Get the Most Out of Your Cybersecurity Assessment

March 4, 2019
Performing a cybersecurity assessment on your industrial control system environment will allow you to address potential threats before they become realized attacks.

Unfortunately, we live in a digital world where manufacturing plants are often targeted by cyber attacks. These attacks can have devastating results for manufacturing and operational technology environments. A better understanding of which controls your environment has and which gaps remain can help in the decision-making process. One way a plant can better gauge its cybersecurity posture is by conducting a cybersecurity assessment.

If a plant has the personnel, resources and cybersecurity knowledge, an internal assessment can be highly effective. For those who don’t, an independent external cybersecurity assessment can provide a fresh and unbiased perspective of how the plant is performing. Choosing a company to perform a cybersecurity assessment can be challenging because there is no shortage of options. However, there are a few factors to consider before you make a decision.

Companies that have been performing cybersecurity assessments for years are typically staffed with cybersecurity experts. However, many of those assessors are IT cybersecurity professionals, meaning the assessment will be IT-focused. For a cybersecurity assessment in a plant or manufacturing environment, it is beneficial for the auditors or assessors to have a thorough understanding of the intricacies of technology systems in a manufacturing environment, as these differ from those in a typical IT environment. When the assessor is equipped with this knowledge, you will receive better and more targeted assessment results related to the operational technology within your environment.

Many organizations already have a way of performing a cybersecurity assessment. For example, you could check against controls you have defined as best practices. This is acceptable if your plant is unaware of or does not have standards to be assessed against.

If your plant wants to become more cyber-conscious, you might already have a framework or set of cybersecurity policies, and an assessment that verifies compliance with that framework or those policies would provide more value. If this is true for your plant, ensure that the assessing organization can scope the assessment and verify the cybersecurity controls and culture your plant is looking to achieve.

Brandon Bohle is MIT analyst III at Interstates Control Systems Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Interstates Control Systems, visit its profile on the Industrial Automation Exchange.