Virtually any discussion about securing operations and automation systems arrives at the question of how to affirm the performance and effectiveness of the cybersecurity program. Independent certification of product or system capability and expertise is a valuable tool for the end user as they determine how to best secure their systems. However, it is not a panacea, or even fully adequate for the task. A complete response to this question must address the three major elements of any such program—generally described as people, process, and technology.
Lack of applicable guidance is generally no longer the issue. On the contrary, many stakeholders are most challenged by the need to choose from several possible sources. In addition, standards are intended to be used as references, supported by associated guidance and practical examples. These examples can take the form of representative case studies or use cases that allow the reader to interpret and extrapolate successful examples to their situation.
Considerable effort has gone into the development of frameworks, standards, and recommended practices. These may be sector specific, or more generally focused to enable broader application. While essential for setting minimum expectations, these are often not sufficient to fully address the needs associated with securing operations systems.
How to respond
A solid understanding of the principles, concepts, and terminology is an essential prerequisite, but this is not solely sufficient for the development of an effective cybersecurity program. While there are many possible approaches for accomplishing this, most share several common elements.
As obvious as this may sound, the first element is the identification of clear objectives for the proposed program. Several of these are possible, and each requires a slightly different response.
Perhaps the simplest and most compelling is compliance, typically to a specific regulation or set of external requirements. In regulated industries these may have already been defined by the regulatory body. Examples include the CIP standards defined by NERC, or the CFATS standards for the chemical industry. While compliance is generally forced by an external entity like a government agency or industry group, conformance is voluntary adherence to a standard, rule, specification, requirement, design, process, or practice. It most commonly takes the form of meeting the normative requirements defined in an industry standard.
Regardless of how the objectives are stated, it is very important to understand that neither compliance nor conformity will necessarily make the system secure in any absolute sense. Security is a matter of degree and no matter how much is done, intrusions may occur, and further improvements may be required.
Even if neither compliance nor conformance are the goals, there may still be a desire to reduce the risk of cybersecurity incidents. Regardless of whether the ultimate objective is compliance or conformance, an effective program almost certainly requires a detailed risk assessment. Risk management is an established discipline, and there are many suitable methodologies that may be used, including the approach detailed in the ISA/IEC 62443-3-2 standard.
Once there is a firm grasp of the risks faced, it is possible to identify the most appropriate specifications to be used as the basis for certification. In situations such as regulated industries, this step may be relatively straightforward, as the regulation can also define the specification that must be used.
The end user must take the steps necessary to fully understand and appreciate the implications associated with available certifications. This applies to both certifications of products as well as experts retained to provide services.
It is tempting to use certificates of expertise to determine the qualifications of individuals being considered for providing security related services. Before doing so, it is prudent to fully understand the basis of such certificates, since not all courses and training programs are of equal quality. It is particularly important to confirm that the supporting courses adequately address the characteristics and constraints that are specific or unique to industrial systems.
Before pursuing any relevant certifications, suppliers must fully understand the potential benefits. In some cases, they may be seen as essential qualifications to enter a market, while in other situations they may provide a competitive differentiator.
Finally, it’s important to understand that there may be other important goals driving a desire to certify products or systems. It is essential that these be identified and quantified as part of the basis for the cost and effort required.