequate. New systems must be designed and configured with security as an important consideration, and asset owners must take the steps necessary to secure their current systems.

From Awareness to Justification

Although essential, awareness and understanding of the potential risks are not sufficient. End user companies operate in an environment that includes all manner of risks, and it is always a challenge to convince decision-makers to approve the investments necessary to address specific examples. Just as with any investment, there must be some sort of return. It is common to justify cybersecurity-related efforts by focusing on the possible consequences of inadequate security, such as loss of production, loss of intellectual property, damage to physical processes and equipment, and loss of company reputation.

Limits to Progress

If we accept the premise that there has not been sufficient progress in addressing the cybersecurity imperative, it leads to the obvious question of what is limiting progress. Many of the causes are long-standing and well known.

• Size and Complexity – The safe and reliable operation of large industrial and manufacturing plants, mills, and other facilities require the use of similarly complex automation systems. These systems typically undergo incremental change and improvement over time, and current configuration records are often not available. Thus, a detailed inventory is the first step in a cybersecurity program.
• Limited coordination – Successfully addressing the industrial cybersecurity challenge requires understanding and coordinating many "moving parts." Unfortunately, it is seldom obvious who is best positioned to provide this coordination. End users often do not see the need for such coordination. There are some examples of success in the context of trade associations, but these are often limited to larger companies within a specific sector.
• Risk awareness – Even if the automation systems and the underlying processes are well documented and understood, there may not be an appreciation of the types of degree of risks faced in their operation. Without a risk assessment, there is often not a response to potential threats.
• Lack of Incentive – If there is no compelling business case or external forces like regulations that compel a response then the result is a lack of incentive to improve the cybersecurity of the systems in question. Therefore, no such improvements are made, or at best they are made very slowly.
• Confusion about responsibility – It is not always clear who is responsible for what elements of the response. The best example of this is the ongoing debate about whether securing automation systems is the responsibility of the IT or the OT organizations. The reality is that both have a role to play and moving past the debate to cooperation is essential for meaningful progress.
• Want of a single solution – Although there is a natural desire for a single solution that meets all the needs or requirements, this can lead to a situation known colloquially as "Better is the enemy of the good," where meaningful improvements can be delayed or bypassed while waiting for a better solution. The simple truth is that there will always be something better in the future, and yet we will never find a perfect solution. It is better to implement what is available in a manner that allows incremental improvement as new capabilities emerge.

Continuous Improvement

Given the inherent size and complexity of the problem and the impediments listed above, it is impossible to make substantial improvements to automation systems’ security by applying single measures. The required response must be seen as more of a process than a project with a defined beginning and a defined end. A continuous improvement program can be an effective approach for defining and delivering the changes needed to address cybersecurity risks.

ARC Advisory Group clients can view the complete report at  ARC Client Portal

If you would like to buy this report or obtain information about how to become a client, please  Contact Us

Keywords: Cybersecurity, Lifecycle, Maturity, Metrics, Performance, Risk Management, ARC Advisory Group.