Introduction
Due to the varied structure and nature of diverse manufacturing processes, selecting an ICS cybersecurity services/solutions vendor can be quite challenging. Also, OT security solutions cannot be implemented in the same way for different ICS plants.
As cyber-attacks have become more complex and attacks on the OT environment have escalated drastically, selecting ICS cybersecurity solutions to deliver various security control needs requires considerable caution and precision.
How to decide what is best for me?
There may be several challenges to overcome while selecting a cybersecurity solution for oneself.
To overcome this barrier, one may simply adopt global standards like ISA/IEC 62443 and NIST 800-82 Guidelines, along with sector-specific and any regulatory/compliance needs, to define cybersecurity service requirements. Procurement language that can be used during FAT (Factory Acceptance Test) and SAT (Site Acceptance Test) also needs to be defined.
Listed below are a few questions of concern one must brainstorm before selecting an ICS security services/solution provider.
To address security requirements, security threats, security targets and implementation costs, a team of professionals from various technologies should be assembled.
This team should include representatives from the following domains:
1. OT Security Head
Should be able to debate cyber security requirements while emphasising the plant’s current security framework.
2. IT Security Head
Should give descriptive information about existing cybersecurity methods used to secure IT components as well as emerging initiatives and trends driving IT technologies. The input should aid in visualising how Industry 4.0 might be improved.
3. CTO/CISO
The proceedings should be driven by the Chief Technology Officer or Chief Information Security Officer, who has the authority to accept any initiative.
4. CFO
Aside from allocating budget for driving security projects, the Chief Financial Officer is also accountable for knowing current market trends, security concerns, and other technologies that might increase or hinder plant efficiency, in terms of production or loss.
5. Network Administrators
The network administrators are responsible for providing brief insight into the current network posture and highlighting any impact of introducing a new device to the network or of any changes made to the network.
6. Supporting Engineers, Operations & Maintenance Team
Support engineers who will be participating in the drive should provide feedback on any ground-level difficulties that may have been ignored. One must also consider the challenges and man-days required to provide on-the-ground support without disrupting the process for security implementation.
7. Different Plant Heads
All the plant heads should be part of the meeting; this ensures that everyone is up to date. They should also communicate in advance their dates of availability for any assessment or changes in the network, along with any concerns they have.
To summarise, following the meeting, one should be able to answer the following questions:
- Security Target Level to be achieved.
- Current threats in the existing network.
- Current vulnerabilities in the existing network.
- Existing challenges due to threats/vulnerabilities.
- Current efficiency of production.
- On-ground challenges faced by workers.
- Current security needs to achieve the next target level.
- Budget for upgrading the security level.
- Understanding the impact post upgradation.
- Understanding the loss of production, if any.
What next?
Here the objective is to compile a list of vendors and their respective offerings (Request for Information). Different vendors may offer different services, but listed below are some critical services one may consider for their security needs:
- Vulnerability Assessment
- ICS Compliance Assessment
- Threat Modelling
- ICS Maturity Assessment
- ICS Security Training
- ICS Security Solution Implementation
- ICS Product Security Assessment
- ICS Security Program Design, Development, and Implementation
- ICS Forensics
Note: Do consider security offerings other than those mentioned above that can be employed.
Now that we have a list of vendors and their offerings (Request for Information), we can develop a series of questions for discussion addressing one’s own security needs. The purpose of the questions is to evaluate the offering. Here are a few questions to help in the evaluation:
- Evaluate vendors’ expertise on the topic
- Evaluate vendors’ success stories and past experience
- Assess the team’s composition
- Evaluate team strength, overall experience, and relevant experience
- Determine whether the offerings made meet your requirements
- Evaluate past experiences of assessment for similar needs
- Evaluate the workforce required
- Evaluate which tools will be used
- Calculate the number of man-days required
- Determine the amount of assistance needed to carry out the drill
- Determine the service charges
- Post-assessment support
Note: Please document the MoM (Minutes of Meeting) for each meeting with the vendor.
Connecting the dots
Now that you have gathered all the basic relevant information, you can begin analysing further to meet your requirements. Do consider the best approach, the value additions the vendor is bringing to the table, the POCs being offered, etc.
Once finalized, one can proceed with the RFP (Request for Proposal).
Conclusion
Selecting an ICS cybersecurity services/solutions vendor can be difficult at times. We hope that this blog helps guide you through selecting a vendor based on your needs. We have summarised an overview in a flow chart to assist you.
Additional Contributor: Gaurav Bhosale