Most companies are not compliant with mandatory industry or governmental guidance and regulations relating to their cybersecurity practices. In fact, only 23% of companies who participated in a 2018 Kaspersky study report that they meet the standards. 
Furthermore, 56% of companies say they will increase their cybersecurity budgets in the next year due to potential incidents and risks associated with their current infrastructure and policies.
One of the first investments your organization can make is to perform a Cyber Criticality Assessment. A Cyber Criticality Assessment is a process that allows organizations to identify general threats and determine the worst-case impact (whether financial, safety, health, environmental, or otherwise) of devices or software becoming unavailable, unreliable, or compromised. The assessment process includes a survey, a vulnerability assessment, and a risk assessment to allow your organization to determine the severity of the consequences should a device or network not perform as intended.
While teams in your organization could perform a cybersecurity assessment internally, there are key benefits to inviting a professionally certified, expert third party to perform this task for you.
1. Unbiased approach to your system.
Third-party assessment teams, who do not represent any hardware or software manufacturers, take an unbiased approach to your system. While internal teams may have critical knowledge of your control system and may have even designed it, third-party assessors can see the high-level view of your control system as well as the minute parts of it. They will see gaps in a system that internal teams can miss.
This is doubly important when it comes to Operational Technology (OT) and Industrial Control Systems (ICS) because all control system manufacturers have their own products and solutions for implementation. An unbiased third-party assessment team, especially one with a deep understanding of OT systems, can connect manufacturer solutions with industry best practices for solutions that fit your requirements.
2. Cybersecurity experts with the necessary background are difficult, if not impossible, to find.
The cybersecurity industry is expanding and growing at an astounding rate, and the demand for qualified and experienced professionals is fierce. Even when they can’t find qualified professionals to hire, many companies are still hesitant to hire outside help. According to a Kaspersky study released in 2018, 92% of participating companies prefer to maintain in-house OT and ICS cybersecurity personnel. At the same time, 58% of companies find it difficult to find and hire employees with the necessary skills to address their organization’s OT/ICS cybersecurity challenges.
- Is your company in a position to contribute resources to compete in the cybersecurity hiring market?
- Is your company willing to be responsible for the cost of ongoing training, specialization, and other costs that come with hiring full-time personnel?
- Does your company have the time and capacity to invest in a ground-up OT/ICS cybersecurity program from within?
If not, you might consider working with a third-party OT/ICS cybersecurity team that has the expertise to do the bulk of the work for you.
3. IT vs. OT – It’s not a competition, it’s a complementary approach.
Cooperation and collaboration between OT and Information Technology (IT) is critical for your company’s complete, comprehensive cybersecurity investment. But does your IT team have OT knowledge and expertise?
A third-party assessment team with an OT/ICS background can connect manufacturer products and solutions with industry best practices and methodologies that meet your requirements. They fill in the OT knowledge gaps that your IT team may have. For example, assessors with OT backgrounds can provide insight on which of the control hardware your system uses meets ISASecure® standards. This is especially critical if your control system uses hardware and software from many different manufacturers.
A top-rated cybersecurity team with both IT and OT backgrounds can help to ensure that your cybersecurity assessment includes all aspects of your control system and business networks while working with your already-established IT team.
If you’re interested in learning more about Cybersecurity System Assessments for your system and establishing a strong foundation for your company’s cybersecurity policies and procedures, reach out to Champion’s team of cybersecurity experts.
Champion Technology Services, Inc. is an industrial control systems integrator that provides cybersecurity services across the United States and abroad. Our team includes ISA/IEC 62443 Cybersecurity Experts and GICSP (Global Industrial Cyber Security Professional)-certified professionals. We help small, medium, and large companies assess their existing control systems and implement cybersecurity protocols that meet their facility’s requirements while maintaining our status as an unbiased third-party cybersecurity solution provider.
Kaspersky, “2018-Kaspersky-ICS-Whitepaper.pdf,” 2019. [Online]. Available: https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf
ISA, [Online]. Available: https://www.isasecure.org/en-US/Certification
Savoy Stewart, “firms-investment-on-cyber-security-by-industry,” [Online]. Available: https://www.savoystewart.co.uk/blog/firms-investment-on-cyber-security-by-industry