Standards and Practices define how to establish a cybersecurity management system (CSMS), but what is required for ongoing operation and maintenance?

By Eric Cosman

Asset owners and end users have access to many standards, guidelines, and practices related to industrial systems cybersecurity. Some of these are sector- or industry-specific, while others are more broadly focused. Perhaps the biggest challenge is how to choose the most appropriate source for guidance. However, in almost every case, the emphasis is on how to design and establish an effective industrial cybersecurity program. While this is certainly important, it is equally important to have a plan for how to manage such a program once it is in place. Experience in subject areas such as maintenance and safety has shown us that creating a program is only the first challenge. Unless there is a commitment and sustained effort to manage and support the program, its effectiveness will inevitably decline.

You cannot address the cybersecurity of industrial systems as a “project,” since the effort must continue indefinitely as the nature of the risk evolves. While the consequence component of risk may be relatively constant, the threats and vulnerabilities can change rapidly as technology changes. The asset owner must be able to measure program effectiveness on an ongoing basis to determine if and when it may be appropriate to shift emphasis to new areas.

The ISA and IEC 62443 standards and other sources of guidance refer to the use of maturity levels as part of this exercise. The exact nature of these levels may vary, but the concept is well accepted. ARC has published research on a proposed maturity model, and similar models appear in various standards.

Figure: ARC Cybersecurity Maturity Model

Concepts are certainly useful, but moving from a concept to execution can be a challenge. Some of the many questions that must be addressed include:

  • How and where should we begin to implement a model and the processes necessary to apply it?
  • How can we measure effectiveness and decide where to apply limited resources to making improvements?
  • What is the best framework for comparing our performance to that of our peers?
  • When should we consider new and developing technologies for inclusion into our program?
  • How can we translate opportunities into a comprehensive investment plan?

Case studies can provide an effective way to address these and related questions, but this requires that asset owners share their experiences, both good and bad. Many are reluctant to share such information, fearing that doing so may expose themselves to unwelcome scrutiny. This concern can be addressed by creating anonymous or generic case studies that describe the situation and lessons learned, without revealing too many details or identifying the specific companies. User groups and industry associations can and should take up this challenge.

The ISA99 committee has recently formed a new work group tasked with creating a set of case studies that will demonstrate the application of the fundamental concepts in the 62443 standards, including maturity models.

The upcoming 21st Annual ARC Industry Forum in Orlando will feature a dedicated workshop on this subject where panelists will share their experiences and observations on how to sustain and manage an existing industrial cybersecurity program. Workshop attendees will be encouraged to share their experiences, and ask questions of these experts.
