September is one of the key times for the development and submission of an annual industrial cybersecurity plan. It will cover the company’s needs in the last four months of the year and will give us a more assured forecast for the following year. In the wake of recent attacks, threats and infrastructure vulnerability, it is imperative that all companies, regardless of size, consider the need for an industrial cybersecurity plan. Knowing the specific needs of the business and the teams as well as the budget and objectives are the basis for the development of the plan. What exactly is an industrial cybersecurity plan and how is it done?
All industrial assets and critical infrastructures can be attacked. Acting at an early stage, anticipating potential threats will help us to have peace of mind and confidence that we are digitally protected. However, a resilience plan must be developed to be prepared in the event of an attack. This plan is part of the Company’s industrial cybersecurity plan.
Why does your company need an industrial cybersecurity plan?
All companies clearly know that they must have a plan for sales – marketing, finance, investment and growth, etc., for their correct operation. The industrial cybersecurity plan is often one of the most neglected, perhaps due to the recent incorporation of IT technology into the OT operational environment. Currently, they are of vital importance not only to be able to attend to a given incident but above all, to work with anticipation and foresight. It is essential to have the organisation, resources and budget in place to ensure sufficient protection. The plan must always be present, published, updated and audited.
Industrial assets increasingly use technology from the IT environment. Threats and vulnerabilities are inherited from that environment. New ones appear to attack only industrial equipment and systems. However, it must be protected to prevent cyberattacks and hackers from doing their worst and causing significant damage, which can affect the people, facilities and the environment safety.
It is essential and should already be a key part of any corporate budget, to put in place an industrial cybersecurity plan. We must avoid major problems and exorbitant costs to fix what can be foreseen. Any company, regardless of size, can be vulnerable to a cyberattack. Everything has a value. The global cost of cybercrime is as high as $73 million per year (source: Ponemon Institute) with a 600% increase in cyberattacks during the pandemic.
What is an Industrial Cybersecurity Plan?
An Industrial Cybersecurity Plan is the document that (like all plans) sets out the needs, objectives, actions, resources and budgets in the specific field and area to be worked on in the company (in this case, cybersecurity in the industrial process).
The initial job is to identify the assets to be protected. Analyse the threats and risks they face. Vulnerability options that present a threat
Once this analysis has been carried out, the plan will include the necessary actions and strategies for protecting the assets to be protected, the creation of procedures and the training of employees. These tasks must be implemented on a continuous and sustainable basis to ensure full protection.
Finally, and in parallel to the action plan, the human resources and budget that each action will require must be included. The budget is essential and should be seen as a business investment to increase its security. Avoiding the expense of incident resolution when faced with a threat is a major premise.
Steps to create a company cybersecurity plan
Several steps must be taken to draw up a proper and, above all, useful cybersecurity plan. A basis that will lead us to success by including all the necessary items in the plan as well as the organisation, resources, budget, etc…
Situation analysis – cybersecurity risks
Knowing what we need to protect is the starting point for making the right decisions. An analysis of the current situation is essential to identify the cybersecurity gaps and risks within the company.
Existing mitigation measures should be assessed and identified, how they have performed and what are their weaknesses. From this, combined with an updated risk analysis, it will be possible to assess the action plans to be implemented.
Setting objectives
With the analysis carried out in detail and in depth, the unacceptable risks are identified, which will set the objectives in cybersecurity. Priorities will be identified for the next few months. It is essential to make modifications to the plan, depending on internal deviations and the external context.
Setting the company’s cybersecurity objectives should be done with a “bird’s-eye view”. It will be necessary to include and consider the rest of the company’s objectives: sales representative, financial, expansion. Everything influences and affects cybersecurity, especially in the industrial environment.
Existing controls vs required controls
Although the situation analysis has reviewed the company’s existing controls in cybersecurity, it is worth devoting a separate section to this issue.
Evaluate existing and available risk mitigation technology. We will work with them and assess whether they are sufficient or need to be upgraded, or whether new controls are required. From this, we will derive the resources, budget and timelines to achieve the set objectives.
It is imperative that we are in line with the technology in the market, the latest developments. The environment is fast-moving, ever-changing and we must always be up to date.
The ideal security framework for the business context
First of all, we need to know what the level of cybersecurity in the company is. This is perhaps the most important task, because if we do not know where we are, it will be very difficult to know where we want to go and what actions we need to take.
Knowing the unacceptable risks we face and the vulnerabilities to which industrial assets are exposed, we can determine the objective security framework for our company.
Risk Management Plan
Consider the real risks we are exposed to. This is one of the essential parts of an industrial cybersecurity plan. What potential risks do we really have? Which ones will affect the company and at what level?
To make this analysis and risk management plan easier, consider security areas and “policies”:
– Retention Policy.
– Data privacy policy.
– Data Protection Policy.
– Systems use policy.
– Incident response plan.
Implementation of the plan
A plan is useless if it is not implemented if it is not activated. The actions described in the plan should include the resources required, the budget allocated and the deadlines for implementation.
If necessary, appropriate measures will be taken in terms of strengthening the team with external staff. Investments will be made in tools and technology.
Measure results
What is not measured does not exist. As a complement to the plan, it is necessary to establish a table of monitoring indicators (Kip’s) and metrics that allow us to evaluate the level of maturity achieved in terms of action implementation.
Each control shall be monitored in real time and action shall be taken on any deviations that occur. Preventive actions will be tested from time to time to identify whether they are working and whether they will be ready for any incidents.
Everything must be aligned in an industrial cybersecurity plan. From what is happening, threats, weaknesses, the actions to be taken, the timing, the budget and the results it is delivering.
However, an incident can occur at any time. An incident response plan must be in place, tested and employees trained.
With a cybersecurity plan in place, we will be right on track, although we must remember that cybercriminals are still out there and always find new ways to do their misdeeds.
It should not be forgotten that this is a process of continuous improvement.
A broad, detailed and fully focused specialisation in industrial cybersecurity is a must for an OT manager to handle the risks in the Company’s Operations environment.
With CCI Online Professional School in Industrial Cybersecurity you will acquire all the necessary knowledge not only to draw up a Cybersecurity Plan but also to respond to all the peculiarities of the position.
Get in touch with us and check all training available: school@cci-es.org