A Deterministic Approach for Cybersecurity Investments
BY SCOTT DICKERSON
April 11, 2019
I previously wrote about how a company can benefit from focusing its cybersecurity investments on adding strategic value to the business. The most useful investments to make vary depending on the industry a company is in. A logical investment choice for transportation companies should be to protect the operational technology (OT) and IoT systems that make their operations more efficient and ultimately fuel their revenue generation. Unfortunately, the focus for these companies is sometimes solely on IT security compliance requirements, while the real “crown jewels” that are responsible for generating revenue receive little attention. Understanding and managing IT, OT and IoT cyber risks may therefore be an area for improving the strategic value of these organizations’ investments.
As OT cybersecurity is a niche, albeit growing, area, transportation companies are understandably still building their capabilities in this area. Certainly, awareness of OT cybersecurity issues has increased over the last decade as more security researchers have drawn attention to various vulnerabilities and exploitation opportunities. In addition, several articles and papers have been written about the differences between OT and IT systems and the applicable cybersecurity best practices. However, minimal attention has been paid to the systemic challenges that may lead to underinvestment in OT cybersecurity controls. This lack of prioritization in investment may be related to:
- A reliance upon an IT-focused cybersecurity risk management strategy that was developed to protect IT systems and data, rather than enabling secure business operations and growth;
- An organizational structure that splits responsibility for, and thereby hinders effectively securing, the IT, OT and IoT systems that have become increasingly interconnected;
- A budget process that is tied to discrete business units rather than business functions that may blur organizational lines, leading to only partial investment in one unit when multiple units require investment;
- A security prioritization process that is focused on compliance requirements (and OT cybersecurity compliance requirements may be nonexistent, minimal or poorly understood); and/or
- Deficient in-house expertise to effectively implement OT cybersecurity controls within the environment.
If any of these systemic issues are present, then the organization may be derailing itself from long-term success. Therefore, a (big) first step may be to understand and address the above challenges. An organization that has a clear cybersecurity strategy aligned to enable its secure business growth can then create an effective cybersecurity roadmap that includes people, process, and technology investment strategies to secure IT, OT and IoT systems. Laying this foundation is critical to allow the organization to make smart long-term investments.
Let’s examine how these ideas could be applied step-by-step to one specific transportation industry – maritime shipping.
- Plot the course and schedule: Create a unified cybersecurity strategy for the organization with a focus on enabling secure business growth. It is vital to gain executive leadership buy-in and support, as people, processes, and technology will ultimately need to be aligned to implement an effective roadmap.
- Assemble the crew: Businesses have a wide variety of organizational structures, ranging from a highly vertical structure to a very flat structure. A cross-cutting team of experts from operations, engineering, IT, security, risk management, and potentially other departments will be needed to manage risk within an acceptable level. Clear sponsors for this cross-cutting team need to be identified.
- Identify obstacles: The company should assess whether they have all the skills needed. Does the organization have gaps present that need to be addressed with additional hiring, training or outsourcing? How will a cross-cutting budget be requested? Do multiple departments need to request funding, or will there be a centralized sponsor for funding that needs to account for cross-departmental requirements to support the program?
- Plan the load: A thorough review of current, near-term, and long-term requirements should be gathered and analyzed. What new capabilities and technologies will need to be accounted for? OT systems will outlive IT and IoT systems and software, so cost-effective investments need to consider those lifespan differences.
- Set sail: It is best to start off on a shorter trip that allows the crew to build trust, gain confidence, and learn about the ship from a new perspective. Keep in mind that the goal isn’t for this to be a single journey towards a specific port (or implementation or compliance goal), but rather a voyage that visits multiple ports (or implements additional controls) repeatedly (to mature the control environment).
A roadmap for cybersecurity investments can create long-term strategic value, if approached with a holistic mindset. Depending on a transportation organization’s risk profile, risk appetite and current cybersecurity capabilities, some areas to consider for additional investment may include:
- Adding an OT and IoT cybersecurity risk assessment capability to help inform risk management investment decisions;
- Enhancing network segmentation, hardening, and continuous monitoring of IT, OT and IoT environments to enable effective incident identification and response across the environment to support continuing operations;
- Broadening security awareness training to create a culture within operational environments that is aware of new threats and can identify a potential incident that could impact both the safety and security within operational environments; and
- Providing adequate forecasting and resourcing in terms of people and technology that support recurring processes.
As the transportation industry continues to implement new OT infrastructures that allow for enhanced monitoring and real-time operational decision-making, an implemented cybersecurity roadmap should be equally modern and forward-thinking to enable safety and security decisions at machine speed and scale. Tailored strategies can create efficient, informed defensive layers that allow the organization to counter complex attack chains by design. Does your cybersecurity roadmap align to the business and investment needs of your company?
ABOUT THE AUTHOR
Mr. Scott Dickerson brings over 20 years of combined government, private sector, and consulting experience to the cybersecurity discipline. He has served in senior leadership positions in DHS, DoD, and the private sector and has developed enterprise cybersecurity strategies and risk management programs focused on critical infrastructure protection. These strategies have blended people, process, and technology cybersecurity control efforts with threat analysis, business administration, program management, and information sharing best practices.
As the Founder and Principal of CISO LLC, his passion is to help organizations securely thrive by supporting organizations’ senior leadership teams in their understanding of how specific cybersecurity risk management efforts help enhance the organization’s strategic value. Mr. Dickerson also serves as a Strategic Advisor for the Maritime and Port Security Information Sharing and Analysis Organization (MPS-ISAO) and is organizing the 2019 Maritime Cybersecurity Summit. He can be reached at firstname.lastname@example.org.
Mr. Dickerson holds Master’s degrees in Cybersecurity, Business Administration, and International Policy and Practice as well as the following certifications: C|CISO, CISSP, PMP, Network Forensics Analysis, PCI Professional, C|EH, and TOGAF 9.1 Certified.