How to talk to the business about cyber security in ICS/OT? For me, it is all about where and how we demonstrate value. *TIP* This works in IT too.

A great tool to use is the Sliding Scale of Cyber Security developed by Robert M. Lee. The Sliding Scale breaks down cyber security controls into five areas:

1. Architecture (Highest risk reduction / Lowest cost)
The fundamentals of security, which include secure network architecture, system hardening, anti-malware defenses, security patching, etc.

2. Passive Defense
Automated security controls that help manage security, such as an intrusion detection system that watches network traffic and can alert an analyst when something suspicious requires investigation.

3. Active Defense
Having the people in place to perform proactive security such as threat hunting: looking for signs of an attacker in the environment that traditional controls and passive defense will miss.

4. Intelligence
Leveraging threat intel, whether built internally or purchased, to help strengthen the other security areas on the Sliding Scale, such as using IOCs associated with a known attack group for threat hunting and intrusion detection.

5. Offense (Least risk reduction / Highest cost)
Penetration testing and similar activities for identifying gaps in the security program so it can be improved.

It is extremely helpful in conversations with the business because it helps explain risk reduction and relative cost by highlighting:
1. Which areas of cyber security reduce risk the most (those to the left)
2. Which cyber security controls cost more than others (those to the right)
3. The most cost-effective "next steps" for your own environment

With the Sliding Scale, you can:
-> Look at the maturity of each area for your own specific environment
-> Better understand the next logical step to reduce risk in the environment
-> Put the associated costs into perspective for planning purposes and budgeting discussions with the business/asset owners & operators

Putting things into perspective for planning purposes and budgeting decisions: Where do we get the most risk reduction at the best price?

Special thanks to those that helped Rob in the creation and fine tuning of the Sliding Scale of Cyber Security - Thomas Rid, the late Michael Assante, Lenny Zeltser, and Tim Conway.

#CyberSecurity #Power #Safety #Rail #Petrochemical #Refinery #Cyber #Rail #UtilSec #ICSSecurity #OTSecurity #ICSCyberSecurity #OTCyberSecurity #IT #ICS #OT #Budgeting #RiskManagement
Like the approach. Not a fan of the 5 chosen or the ordering.
Mike, loved the pictorial, which speaks louder than words, especially the bottom-to-top approach in terms of value, which is one of the major concerns these days as a "security budget" vs. timeline for a particular business case. Especially the snapshot below is a great enabler which has taken the attention of most end-users, be it system hardening (for brownfield assets) OR special attention on engineered infrastructure and the associated security framework (for greenfield upcoming assets).
Great concept, but the order and costs seem completely arbitrary.
Very interesting Mike Holcomb. I always thought Offense (number 5) was about taking action against an attacker outside of “your” networks.
I would add end-user training and awareness to this too, which is a huge part of it. I would guess that the cost would be so small that it would barely register on the pyramid image.
You can listen to all of the advice and add or take away, but overall I like your approach, as Dale said (but I don't agree with him on the ordering not being right). Makes sense based on the chosen factors. Thanks for putting it out there!
Hello Mike Holcomb, Thanks for the diagram, great infographic. Do you think something like this would get business owners, CEOs, and the seats at the board table to realize this with an easy-to-follow chart? Two options: defensive funding now, or bracing for possible crisis bitcoin funding in the future. Well done!
Mike, nicely explained: "Comprehensive overview of how to adopt the best approach in ensuring the security of digital assets." I found this post to be highly informative and thoughtful; let me write ✍️ it in my own words and share it with my network.
Thanks Mike. For the architecture perspective, is there a way to know the standard design/architecture, or at least arrive at the standard architecture, especially for metro/mainline railways? Thanks.
For those looking for the original write-up by Rob Lee, you can find it at https://www.sans.org/white-papers/36240/.